LibGuides: Medical and Health Data Privacy: HIPAA and Beyond: Health Data Not Covered by HIPAA

Introduction

But the HIPAA privacy laws that protect patients in a medical setting don’t apply to companies that do direct-to-consumer genetic testing. That means that as long as their terms of service don’t specifically prohibit it, these companies can conduct research on your genetic data, sell it, or share it with third parties.

Apps that require users to enter their own information may not have to comply with HIPAA. Take, for example, a fitness-tracking app that asks for the weight, height, and medical background of the end user. If the end user enters this data on their own using their own equipment (i.e., scale, blood pressure machine), then the app developer does not have to comply with HIPAA.

But if an app is developed for a covered entity or is used as a service provided by a business associate, HIPAA may apply to the app developers. A good example would be an insurance provider that has an app for consumers that tracks the status of claims and coverage details. The information in the app is populated directly by the insurance provider, which would mean this app and the information collected falls within scope of HIPAA.

US Code

6 U.S. Code § 1533
Improving cybersecurity in the health care industry
15 U.S. Code § 45
Federal Trade Commission regulates unfair methods of competition and deceptive trade practices.
FTC Act 15 USC Sec. 41-58
20 U.S. Code § 1232g
Family Educational and Privacy Rights (FERPA)
42 U.S.C. 300jj et seq
Health Information Technology and Quality

Consent Decrees

Facebook's 2012 Consent Decree with FTC
Facebook was accused of misleading consumers about the privacy of their data, in violation of Federal Trade Commission Act.

HIPPA and School Records

34 CFR Part 99
FAMILY EDUCATIONAL RIGHTS AND PRIVACY
45 CFR § 160.103
Student records that are covered by the FERPA are not subject to the privacy rules of HIPPA . Although a school district as such is not generally subject to the privacy rules, some school-based services, such as a school-based health center, may be required to comply with the privacy rules. To the extent a state law provides greater privacy protection than the HIPAA privacy rules, the state law continues to apply and is not preempted by HIPAA.
45 CFR Secs. 164.500-164.534
The privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) may apply to restrict the use and disclosure of individually identifiable health information by a group health plan sponsored by a school district for the benefit of the district's employees.

FTC

16 CFR 318
FTC's Health Breach Notification Rule
Proposed changes to the Health Breach Notification Rule
Public comments through 8/8/23

Links

Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups
HIPAA Journal 2/22/19 Facebook is not bound by HIPAA Rules, so the sharing of any personal health information with advertisers would not be a HIPAA violation. However, Facebook is required to comply with FTC Rules: Rules that Facebook is alleged to have violated.
Facebook class action lawsuit settlement: Who’s eligible, how to file claim
Click on Detroit 4/23/23
Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy
HIPAA Journal 5/6/19
Facebook Pays $643,000 Fine For Role In Cambridge Analytica Scandal
Facebook's 'Preventative Health' tool has a flaw that's impossible to ignore. Would you trust Facebook with public health information?
Inverse.com 11/3/19
Gartner Says Over 40% of Privacy Compliance Technology Will Rely on Artificial Intelligence in the Next Three Years
Gartner Group Press Release 2/25/20
The Global Data Protection, Privacy & Surveillance Law Library
From Cornell's Legal Information Institute
Hacker leaks millions more 23andMe user records on cybercrime forum
Techcrunch 10/18/23
How health information privacy laws apply when reopening the workplace
HR Dive 5/23/22
How to Delete Your Data From 23andMe, Ancestry, and Other Sites Worried about your privacy after taking an at-home DNA test? Here's what you should know and what you can do.
Consumer Reports 1/29/19
How your health information is sold and turned into ‘risk scores’
Politico 2/3/19
Most Pregnancy Apps Are Terrible at Keeping Your Data Private: Report
Gizmodo 8/17/22
People Search Data Brokers, Stalking, and ‘Publicly Available Information’ Carve-Outs
Lawfare 10/30/23
Special Report on Protecting Patient Health Information During the COVID‑19 Pandemic
Department of Defense Office of Inspector General 4/27/20
Storing Health Records On Your Phone: Can Apple Live Up To Its Privacy Values?
NPR 2/27/19
Student Privacy During the COVID-19 Pandemic
Future of Privacy Forum 3/20/20
When Does HIPAA Apply to Health Apps?
Focal Point Insights 10/3/18
Without Consent An analysis of student directory information practices in U.S. schools, and impacts on privacy
World Privacy Form Report 4/20

State Laws

Data Breach Notification Laws by State
ITGovernance USA.com, last updated July 2018.

Fitness Trackers

Best fitness tracker guide 2023
Tom's Guide, last visited 10/12/23
Best Android Fitness apps
Android Authority, last updated 1/15/23
Digital Health Fitbit, Apple user data exposed in breach impacting 61M fitness tracker records
Fierce Healthcare 9/13/21
Fitbit fitness tracker cracks Connecticut murder case
New York Daily News 4/27/17
Google Buys Fitbit For $2.1 Billion, Pledges To Protect Health Data
NPR 11/1/19
Google takes first step in killing your Fitbit account Fitbit’s transition to Google accounts began June 6
Android Police 6/6/23
Wearables go invisible with the launch of Whoop 4.0
TechRadar 9/9/21
Your Medical Devices Are Not Keeping Your Health Data to Themselves CPAP units, heart monitors, blood glucose meters and lifestyle apps generate information that can be used in ways patients don’t necessarily expect. It can be sold for advertising or even
ProPublica 11/21/18