Notice & Comment

The Celebrity Hacking Scandal and HIPAA

My health law students and I were discussing HIPAA’s Privacy Rule when we got to talking about the iCloud hack of the nude celebrity photos. Although publication of the photos was a grotesque invasion of the celebrities’ privacy, there’s been no big push for the federal government to pass a law requiring Apple to take better care of its customers’ data. Yet the federal government already has a law in place—the Privacy Rule—that closely regulates how health-care providers protect their patients’ medical records.

Why do we treat medical data so differently from other personal data? The answer isn’t obvious, at least not to me. It’s probably not because medical data is categorically more sensitive. When I asked my students whether it’d be a bigger invasion of their privacy to search their medical records or whatever data their phones sent to the cloud, their answer was unequivocal and universal: the cloud data.

I think that’s what most of us would say, at least those of us with one foot in the digital age. That’s not to minimize the importance of medical privacy. But just think about the snarky emails, off-color text messages, and (maybe) naked selfies you’ve got floating around in the cloud. Are those really less sensitive than an embarrassing medical condition? For some people, sure. But for most?

Maybe there’s a better reason. Studies consistently show that people are really, really worried about medical privacy. Without HIPAA’s Privacy Rule, maybe people would avoid doctors or refuse to tell them everything they need to know. That’d be a problem. In contrast, people who fear the disclosure of their other personal data can always unplug from the cloud or change their privacy settings. No big deal.

There’s something to this, but I’m not sure it stands up to close analysis. For one thing, I doubt that members of the public know enough about the Privacy Rule to change their behavior. For another thing, participating in digital life isn’t really a choice. It’s a fact. It’s perfectly reasonable to think that the price for connecting to the cloud shouldn’t be the surrender of personal privacy. If we need a law to get people to go to the doctor, why wouldn’t we also need a law to make people comfortable with the cloud?

I can think of one other reason for treating medical information differently. Technology companies like Google, Apple, and Facebook know that they’ll lose customers if they’re careless with personal data. Even when data breaches happen, the story goes, we can trust they’re doing all they can to stop them. Maybe medical providers don’t face the same incentives. They’ll be reckless with medical data because the market won’t adequately punish them if they are. Like sheep, the patients will still come.

But is that right? It’s certainly plausible. Still, I wonder. It’s not like providers don’t care about the market. Hospitals cultivate their reputations, for example, because those reputations affect their bottom lines. They can’t just brush off newspaper exposés about data breaches. When Stanford Hospital in Palo Alto accidentally posted data on 20,000 ER patients, or when a laptop containing 33,000 medical records was stolen from a Cedars-Sinai employee, the hospitals didn’t just worry about the potential HIPAA penalty. They also worried that the scandals would drive away patients.

Sure, the incentives for technology companies might be sharper than for health-care providers. Patients can’t pick where they get treatment as easily as they can pick which company carries their personal data. Yet, as Richard Epstein has observed, there was no “explosion of improper disclosures of sensitive [medical] information” prior to the advent of the Privacy Rule, in part because providers were already subject to state privacy laws. And I’m not aware of evidence that hospitals and doctors were systematically cavalier about patient records. (Lurid anecdotes don’t count.) In any event, it’s not like Facebook, Apple, or Google have always put their customers’ privacy first.

So I guess I’m left scratching my head. If we think that HIPAA’s Privacy Rule makes for good policy, shouldn’t we also consider a similar rule for companies that have custody over cloud data? Alternatively, if we think it’d be counter-productive to superintend data privacy at Apple, might it also be counter-productive to do it at hospitals and physician practices?