
Does HIPAA apply to data brokers?

Written by Kirsten Peremore | Jan 31, 2025 6:31:45 PM

Data brokers typically aggregate and sell health-related data obtained from various sources like public records and health apps. A journal article published in Current Psychiatry Reports expands on this role, “Data brokers also combine health data with data from consumer habits, assets, and demographics to use in consumer health scores, profiling, and predictive modeling.” 

This distinction in their role means that data brokers do not fall directly under HIPAA. The exception is when they process protected health information (PHI) on behalf of a healthcare provider or health plan; in that case, they must enter into a business associate agreement that outlines their responsibilities regarding the handling of PHI.


What types of PHI do data brokers handle? 

  1. Medical history: Information about past and present medical conditions.
  2. Prescription records: Details of medications prescribed to individuals.
  3. Provider visits: Records of healthcare provider appointments and treatments received.
  4. Mental health information: Data related to mental health conditions, such as anxiety or depression.
  5. Health insurance claims: Information about claims made to health insurance providers.
  6. Over-the-counter purchases: Data on non-prescription medications and health-related products bought.
  7. Health-related online activity: Information gathered from online searches related to health conditions and treatments.
  8. Demographic information: Age, gender, marital status, and family status that may relate to health risks.
  9. Lifestyle information: Data on personal habits or activities that could impact health, such as exercise or diet.


How do state laws interact with HIPAA for data brokers?

HIPAA preempts state laws that provide less stringent protections for PHI while allowing states to enact more rigorous privacy laws. As states continue to develop their privacy laws in response to public demand for greater data protection, there is room for the expansion of HIPAA to include data brokers explicitly.

State laws, like California's Delete Act and similar regulations in other states, have begun to impose specific requirements on data brokers. These state laws aim to improve consumer protection by requiring data brokers to disclose their practices regarding the collection and sale of personal information.


FAQs

Who qualifies as a HIPAA business associate?

Entities that engage in activities involving PHI, such as billing companies, IT service providers, medical transcriptionists, cloud storage providers, and data analytics companies, qualify as business associates.


What are the key responsibilities of a business associate?

Business associates are responsible for safeguarding PHI and must implement appropriate physical, administrative, and technical safeguards to protect this information.