
Belmont Health Law Journal

Abstract

While there is no constitutional right to privacy of information, general public sentiment leans in favor of keeping personal health data private. More precisely, individuals would like information known only to the individual and other parties to whom he or she chooses to disclose the information. This is because public knowledge of sensitive personal data may harm the individual economically, socially, or in other intangible ways. The benefits of public knowledge of such individually identifiable health data do not outweigh these potential harms. Privacy should be the default.

To achieve this, HIPAA must be expanded to protect private health data beyond the confines of traditional patient-provider relationships and in the broader digital healthcare industry. This Note will provide relevant background information on the current state of the HIPAA Privacy Rule and California’s Confidentiality of Medical Information Act (CMIA). The primary issue this Note will discuss is that advancements in technology have fundamentally changed the healthcare landscape to the point where existing federal regulations neither address nor protect private health data when it is created or transmitted between non-traditional providers of healthcare. For example, companies that create technological products that allow consumers to track their personal health data are not covered by the HIPAA Privacy Rule. Thus, the collection, processing, and storage of such data are not subject to federal health regulations. This Note will argue that more classes of entities, specifically businesses that track and store individuals’ health data, should be subject to HIPAA privacy regulations. A state-by-state solution would be less effective than a federal regulation because it would likely cause confusion for businesses and consumers regarding when data is protected and when it is not. Furthermore, it is likely that such an approach would prove wasteful if Congress were to enact general data privacy regulations in the near future. Finally, this Note will conclude that the most comprehensive and simple approach to addressing the issue of health data privacy is to modify the HIPAA Privacy Rule to cover a broader range of entities in the United States.
