Guess What? HIPAA Isn’t a Medical Privacy Law

CR's guide to common situations when HIPAA protects you—and when it doesn’t. Because health data has fewer safeguards than people think.

By Thomas Germain

You hear about HIPAA all the time. The Health Insurance Portability and Accountability Act is described on forms at the doctor; it’s referenced in privacy policies; it’s even mentioned on the news. Unfortunately, one of the most common things you hear is a misconception. Many people believe that HIPAA creates special protections for any information related to your health, but that is not the case.

“HIPAA doesn’t actually protect medical data” in all circumstances, says Anna Slomovic, a data management and policy consultant whose specialties include health privacy. “People think that it’s sensitive data, and therefore it’s protected, but that’s just not true.”

The law, which was enacted in 1996, was largely concerned with issues like helping people maintain health insurance when they change jobs. It does lay out privacy rules for health care providers and insurance companies to follow when they handle personally identifiable medical data. However, the same piece of information that’s protected at a doctor’s office can be totally unregulated in other settings.

I’ve been writing about HIPAA for years, and more often than not when someone mentions a situation where they think the law protects their privacy, they’re wrong.

“It’s a failure of policy-making that people’s expectations about health data don’t match the actual regulations,” says Justin Brookman, director of privacy and technology policy at Consumer Reports. “We should have strong protections for all sensitive health data, but the law hasn’t caught up.”

It’s important to understand how the law works if you’re concerned about your information being shared with advertisers or other companies.

As states tighten abortion restrictions and the Supreme Court weighs an abortion ruling, you may also fear that seeking guidance on ending a pregnancy, or even getting treatment during a miscarriage, might lead to unwanted attention from the police, prosecutors, or activists.

Below are a number of scenarios involving consumers’ health information, with guidance on whether HIPAA protects their privacy in each case. This should help you make informed choices about seeking healthcare and medical advice.

We’ll start with commonplace situations that apply to millions of people every day. Then we’ll also cover scenarios that are particularly confusing, and could be of special concern to anyone looking for reproductive healthcare.

You can use these links to jump to any section: web searches, smartwatches, drugstores, vaccination status, period trackers and other health apps, doctor visits, health insurers, miscarriages, phone location data, and court orders.

Browsing the Web for Health Info

No, HIPAA Doesn’t Protect You

Let’s say you use Psychology Today to find a therapist, Drugs.com to learn how your medications interact, or WebMD to frantically look up cardiac symptoms at three in the morning. Or, you watch a YouTube video where a medical doctor doles out advice on preventing diabetes, issuing the same tips they’d provide at an office visit.

In none of those cases does HIPAA apply. Normally, a website can monetize your data however it likes, as long as it follows its own privacy policy and terms of service.

The same goes for your shopping habits, whether you go online or walk into a store. You might remember that back in 2012 a dad learned his teenage daughter was pregnant because Target was sending her coupons for baby clothes and cribs. The retailer figured that out because of the pattern of products she was buying.

Since then, the algorithms used by marketers have become more sophisticated, fed by vastly increased quantities of data, from websites, credit card purchases, store loyalty programs, and other sources. The insights that marketers come up with may be accurate or mistaken, but in either case HIPAA does not regulate how they can be used, or by whom.

Wearing a Smartwatch

No, HIPAA Doesn’t Protect You

Go running with a wearable device like a Fitbit or Apple Watch, or go to bed with a sleep tracker, and the data collected has no special legal protections under HIPAA. The same goes for the apps used to store and interpret the data.

“The only things that cover you are the terms of service for Fitbit or Garmin or whomever, that frankly no one reads,” says Clinton Mikel, a partner at Health Law Partners and the former chairman of an American Bar Association group on e-health and privacy.

To be clear, that doesn’t mean that any particular company is using its customers’ heart-rate data for advertising or product development. It just means the law doesn’t prevent that from happening.

Shopping at a Drugstore

It’s Complicated

When you pick up your prescriptions from a pharmacy, expect HIPAA privacy protections to be in force. Pharmacies are clearly identified as health care providers by the Department of Health and Human Services, the agency charged with enforcing HIPAA.

But that doesn’t apply to over-the-counter medications in most situations. For example, Plan-B, an emergency contraceptive that can prevent pregnancy, is available without a prescription. Here’s the tricky part: Whether that purchase is protected by the HIPAA privacy rule depends on where you buy it, and even how a particular pharmacy has set up its retail software.

A computer system that stores prescription information needs to follow strict HIPAA protections. If a drugstore uses just one computer system for all its sales, from prescription drugs to chewing gum to antacid, all the data on who buys what is kept private, too.

