What HIPAA & Other Privacy Laws Miss: Data Sharing on Health Apps, Websites, & More

Have you used a fitness tracker in recent months? Or met with patients via a telehealth communications system during the COVID-19 PHE? With the rise of health-related websites, communications, and applications, now’s the time to review how sensitive patient data from these evolving technologies is shared, and how far it is protected by the HIPAA Security and Privacy Rules.

During a meeting in late 2022 among healthcare provider advocacy groups, several weaknesses were highlighted in the Health Insurance Portability and Accountability Act’s (HIPAA) coverage of data sharing and privacy while using such tools (Digital Health Business & Technology, 2023).

The meeting pointed out that since several laws regulate and protect health data privacy, it’s difficult to sort through those sources and draw precedence. Ultimately, the framework established by HIPAA becomes challenging to enforce when multiple regulations from several organizations and governmental agencies overlap (and sometimes leave loopholes).

Two such safeguards that protect patients and their sensitive information include the HIPAA Security Rule and HIPAA Privacy Rule. The HIPAA Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity” (HHS, 2023). The HIPAA Privacy Rule utilizes the same standards and applies to “health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically” (HHS, 2023). The latter gives patients rights to access their information and knowledge of how this data is used.

It’s important to note that digital health applications frequently do not fall under covered HIPAA entities. Therefore, HIPAA or other privacy laws do not regulate much of the data collected and shared from these applications.

In early February 2023, the Federal Trade Commission (FTC) brought allegations against GoodRx for sharing its users’ medications, email addresses, and other personal information with Facebook, Google, and additional third parties (Digital Health Business & Technology, 2023). The FTC alleges that GoodRx used the information for targeted marketing on Facebook and Instagram.

In a separate investigation, conducted by STAT and The Markup, patients using WorkIt Health potentially had their sensitive health information and answers to intake questions shared with Facebook, Google, TikTok, and several other social media sites (The Markup, 2022). WorkIt Health was not the only telehealth site that STAT and The Markup noted for using trackers to collect personal medical information. They found a total of 49 different telehealth websites employing such trackers to gather health data.

In conclusion, more effort must be made to educate patients on how their information is stored and shared, and health data privacy laws need to be unified to ensure sensitive data isn’t stolen or mishandled.

A healthcare cybersecurity bill is already in the works in Congress to protect the healthcare and public health sector from cyber attacks. But a specific bill to extend or unify HIPAA’s coverage with other health data privacy laws has yet to be introduced.

YES HIM Consulting
