Regulated Beauty

Episode 2: HIPAA, Health Data & Who Actually Has to Follow the Rules

Leech Tishman Season 1 Episode 2

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 23:13

In this episode, our hosts outline what HIPAA really covers, and why so many beauty and wellness businesses aren’t actually regulated by it. The team explains the difference between medical vs. health information, who counts as a “covered entity,” and why cash‑pay practices like most med spas fall outside HIPAA’s scope.

We also touch on how smartphones and digital health apps created a huge gap in data protection, leading the FTC to roll out its own Health Breach Notification Rule back in 2009, a rule that sat dormant for years until the FTC suddenly started using it in 2022–2023.

This episode lays the groundwork for understanding why wellness brands, med spas, and consumer apps are now firmly on regulators’ radar.

Disclaimer:

The content of this podcast is for informational purposes only. It is not intended to, and does not constitute, legal advice or a solicitation for the formation of an attorney-client relationship. The information in the podcast is not a substitute for obtaining legal advice from an attorney licensed in the appropriate jurisdiction. Podcast listeners should not act upon any information in the podcast without first consulting legal counsel of their own directly.

 This podcast does not constitute the practice of medicine, nursing or other professional health care services, including the giving of medical advice. The use of information on this podcast or materials mentioned in this podcast is at the user’s own risk. 

SPEAKER_02

Welcome to Regulated Beauty, a podcast that brings clarity to the complex legal landscape of beauty and wellness.

SPEAKER_01

As attorneys in Lee Chishman's Beauty and Wellness Industry Group, we are here to demystify regulations affecting your favorite brands, friends, and influencers.

SPEAKER_00

If you've ever wondered about the rules and regulations and why they matter, welcome. You're in the right place. Let's get started. So before we even launch into this discussion, it's worth explaining why so many of the federal government's three-letter agencies even care about the beauty and wellness industry and why our podcast is called Regulated Beauty. Because this isn't about makeup or skincare, right? It's about an industry where health, wellness, and consumer trust intersect. And from influencer marketing and social media promotions to digital health apps and wellness products, companies are constantly navigating rules around truthful advertising, proper disclosure, and the safe handling of health information. So by understanding how these agencies enforce these rules, we can see how regulation shapes not only beauty products, but also the broader wellness and lifestyle ecosystems. So it's worth setting the stage and kind of getting into HIPAA, which really started kind of this broader discussion.

SPEAKER_01

Sure. Thanks, Carolina. I think it's important to sort of start out with like regular people's like regular consumers' perception of like medical information, health information. Like, okay, if I ask you guys like when you think patient confidentiality or like medical information, like what's the first thing that comes to mind? Hospital. Doctor's office. A hospital, doctor's office, right? And like you're not wrong, right? Like that's what regular people associate with any kind of medical information that's collected. But that's sort of an antiquated idea now. Like we sort of have to distinguish between what those typical healthcare organizations are or providers that we're sort of used to collecting our medical information. We have to distinguish that from the modern day.

SPEAKER_00

Right.

SPEAKER_01

Because there is a difference, as we'll talk about later on, there's a difference between medical information that's collected and health information. So let's take a step back to 1996. A great year. Great year.

SPEAKER_02

Can we first hold on? Can we first talk about what does HIPAA even stand for? I feel like we need to be able to tell people That's a great point. What those letters stand for.

SPEAKER_01

Sure. So I think when people think, ah, confidentiality, like healthcare privacy, people are like, HIPAA, HIPAA, HIPAA, but nobody knows what it stands for, right? What does HIPAA stand for? When was it enacted? Why, right? Why do we have it? Is it a federal or state thing? So it's a great question. Let's let's start out with that. So HIPAA actually stands for the Health Insurance Portability and Accountability Act. It's like a major mouthful, and it doesn't actually pertain to insurance. Why we call it HIPAA. Which is why we call it HIPAA, right? Um everybody misspells it, but just for clarification. One P two P two A's.

SPEAKER_00

Right.

SPEAKER_01

One P two A's. Um so HIPAA was enacted in 1996 to sort of try to garner protections over the confidentiality of patient information in the context of insurance, right? So it started out in 1996. When sort of for the first time in history, the federal government wanted to protect the confidentiality of patient information that was collected by those traditional providers we were talking about. So, like hospitals, doctors' offices, um even, you know, your local chiropractor, your local physical therapist, dentist, et cetera, that was collecting information from patients that were coming in to receive typical healthcare services. HIPAA is actually broken down into three main buckets. Um, is broken down into the privacy rule, the security rule, and the breach notification rule.

SPEAKER_00

I guess before we even go there, can you tell me a little bit more about who is subject to HIPAA?

SPEAKER_01

Sure, that's a really great question. So against against many people's perceptions, HIPAA doesn't actually apply to everyone. HIPAA actually only applies to actually a narrow, a narrow pool of individuals and entities. HIPAA applies to what we call covered entities and their business associates. So covered entities are again those institutions we were just talking about, or regular providers, like your regular primary care physician, your cardiologist, your chiropractor, your dentist, et cetera, your typical hospital that bills insurance for your services. So like cash pay practices, like your local med spa or really any cash pay clinic, any any healthcare facility that doesn't touch insurance at all, they're actually not covered by HIPAA. So the only entities and individuals that are covered by HIPAA are those traditional like providers and hospitals that take insurance. Any third party provider that works for them that sort of touches patient information, um, even like our law firm, for example, right? Like when we have healthcare clients, like we're actually a business associate and we have certain obligations.

