Wed, Feb 21
It’s HIPAA, not HIPPA
People often have the misconception that HIPAA is a health privacy law that protects all health data and gives them a right not to disclose their sensitive information. The unfortunate truth is that the “Health Insurance Portability and Accountability Act” is far from the privacy law most people believe it to be. HIPAA applies only to a select group of organizations, such as medical providers and insurers, called “covered entities,” and to associated entities called “business associates.” In the past few years, there has been an explosion of digital health websites and mobile apps that collect, store, use, and sell health data. However, the majority of these services don’t connect users with a medical provider or require health insurance and are therefore not covered by the data protections and regulations imposed by HIPAA.
To better understand the evolving environment of non-HIPAA-covered health data, I attended Duke’s Data Privacy Day—a two-panel conference at the Duke Law School on February 2nd. In the first panel, privacy expert Marc Groman and medical provider Dr. David Reitman discussed the data privacy concerns of mental health apps. David highlighted how health providers see mental health apps as an outside-the-box solution for the current shortage of mental health professionals, while Marc underscored how mental health apps turn patients into products by selling sensitive health information collected during services. By hearing from both a privacy and medical perspective, the discussion shed light on the tension between the duty of care and the right to privacy while providing a relevant example of a category of apps that collect health data but are not subject to HIPAA regulation.
The second panel, composed of privacy experts with distinctive backgrounds, discussed potential solutions to the growing quantity of non-HIPAA-covered health data. The panel generated interdisciplinary conversations about solutions to protecting health data while maximizing its benefit to society. Each panelist brought a unique perspective to the table, attuned to the concerns, limitations, and arguments in their respective fields. Dr. Rachele Hendricks-Sturrup, who is a Duke Health Policy Researcher in Real-World Evidence, was particularly attuned to how non-health data, like location data or credit card data, can be used to infer information about your health. Maneesha Mithal, lawyer and former leader of the FTC’s Division of Privacy and Identity Protection, expanded on the FTC’s evolving role in protecting health data.
Health data privacy is a complex problem that requires a diverse set of perspectives and expertise to solve. Duke’s Data Privacy Day is just one example of the co-curricular events sponsored by Science & Society that focus on creating an environment where interdisciplinary conversations are welcomed and thrive. As an MA in Bioethics and Science Policy student, I frequently engage in classroom dialogue with fellow students and professors. However, the hallmark of my education thus far is events like Data Privacy Day where I can interact with and learn from experts around the world, gaining insight into the most pertinent conversations in ethics and policy.
Liz Sparacino, Duke MA in Tech Ethics & Policy
Liz Sparacino enrolled in the Duke Master of Arts in Bioethics & Science Policy to better understand how to articulate and advocate for the bioethical issues that arise at the intersection of science, technology, and society. Throughout her career, she hopes to address these concerns before new genetic technology is implemented and to continue to advocate for people with disabilities.
DISCLAIMER: These reflections represent the views of the student and not necessarily the views of the Duke Initiative for Science & Society or the Bioethics & Science Policy Masters Program. Our program represents myriad views and ideologies and we welcome open discussion on potentially controversial subject matter as it relates to society.