A closeup of a smartphone in the hands of a dark-skinned doctor
Photo: National Cancer Institute/Unsplash

HIPAA is a poor substitute for trust

Protocol Policy

Hello, and welcome to Protocol Policy! Today we look at how Big Tech faces a trust gap in the health care space that HIPAA can’t fill; in D.C., the Commerce Department is planning to further limit exports of AI chips to China; and Truth Social’s SPAC faces liquidation.

The limits of HIPAA

Big Tech wants in on health care, but that doesn’t mean its efforts to break into the industry will always go smoothly. Amazon, for instance, didn’t wind up acquiring Signify, and its agreement to acquire One Medical for $4 billion now faces an FTC investigation.

  • Regardless of how those go, Amazon and Big Tech as a whole will continue to set their sights on health care. I mean, even TikTok parent ByteDance spent $1.5 billion to acquire a chain of birthing hospitals in China for unclear reasons.
  • As NYU professor Scott Galloway pointed out: To keep growing and to justify their enormous valuations, tech giants basically have no choice but to enter the health care market.

It’s easy to concoct troubling scenarios for what Big Tech can do with our health data. We may wonder, for instance, whether Amazon could use a pregnancy checkup at One Medical to recommend diapers on Prime, or we might worry that anxiety symptoms could be used to target medication ads through Amazon Pharmacy.

HIPAA doesn’t do as much for privacy as you might expect. Congress created the Health Insurance Portability and Accountability Act in 1996 as part of an effort to make it easier for individuals to move their health information between providers (hence the “portability” part). Privacy rules weren’t issued for HIPAA until 2000 and didn’t go into effect until 2002. Two decades later, there’s still a lot of confusion about the scope of these rules.

  • HIPAA only applies to covered entities. Health care providers count as covered entities under HIPAA, meaning they must abide by all of the privacy restrictions. However, having one health care unit doesn’t mean your entire company must abide by HIPAA. The same goes for any “health” data collected by a non-medical business unit.
  • For example, wearable heart rate or period-tracking data collected by a tech company wouldn’t be covered by HIPAA, even if that company operates a primary care facility. That data can be sold for a profit (as we’ve seen with fertility apps) and HIPAA would have no say in the matter.
  • Patients can grant permission for their health data to be used elsewhere. Under HIPAA, covered entities can give patients a Notice of Privacy Practices that informs them how their health information will be used and disclosed. Many of us are accustomed to scrolling through terms and conditions lists and clicking “I agree” to get to the next step. That’s a problem, because HIPAA doesn’t require covered entities to ensure patients understand what they’re signing away — only that disclosures are written in plain language.

But selling sensitive user health data could ultimately limit Big Tech’s health care ambitions. There’s a lot more money to be made in actually running a full-service health system trusted by patients rather than running a full-service health system that can’t attract patients because they’re too afraid of having their data sold.

  • “In my mind, that’s not a data play,” Nigam Shah of Stanford Medical School told Protocol when asked about Amazon’s acquisition of One Medical.
  • “Health care is good business,” Shah added. “What’s going to happen is a company that is so passionate about pleasing and delighting its customers is now entering health care, where, historically, the incumbent providers’ attitude towards patients has been neglect, so to speak.”

Ultimately, patients still don’t trust tech companies. More than 67% of patients in the U.S. said they weren’t comfortable with big technology companies having access to their private medical information, according to a 2022 survey from the American Medical Association. Patients were instead much more likely to trust their doctor’s office or a hospital/health system with that data.

  • That’s a problem not only for tech companies’ ability to attract patients, but also for their ability to make good on the promise of data-enhanced health care.
  • “We trust nobody to give our data to,” said Shah. “So we have a problem, and that is the essence of the issue here: It is not HIPAA, it is not tech — it is the U.S. is a low-trust society. You go to Scandinavian countries and the government collects things that, even if we saw the list, we would shudder in this country.”

Tech companies could try to win back our trust (good luck) or advocate for stronger health care privacy laws. In the absence of trust, stronger privacy laws might ease patients' concerns over tech companies having access to sensitive medical data.

  • Congress has recently introduced a few bills that tackle health care privacy, though none have passed. The Health Data Use and Privacy Commission Act from February acknowledged the need to adjust HIPAA to “account for the evolution of emerging technologies, data and data management tools, and the modernization of health care delivery.” And the Stop Commercial Use of Health Data Act introduced in August attempts to limit the use of personally identifiable health data for advertising purposes.
  • The challenge for regulators will be coming up with rules that are strong enough to protect patients and ease their concerns while also being permissive enough to allow health care providers to capitalize on the promise of data-enhanced health care. The good news for them is this process won’t necessarily be — or at least shouldn’t be — adversarial for the most powerful tech companies. Striking that balance is very much in their favor.

— Hirsh Chitkara

In Washington

The Commerce Department plans to broaden limits on the export of chips used in AI to China, according to Reuters. While some firms including Nvidia and AMD had already learned of licensing requirements in one-off letters, the U.S. aims to issue formal rules on the matter.

The DOJ’s antitrust section is hiring up, including bringing on several high-profile attorneys from Big Law, Bloomberg Law reports. The division is dealing with a boom in mergers, and its head, Jonathan Kanter, is expected to go to court more often than his predecessors.

Coming soon

The state of innovation: Join Protocol Policy on Sept. 27 at 10 a.m. PT/1 p.m. ET as we dive into the U.S.’s national strategy on innovation, what’s working, what isn’t and what policy changes we can expect from the year ahead. RSVP here.



On Protocol

Louisiana residents desperate for reliable internet thought they were finally on the cusp of getting it. Then a big provider swooped in, insisting it already covers the area — and any funds should go elsewhere. It’s an example of how challenge processes for infrastructure grants can get in the way of rolling out billions meant to expand broadband connectivity.

The Defense Department and U.S. Geological Survey are hoping AI and ML can help map American reserves of 50 minerals that are critical to the energy transition. Although the U.S. has an ample supply of many of these minerals, it frequently must rely on foreign sources because, sometimes, nobody actually knows where the minerals are. The tech will be designed to get a digital handle on older, analog maps.

9/11 helped push the U.S. to digitize checks and caused an (initial) boom in remote work technology. 21 years later, the lessons are an indicator of how our world may change after COVID-19.

In the C-suite

The SPAC hoping to take Truth Social public — but that could face liquidation if it does so now — reportedly doesn’t have the votes to delay the merger with Trump’s app, according to CNBC. Instead, Digital World Acquisition Corp. has had to delay the vote on delaying the merger. It also received an infusion of cash from a related company that triggered an automatic extension. Got all that?

Amazon is buying a Belgian company that helps move goods in warehouses and package them for delivery. The ecommerce giant has been on a buying spree that’s attracted the attention of the FTC.

In data

17.6 million hours: That’s the cumulative time Instagram users spent per day watching Reels, which was less than 10% of the time users spend on TikTok, according to a leaked research document obtained by the Wall Street Journal. Even more damning: Reels engagement declined nearly 14% over the past month. Yikes.




The return of the NFL season is one of the few things that makes the end of summer more tolerable (better sleeping weather is the other). Anyhow, Sen. Amy Klobuchar probably appreciated the decisive Vikings win yesterday, but she also noticed something else about the games: “Hey big tech companies, no one in the sports bar liked seeing your negative ads against my bill playing during the Sunday football games,” she tweeted. “Give it a break. We know you have the money to run them. Congrats…”

Thanks for reading — see you Wednesday!
