HIPAA & Digital Contact Tracing Applications
On August 21, 1996, President Clinton signed the Health Insurance Portability & Accountability Act (HIPAA) into law.[1] It was the first substantive set of corporate legal obligations imposed on the healthcare sector.[2] The initial reason for HIPAA was not to protect privacy and security.[3] Congress was seeking to meet other goals, such as protecting individuals’ privacy as a fundamental right, balancing that privacy against societal interests in the free flow of information, and mitigating concerns about inefficiency within the health care sector.[4] HIPAA is often misunderstood as applying to all health data in the United States.[5] However, HIPAA regulates the use and disclosure of protected health information (PHI)[6] only by “covered entities” and “business associates.”[7] The requirements HIPAA imposes on covered entities and business associates relate to their use and disclosure of PHI.[8] Entities that are wholly covered under HIPAA include healthcare providers[9] (e.g., a doctor’s office, hospitals) that transmit any health information[10] in electronic form in connection with a transaction,[11] health plans[12] (e.g., health insurance), and healthcare clearinghouses[13] (e.g., third-party organizations that host, handle, or process medical information).[14] It is important to recognize that HIPAA applies to these covered entities, but not to other health care providers and services.[15] For example, doctors who only accept cash and do not bill insurance would not be covered under HIPAA.[16] Thus, because HIPAA targets health care entities and a very narrow class of businesses that contract with health care entities, rather than all individuals and all businesses that handle health care data, most healthcare data controlled or processed by those outside the traditional health care environment will not be subject to HIPAA.[17]
Despite HIPAA’s robust privacy and security requirements, if a digital contact tracing application does not constitute a covered entity or a business associate of a covered entity, HIPAA’s requirements will not apply.[18] Thus, HIPAA’s primary limitation in effectively regulating such applications is its limited scope.[19] Likewise, “if PHI is disclosed pursuant to the public health activities exception to an entity that does not constitute a covered entity or business associate of a covered entity that PHI would no longer be protected by HIPAA.”[20] Since Google and Apple do not meet the definition of a covered entity under HIPAA, the law’s privacy requirements do not apply to the companies’ digital contact tracing efforts.[21] In some states, such as California, however, state laws may provide some protections.[22] It is important to note, though, that not every state has applicable laws or regulations.[23]
[1] The HIPAA Privacy Rule and the EU GDPR: Illustrative Comparisons, 47 Seton Hall L. Rev. 973, 974.
[2] 35 Suffolk Transnat’l L. Rev. 363, *363.
[3] Id.
[4] Vol. 12, No. 1, J. Health & Life Sci. L., p. 39.
[5] Thomas, Ashley et al., In This Issue: Digital Contact Tracing In the European Union: Best Practices For United States Legislators And Regulators, 33 Health Lawyer 47 (October 2020).
[6] Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C.1232g;
(ii) In records described at 20 U.S.C.1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.
45 C.F.R. § 160.103, https://www.law.cornell.edu/cfr/text/45/160.103 (accessed February 2021).
[7] 45 C.F.R. §§ 160.102 and 160.103.
[8] Thomas, Ashley et al., In This Issue: Digital Contact Tracing In the European Union: Best Practices For United States Legislators And Regulators, 33 Health Lawyer 47 (October 2020).
[9] Health care provider means a provider of services (as defined in section 1861 of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
[10] Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
[11] Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Health care electronic funds transfers (EFT) and remittance advice.
(12) Other transactions that the Secretary may prescribe by regulation.
[12] Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
[13] Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
https://www.law.cornell.edu/definitions/index.php?width=840&height=800&iframe=true&def_id=8b76bcc5b120eabe975323d7896f0cf3&term_occur=999&term_src=Title:45:Chapter:A:Subchapter:C:Part:160:Subpart:A:160.103
[14] Vol. 12, No. 1, J. Health & Life Sci. L., p. 39.
[15] Id.
[16] Id.
[17] Vol. 12, No. 1, J. Health & Life Sci. L., p. 39.
[18] Thomas, Ashley et al., In This Issue: Digital Contact Tracing In the European Union: Best Practices For United States Legislators And Regulators, 33 Health Lawyer 47 (October 2020).
[19] Id.
[20] Id.
[21] Shachar, Carmel, Protecting Privacy In Digital Contact Tracing For COVID-19: Avoiding A Regulatory Patchwork, https://www.healthaffairs.org/do/10.1377/hblog20200515.190582/full/ (accessed Feb. 25, 2021).
[22] Id.
[23] Id.