Is HIPAA a consumer-focused Privacy Regulation?

  • johnehaskell
  • Mar 5
  • 3 min read

One common theme among Europe's General Data Protection Regulation ("GDPR") and the nineteen state comprehensive data privacy laws is that they are consumer-focused. In other words, consumers have a fair amount of control over their data. From opt-in or opt-out consent requirements prior to processing to the ability to have a business delete personal data, these laws focus more on giving individuals control over their data than on creating specific rules for how businesses may process personal data.


But what about HIPAA? I have often seen HIPAA mentioned in the same breath as these laws, with some commentators suggesting HIPAA likewise gives consumers (or in the context of HIPAA, patients) control over their data. Is this true? Is HIPAA in the same vein as the GDPR, CCPA, or other privacy regulations or laws?


Generally speaking, no. HIPAA does not grant consumers the ability to control their data on par with the GDPR and state privacy laws.


Notably, HIPAA does not require regulated entities (i.e., covered entities) to obtain consent prior to processing a patient's data. Likewise, patients do not have many opt-out rights. In fact, although HIPAA allows individuals to submit an opt-out request (what HIPAA refers to as a "restriction request"), there is only one request that a covered entity must agree to. Moreover, if a covered entity voluntarily agrees to a restriction request, it may unilaterally terminate that agreement and the underlying restriction.


Going beyond how individuals can control their data, HIPAA is less focused on consumers because it grants them a smaller basket of rights. Under HIPAA, individuals have a right to request access to their data, to request that their data be amended, to receive an accounting of disclosures of their data, and so forth. However, HIPAA does not grant individuals rights commonly found under other privacy laws, such as the right to deletion or the right to confirm.


Importantly, this is a feature rather than a bug. When first drafted, HIPAA's Privacy Rule required covered entities to obtain consent from patients prior to processing their data. In subsequent versions the consent requirement was removed over concerns that it would impede the delivery of healthcare. Likewise, HIPAA grants consumers a smaller basket of rights because the drafters sought to navigate the numerous federal and state healthcare regulations and laws, such as those pertaining to medical record retention; the absence of a right to deletion follows directly from those retention requirements.




This is important to understand because it highlights that industries and sectors are not homogeneous in terms of data processing and their ability to manage the administrative requirements that come with it. Accordingly, this calls into question the wisdom of eschewing a sectoral approach to data privacy regulation in favor of a comprehensive one. Furthermore, because of the impetus behind the GDPR and state data privacy laws, a comprehensive approach would likely need to be more in line with those laws. This is problematic for two reasons.


First, a comprehensive approach ignores the differences between industries and assumes that data processing is a monolith; a monolith not only in terms of data processing needs of companies within the industry, but also of consumer expectations. Do consumers expect data to be handled in the same manner in the healthcare industry as in, say, the streaming services industry?


Second, adopting a comprehensive approach to data privacy regulation more akin to the GDPR or state privacy laws would require certain industries--specifically the healthcare industry--to overhaul their privacy compliance programs. It may come as a surprise to some, but a privacy compliance program designed to comply with HIPAA would be unlikely to meet the requirements of the GDPR, CCPA, or any number of other privacy laws or regulations (which is not to suggest HIPAA is less protective of the data under its purview).


HIPAA is not a consumer-focused privacy regulation, and that is by design. That design should inform regulators and advocates when deciding whether to eschew a sectoral approach to data privacy regulation in favor of a comprehensive one. More importantly, here in the United States, such a shift to a comprehensive approach would be disruptive to the healthcare industry.
