At 26 years old, the Health Insurance Portability and Accountability Act (HIPAA) is the most mature and comprehensive health data protection law in the US. (It passed in 1996.)
One of the earliest manifestations of the law came when Gen Z kids were given HIPAA authorization forms to bring home for their parents to sign for the school nurse.
Behind the forms, however, is purpose: The law safeguards patients from disclosure of their protected health information (PHI) to any third parties without consent.
A law that protects Americans from the unregulated collection and sale of their data online, as HIPAA does, now has added importance given the legal implications of the recent Roe v. Wade overturn.
But does this patient data protection law apply to data-driven advertising and online data collection? The answer is yes and no.
Meta, for example, was just hit with a HIPAA violation this week because it used patient data from hospitals for targeted advertising.
But many other companies that have access to sensitive health information through the services they provide – from period-tracking apps and Fitbits to smart thermometers and blood-sugar-tracking apps and devices – aren’t necessarily subject to HIPAA.
There are many misconceptions about when HIPAA actually applies, said Gary Kibel, a partner and attorney at Davis+Gilbert LLP.
HIPAA only applies to “covered entities” – including licensed healthcare providers, insurance clearinghouses, hospitals and some pharmacies – that have access to PHI found in electronic health records, such as medical history, diagnoses and medications and treatment information.
That specificity narrows the law’s applicability more than one might think.
If a marketer wants to target people with diabetes, for example, it’s possible to do so without being subject to HIPAA. What matters is whether the health information came from an electronic health record or from a noncovered entity, like a retailer whose sales data includes frequent buyers of sugar-free products.
Similarly, at the onset of the COVID-19 pandemic, many employees protested the mandated disclosure of vaccination proof as a HIPAA violation – but “the law only applies to covered entities,” Kibel said, and an employer is not a “covered entity.” Nor are Fitbit and period-tracking apps, for that matter.
The most common intersection between targeted marketing and personal health data is probably patient-facing pharma ads (as opposed to drug ads meant for physicians).
But the data itself needs a clean bill of health, so to speak, before it’s processed, said Jay Calavas, head of vertical products at the CDP Tealium. “If the data itself isn’t compliant,” he said, “none of it can be activated within a platform.”
The company’s new product, Tealium for Pharma, for example, aims to give pharma advertisers access to deterministic audiences with “built-in HIPAA compliance,” which can be a lot more convoluted than basic consent management.
Tealium ingests patient data from the websites of its pharma clients, all of which is either consented or anonymized. It then overlays that information with other first-party or licensed third-party data – namely, site engagement and prescription data – to help customers target their patients. If a targeted patient sees an ad for a product, it’s because Tealium gained their consent, Calavas said.
But HIPAA compliance is more than just playing nice with hashed data. Tealium also had to sign BAAs, or business associate agreements, with each one of its customers and partners, Calavas said. These HIPAA-mandated contracts acknowledge legal responsibility for PHI shared between healthcare providers and any contractors that access it.
Tealium also had to undergo audits of its breach-notification, change-management and risk-management implementations.
It’s a “tremendous checklist” to be HIPAA compliant, Calavas said, because of the stringency of patient data protection.
Conversely, the other branch of pharma ads – those targeted to physicians and providers – gets to pretty much bypass HIPAA altogether.
Doceree, for example, is another vendor that provides pharma ad serving solutions. But because it only targets healthcare providers and “doesn’t touch any identifiable patient data,” HIPAA doesn’t apply, the company’s CEO Harshit Jain told AdExchanger.
Although HIPAA primarily applies to the processing of PHI, which must be de-identified, brands and agencies still have to take steps to avoid deterministic targeting just in case.
“You can’t take a real patient data set, with conditions identified at a name-based level, and then match that data with, say, Acxiom or Epsilon – that’s an obvious case for a HIPAA violation,” said Ray Rosti, chief digital officer at Publicis Health Media.
Instead, Publicis Health Media takes a clean room approach with data partners to build modeled, probabilistic audiences for its advertisers, so the agency can avoid ever targeting the actual patients whose data was used for modeling.
“We also go heavy on contextual targeting,” Rosti said, referring to contextual data based on web activity rather than about patients. “User research is [actually] one of the strongest signals someone may be heading toward diagnosis or treatment.”
With clean rooms and contextual data, Publicis Health Media can run campaigns without touching real patient data.
In this case, HIPAA applies in the sense that it’s a deterrent to using patient data. For healthcare advertisers, contextual advertising not only allows them to sidestep HIPAA; it’s less likely to come across as creepy or invasive to the person they’re targeting.
An advertiser would need direct access to real patient data via an electronic health record system, like those maintained by hospitals, in order to breach HIPAA, Rosti said.
What does a HIPAA breach look like?
But HIPAA violations do occur in the digital advertising sphere, like Facebook’s recent mini scandal with hospitals.
Dozens of hospitals were caught earlier this summer sending sensitive patient data to Facebook via a Meta pixel embedded on their sites when patients scheduled appointments online.
Investigative tech publication The Markup tested the websites of Newsweek’s top 100 hospitals in the US in June and found that 33 of them had a Meta pixel installed. The pixel would transmit patient data to Facebook, which would then link that data to individual profiles for targeted advertising (and also share these insights back with the hospitals for site retargeting).
“This is a much closer example of where a HIPAA violation could have taken place,” Kibel said, adding that hospitals are responsible for the patient data that passes through their websites.
The lawsuit alleging a HIPAA violation followed promptly in August.
Does HIPAA have a role to play in a post-Roe v. Wade world?
The recent Roe v. Wade overturn is also putting a lot of pressure on internet giants to take extra steps to protect customers’ data.
Google, for example, promised to delete location data related to sensitive medical facilities after the decision was overturned.
Conversely, the data broker Safeguard was caught selling abortion clinic visitation data before it cracked under political pressure and stopped selling this type of data in the spring (a month before the SCOTUS decision).
But will HIPAA fully protect people from data harvesting or from that data subsequently being used against them, especially when it comes to health information that relates to abortion care?
Unfortunately, the answer is that HIPAA is too narrow to offer that scope of protection.
Sensitive health data can be collected or revealed through dozens of noncovered entities, from location data providers to retail media companies. And these companies aren’t prevented from sharing data, unless the data was sourced from a covered entity.
Regardless of Google’s pledge, if a woman using a fertility-tracking app, for example, has her location tracker turned on when she visits an abortion clinic, that data isn’t covered by HIPAA.
And HIPAA also isn’t able to prevent the sharing of data with law enforcement agencies that are investigating a crime, Kibel said. They need to comply with court orders and subpoenas.
What happens inside a doctor’s office stays inside the doctor’s office – but beyond that is out of HIPAA’s control.
For the time being, using health data in advertising is still not a matter of standardized legal compliance, but rather one of ethics and sensitivity toward people’s privacy.
Update: The day after this story was published, Meta received a HIPAA violation for the data sharing described in this article. This story has been updated to reflect this latest development.