However, many pharmacies run hybrid operations. The part of the store that handles prescriptions operates on one computer system, governed by HIPAA, and there’s a separate system for everything else. Companies can essentially do whatever they want with the details on a product you buy at a nonprescription counter, whether it’s shampoo, treatment for a yeast infection, or a greeting card.

Here’s a good rule of thumb. HIPAA governs your data at registers where you can pay for prescriptions. If you want that Plan-B purchase to remain private, pay for it where you’d pick up a prescription medication.

This is a good spot to point out another meaningful caveat with HIPAA. The law’s data protections don’t bar drugstores, hospitals, or other organizations from sharing health data where identifying details have been removed. Those details include your name, address, your phone’s permanent ID number, and quite a few more.

Security researchers have found that what many tech companies refer to as "anonymized" data can often be tied back to individuals. However, experts say it would be much harder to do that with data that follows HIPAA’s rules.

“If it’s de-identified to the HIPAA standard, the chances of it being re-identified are quite small,” Slomovic says. “I’m not saying it’s impossible, but that’s not where I would spend the bulk of my worrying.”

Fielding Questions About Vaccination Status

No, HIPAA Doesn’t Protect You

When a reporter asked Congresswoman Marjorie Taylor Greene whether she was vaccinated at a press conference in 2021, she answered that the “question is in violation of my HIPAA rights.”

HIPAA doesn’t prevent people from asking you questions, at a press conference or anywhere else.

More importantly, workplaces and schools can require you to reveal medical details such as your vaccination status. HIPAA doesn’t apply, but other laws can help protect your data. For instance, the Family Educational Rights and Privacy Act provides guidelines for schools to follow in maintaining vaccination records.

Using a Period Tracker or Other App

No, HIPAA Doesn’t Protect You—Usually

Consumer Reports recently evaluated period-tracking apps that do a lot to protect users’ privacy. But those apps were unusual. When we first tested a group of popular period trackers in 2020, we discovered that each one shared very personal data with other companies for advertising purposes. We have also found personal data being shared by mental health apps.

It was all legal, even when the companies shared intimate information that would be protected if it was revealed in a doctor’s office.

HIPAA protections can sometimes come into play, however. Say you download a mental health app that provides checklists to screen yourself for depression. Typically, none of the data you enter into the screener would be protected by HIPAA. But if the app then lets you open a separate window to talk to a licensed social worker, that conversation probably would be covered under HIPAA.

In contrast, certain apps and websites are covered by HIPAA protections as soon as you start using them.

“The way to think about it is whether the app is acting on behalf of the provider,” Slomovic says. If an app works for your insurance company or your healthcare provider, handling personally identifiable health information, the app developer is a “business associate” under the law, and is required to follow HIPAA privacy rules. MyChart, which lets patients view their health records and make medical appointments, is a good example.

How can you tell if an app is covered? Click on the privacy policy and check for a section that lays out your rights under the law. “Every single covered entity that’s actually regulated under HIPAA will have this thing, and the title will always be Notice of Privacy Practices,” says Pam Dixon, executive director of the World Privacy Forum. If you don’t see that, assume HIPAA’s rules don’t apply,

Be careful, though. According to Dixon, if a company says its app is “HIPAA compliant” at the top of its privacy policy or anywhere else, it could just mean the law doesn’t apply to them. (By that logic, your local carwash is probably HIPAA-compliant, too.) The term is often thrown around to give people a false sense of security, according to Dixon and other privacy experts. “It’s a big problem,” she says.

Talking to a Doctor

Yes, HIPAA Protects You

This is an area where HIPAA lays out strict guidelines. The law covers your interactions with doctors, clinics, dentists, psychologists, nursing homes, hospitals, and other healthcare providers. The same goes for their “business associates,” like billing companies and online patient portals such as MyChart, described above.

Most of the time, those people and companies are barred from using identifiable health information for anything other than research, billing, insurance, and providing care unless they have your permission.

You’re also protected during telemedicine appointments on platforms such as Doxy.me, Vsee, and Zoom for Healthcare (a division of the popular teleconferencing service)—which are all set up to follow HIPAA rules. Other platforms, like FaceTime and WhatsApp, don’t follow the same rules, but during the pandemic the government has been temporarily letting doctors use them when necessary. If you’re concerned about the app a doctor wants to use for an appointment, ask them to consider making a change. (Doxy.me is one that’s free to use.)

The rules may not apply to health care providers who don’t accept insurance, such as many therapists. However, in these cases patient data is often still protected, because the therapist is obligated to follow professional codes of conduct and state medical privacy rules.

