Laws and Resources

To exercise your rights to privacy over your health data, it is important to first understand them.

Laws

What is HIPAA?

Thanks to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), when it comes to your medical records, you can always get them, check them, and know who has seen them. The Standards for Privacy of Individually Identifiable Health Information, also known as the “Privacy Rule,” require that healthcare providers and other covered entities protect the privacy of protected health information.

What Is and Isn’t Covered Under HIPAA?

8 out of 10 Americans believe that the Privacy Rule applies to private healthcare products and services. This is untrue. The Privacy Rule only applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form, known collectively as “covered entities.” Amongst these entities, the Privacy Rule protects individually identifiable health information, meaning information that relates to the individual’s condition, the provision of health care to the individual, or payment for the provision of health care to the individual. There are no restrictions on the use or disclosure of de-identified health information.

HIPAA does not apply in a number of situations, including browsing the web for health information and using private, direct-to-consumer products and services such as apps, wearable trackers, and other tools which collect health information, but which are not formally associated with covered entities.

What laws do govern health privacy?

Genetic Information Nondiscrimination Act of 2008 (GINA)

GINA is a federal anti-discrimination statute that prohibits employment discrimination on the basis of genetic information, which includes diseases or disorders in family history, an individual’s genetic tests, requests for genetic services, and more. This means that your genetic information can never be used in hiring, firing, promotion, discipline, compensation, or other employment decisions.

This law is especially important in the context of modern healthtech because DNA analysis companies like 23andMe and AncestryDNA have been criticized for their lack of data privacy safeguards.

Federal Trade Commission (FTC) Act

The Federal Trade Commission (FTC) is an independent agency of the U.S. federal government which enforces consumer protection laws. While most healthtech products do not fall under HIPAA coverage because they are operated by private healthtech companies, they are subject to the FTC Act of 1914, a federal statute that governs a variety of consumer rights, including those related to privacy and security.

Amongst other things, Section 5 of the FTC Act addresses “unfair or deceptive acts or practices in or affecting commerce.” It requires that companies adhere to their stated privacy policies, implement reasonable and appropriate security measures, and obtain proper consent for data collection.

Family Educational Rights and Privacy Act (FERPA)

FERPA is a federal law, applying to educational institutions that receive federal funding, which is designed to protect the privacy of student education records, including health information, maintained by schools. It is enforced by the Department of Education and aims to ensure the protection of students’ health data.

2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act)

The Health Breach Notification Rule of the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) applies to non-HIPAA regulated entities which maintain a “personal health record” on behalf of a customer. These records differ from the protected health information and medical records that do fall under HIPAA: medical records are generated and retained by covered entities, whereas personal health records are generated and managed by individuals, for example users of healthtech monitoring apps.

The Rule requires vendors of personal health records and related entities to notify customers following a breach involving unsecured information. In the case of breaches involving 500+ people, they must also notify the media.

Your Tech

Following the guiding principles of Consentful Tech, we believe that users’ relationship with their healthtech should align with the FRIES acronym of 1) freely-given, 2) reversible, 3) informed, 4) enthusiastic, and 5) specific digital consent. Based on these principles, here’s what we look for in our privacy pulse check:

  • Easy data deletion: A convenient, accessible way, such as a digital form, for users to request edits to or deletion of their stored data; in other words, a way to reverse their consent to a digital technology’s access to their health data.

  • Data minimization: Specific, narrowly-tailored purposes of data collection outlined in the product or service’s privacy policy, which make it clear why the company needs your personal or health data.

  • No data selling: Does not sell your valuable health or personal data, and asks for specific and explicit consent to share this with any third parties.

  • Easy-to-read privacy policies: Information written in plain English for users to understand the way that the product or service collects, uses, and potentially shares their data.

  • Transparency reports: Annual or monthly reports summarizing facts and figures related to data collection, usage, and sharing.

  • Security measures: Encryption, anonymization and de-identification, and other protections for the data that is collected and stored.

Explore by healthcare area

Whether you want to learn more about your Fitbit, period-tracking app, or glucose monitor, we have resources to help!

Each includes easy-to-understand information about the laws and technology of a healthtech sub-sector.

  • Menstruation, pregnancy monitors, machine-learning based fertility support, and sexual health. Learn more!

  • Wearable activity monitors, exercise trackers and guides, AI-based diet and fitness coaches, smart scales, and more. Learn more!

  • At-home diagnostic, testing, and screening products and services. Learn more!

  • Mental and holistic health trackers and resources. Read more!

  • Wearable and other monitors for vitals including glucose, heart rate, blood pressure, and more. Learn more!

Can I ask ChatGPT about my birth control? When should I ask my doctor about healthtech concerns? What does my mental health medication tracker know about me? What would a Harris-Walz presidency mean for healthtech regulation?

If these are questions that interest you, we invite you to subscribe to our bi-weekly newsletter to receive engaging, relevant health tech news, guest interviews, A+ Ethical Tech Check products, and more.

Resources We Recommend

At Your HealthTech, we aim to provide a one-stop-shop for users to understand their healthcare technologies. We also recognize the amazing work of other platforms and organizations in building tools to connect users with additional information:

  • Privacy Not Included’s Reproductive and Mental Health technology databases, which provide more comprehensive coverage than our site’s existing database.

  • Allied Media Project’s Consentful Tech Project, which serves as the basis of our “privacy pulse check” checklist and includes additional resources like its zine and curriculum.