Dive Brief:
- The Health Insurance Portability and Accountability Act (HIPAA), implemented in 1996, does not protect health information stored in wearables, online databases or testing companies. The law only covers patient information kept by insurers, health providers and data clearinghouses, and their business partners.
- A 2009 law directed HHS to work with the Federal Trade Commission to submit recommendations on how to regulate entities that handle health information not covered by HIPAA. No recommendations have been issued to date.
- Mobile apps are especially vulnerable to breaches since many are connected to third-party websites without the user’s knowledge and send data unencrypted, exposing personal information.
Dive Insight:
Several companies have made headlines for failing to secure consumers' health information. For example, ProPublica reported that data Fitbit users entered into their online profiles about their sexual activity, used to help calculate calories burned, was accessible to anyone. The ProPublica article also noted that AncestryDNA pulled its online database down after police used a publicly accessible genealogy database to solve a 1996 Idaho murder.
Gauging the extent of this privacy problem is made harder by the fact that many companies don't know when health information they've stored has been inappropriately accessed.
Erin Murphy, a professor at New York University School of Law, told ProPublica, “When you publicly make available your genetic information, you essentially are signing a waiver to your past and future medical records.”