Health Data Privacy and HIPAA: Protecting Medical Records
Health data is among the most sensitive information that exists: diagnoses, treatments, prescriptions, mental health records, substance abuse history, genetic information, and reproductive health data. A medical record breach does not just expose data; it can affect employment, insurance, relationships, and personal safety. HIPAA (Health Insurance Portability and Accountability Act) provides the primary legal framework for protecting health data in the US, but significant gaps exist.
What HIPAA Covers
HIPAA applies to “covered entities” (healthcare providers, health plans, healthcare clearinghouses) and their “business associates” (companies that handle health data on their behalf). These entities must protect Protected Health Information (PHI), meaning any individually identifiable health information: names combined with diagnoses, treatment records, lab results, prescription records, and payment information for healthcare services.
The Privacy Rule limits who can access and share your health information without your authorization. Covered entities can share PHI for treatment, payment, and healthcare operations without patient authorization but must limit disclosure to the minimum necessary.
The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI), including encryption, access controls, audit logging, and workforce training.
The Breach Notification Rule requires covered entities to notify affected individuals, the HHS Secretary, and in some cases the media when a breach of unsecured PHI occurs. Breaches affecting 500 or more individuals must be reported within 60 days.
What HIPAA Does Not Cover
HIPAA has significant gaps. Health apps (fitness trackers, period trackers, mental health apps) that are not provided by a covered entity or their business associate are not subject to HIPAA. Your Fitbit data, Calm meditation records, and Flo period tracking data may have no HIPAA protection. This data can be sold to advertisers, shared with data brokers, or subpoenaed by law enforcement.
Genetic testing companies like 23andMe and AncestryDNA are generally not covered by HIPAA. Their privacy practices are governed by their own privacy policies and the FTC Act’s prohibition on deceptive practices.
Protecting Your Health Data
Review the privacy practices of any health app before entering personal health information. Minimize health data sharing: provide only what is necessary. Request copies of your medical records to verify accuracy. Use patient portals with strong passwords and 2FA. Be cautious about discussing health conditions on social media, as this information can be used for targeted advertising and discrimination.
For broader data privacy protections, see our GDPR compliance guide. To protect the devices storing your health data, explore our mobile device security checklist.
The App Privacy Gap
The most significant gap in health data protection is the universe of health-related apps that fall outside HIPAA. Fitness trackers, mental health apps, fertility tracking apps, and meditation apps collect intimate health data with no HIPAA obligation. Their data practices are governed solely by their own privacy policies, which can change at any time and often permit broad sharing.
The FTC has taken enforcement action against health app companies that violated their own privacy promises, but this is reactive rather than preventive. Before using any health app, read the privacy policy, looking specifically for: what health data is collected, whether it is shared with third parties, whether it is used for advertising, and what happens to your data if you delete the app.
For particularly sensitive health information (mental health, reproductive health, substance use), consider whether the convenience of a tracking app justifies the privacy risk of creating a digital record that could potentially be accessed by employers, insurers, or law enforcement.
Telehealth Privacy Considerations
The expansion of telehealth during and after the COVID-19 pandemic created new health data privacy considerations. Video consultations may be recorded. Health data transmitted through telehealth platforms is subject to HIPAA only when the platform is provided by a covered entity. Consumer video tools like Zoom or FaceTime used informally for health discussions do not provide HIPAA-level protections even if the conversation involves health information.