There are, however, exceptions to HIPAA privacy rules that you may find surprising. Some of them can affect people worried about reproductive healthcare, as we’ll see further down.

Talking to Your Health Insurance Company

Yes, HIPAA Protects You

The “I” stands for insurance, remember. The same privacy protections you expect at a doctor’s office are in operation for health insurance companies.

HIPAA doesn’t apply to other kinds of insurance. If a life insurance company acquires information about your health, it’s not required to safeguard it the way HIPAA-covered entities are.

Workplace wellness programs aren’t always covered by HIPAA either, even if you get a discount on your health insurance for participating. It depends on factors including whether the program is being run by your health insurer, your employer, or a company hired just to administer the program.

Seeking Treatment for a Miscarriage

HIPAA May Not Protect You

Let’s say a woman having a miscarriage arrives at an ER for care. In a state where abortion becomes illegal, the hospital might report the visit to law enforcement if doctors suspect the patient tried to induce an abortion. In the future, experts say, state laws could even require doctors and hospitals to report such miscarriages to law enforcement.

What would HIPAA say about that situation?

“This is an unfortunately easy question,” says Jennifer Oliva, a professor at the University of California Hastings College of the Law, who has studied reproductive health law. “HIPAA would be of no help because it includes numerous exceptions that permit mandatory health care provider reporting.”

As the Department of Health and Human Services (HHS), which enforces HIPAA, explains, the law allows doctors to set aside privacy rules voluntarily if they think a crime has taken place.

And many states already require reporting in certain situations, such as gunshot wounds.

“There’s a possibility that states will include abortion reporting in the same kind of broad category. It wouldn’t surprise me at all,” says Mary Ziegler, a law professor at University of California, Davis, and author of “Abortion and the Law in America: Roe v. Wade to the Present.”

Women in the United States have already been prosecuted and imprisoned after miscarriages and stillbirths, as The Guardian, Mother Jones, and others have reported. Prosecutors alleged that the women were to blame for the death of the fetuses, because they used drugs or, more rarely, drove recklessly. One woman was even indicted after she was shot in the abdomen during an argument, though the charges were later dropped.

Many of the investigations started when the patients were reported to the police by doctors or other hospital staff.

Bringing Your Phone to a Medical Clinic

No, HIPAA Doesn’t Protect You

The data collected by tech companies can be used to piece together a picture of nearly every area of your life, including your health. That’s especially clear when you consider location data.

Researchers and journalists have repeatedly shown that location information gleaned from phones and purchases from data brokers can show where individual people travel, whether that’s to a gym, a mental health clinic, their church, or an abortion provider.

Vice reported in early May that, for just $160, reporters were able to purchase a week’s worth of location data for people who visited Planned Parenthood clinics, including information on where the individuals had traveled from, and where they went afterwards. SafeGraph, the data broker that sold the information, said it would stop selling data related to people’s visits to abortion providers shortly afterward. However, many other companies sell location information, too.

Location data is not covered by HIPAA, and other laws don’t prevent it from being purchased by anyone from activists to law enforcement agencies—no warrant needed.

Doctors Getting Subpoenas or Court Orders

No, HIPAA Doesn’t Protect You​​

When lawyers or judges issue formal requests for medical information, your doctor, health insurer, and others are allowed to disclose it. HIPAA doesn’t prevent that. However, if your health providers think a request is inappropriate, for instance because it’s asking for more information than necessary, they can make a formal objection.

That is most likely to happen with a subpoena, which is often issued by an attorney researching a case. “If it’s a subpoena or just a regulatory agency asking for the information, the provider could ostensibly fight it,“ says Mikel, the Health Law Partners attorney. In addition, HIPAA has a rule that says you need to be notified when a covered entity gets a subpoena for your health information, providing you an opportunity to fight to keep your records private.

In contrast, a court order such as a search warrant comes from a judge. While you can file an appeal, court orders are much harder to challenge. “At the point of a court order, you’re done,” Mikel says.

Things get more complicated if a law enforcement official wants to access information from another state. Attorneys point out that for such a request to go forward, a court in the second state has to cooperate with the out-of-state prosecutor.

Some courts could face requests like that in a post-Roe world. Earlier this year, a Missouri lawmaker proposed barring residents from obtaining out-of-state abortions. The measure wasn’t adopted. But if such restrictions do become law, HIPAA won’t offer you protection.



More from Consumer Reports:
Top pick tires for 2016
Best used cars for $25,000 and less
7 best mattresses for couples

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2022, Consumer Reports, Inc.