SPEAKER_02

So it's the outside party. The covered entity is the entity itself. So the hospital.

SPEAKER_01

Right.

SPEAKER_02

The outside party is the insurance company, or something totally different.

SPEAKER_01

Something totally different, right? So that it's like third-party vendors, third-party service providers that contract with your local doctor, for example. Those would be called business associates, and they have the same obligations that the doctor does under HIPAA.

SPEAKER_00

Oh, interesting.

SPEAKER_01

Yeah. So like a billing company, like a law firm, even like your electronic medical uh record vendor.

SPEAKER_00

Yeah.

SPEAKER_01

Um not something like janitorial staff, but really any service provider that touches or manipulates or uses or discloses any confidential patient information.

SPEAKER_02

Let's just boil it down. Can we find a way to just simplify what is the true difference of being a covered entity under HIPAA, needing to care about it and how it affects you, and not being covered under HIPAA and therefore not needing to worry about this conversation?

SPEAKER_01

Yeah. So basically, if you're any kind of healthcare provider or you're a healthcare facility and you take insurance from patients and you bill that insurance for the services that you're providing, you are a covered entity definitively, and you need to comply with HIPAA with all of its rules and regulations. But if you're not, if you're a healthcare facility or you're some kind of provider that renders healthcare services or like healthcare adjacent services, or frankly, even like wellness services that are considered clinical, um, like a med spa or like, you know, any kind of like ketamine-assisted therapy, for example, that's not um covered under insurance. It's not reimbursable by insurance, then you're not a covered entity. You definitely don't have to comply with HIPAA. Um, but that's not the end of the story, right? So under HIPAA, it's important to understand like what was it intended to cover, right? Like what was intended to protect. The privacy rule, which is sort of that first main rule, it was intended to really give patients um ownership over their medical information. It was intended to, and it's still to this day, right? Much of the language is the same from when it was originally written in 1996. Basically, gives patients the right to like amend their information or like ask for a copy of it. Um, they're not allowed to be penalized for sort of wanting to take that ownership and autonomy over their own information. And it obligates those covered entities and business associates to basically comply with those patient requests.

SPEAKER_00

Okay.

SPEAKER_01

And then we have the security rule, which basically, just like it sounds, requires covered entities and business associates to really secure all of that information.

SPEAKER_00

So it kind of sounds like the privacy rule is focusing more on protecting patient privacy and it's defining the patient's rights regarding the medical records. Whereas, can you clarify a little bit more about the security rule and the the difference? It's not patient focused as much, so much as it's sounds like more technical safeguards, administrative safeguards, physical safeguards.

SPEAKER_01

So the security rule, and again, much of the language is the same, but of course it's evolved, right? Like HIPAA has gone through a few iterations. So now we have these actual federal uh cybersecurity standards that sort of provide guidance to us and maybe even like sort of a checklist of what we need to do to maintain security of patient information. Um and HIPAA refers to it as protected health information, PHI, but I'm just gonna call it patient information throughout since it's just a teeny bit shorter.

SPEAKER_02

But wouldn't med spas technically still get patient health information? I mean, if they're doing any sort of intake form or like any cash pay healthcare institution, aren't they still getting that? So wouldn't they be covered under HIPAA? Why is that not?

SPEAKER_01

That's a really good question. So med spas actually, like I mentioned earlier, covered entities that are subject to HIPAA are only providers that are billing insurance. So med spas are the type of provider, the type of like healthcare facility that are cash pay only. Why? Because the treatments that they're doing and the medications that they're using are yeah, they're not covered. They're not medically necessary for insurance to cover them. Like if you try to bill insurance for like the Botox you go and get, right, for non-clinical purposes, for aesthetic purposes, your insurance company is gonna deny it and claim that it's it's elective. It's not medically necessary to treat an actual medical condition. So it's just gonna deny it outright.

SPEAKER_00

But if I'm getting Botox for a migraine or for jaw pain, then it changes a bit.

SPEAKER_01

That's a completely different story. That's also a really good question. So yeah, we have had a number of providers, even if they're med spas, right, um, that actually do um treatments or use the same types of medications that they would use for cosmetic purposes for actual clinical medical purposes. Um but if, again, if a med spa or any provider at the med spa is going to be using like Botox for migraine purposes, right? Which is a clinically accepted treatment for migraines, um, they would have to be credentialed with an insurance company and they would bill insurance. And by virtue of billing insurance, submitting those electronic transactions, they're automatically a covered entity and they would definitely be subject to HIPAA. So there's definitely like a few steps you have to go through to even become a covered entity. Okay. But you're right, like if it's a med spa and they're collecting health information, they have to be regulated by somebody or by something, right? Like med spas, med spas that don't that don't engage in um like clinical treatments with what we consider as like aesthetic drugs, let's say um, they're not typically subject to HIPAA. Okay. They would be subject to a different rule, which we'll get into in just a little bit.

SPEAKER_00

So okay, so you talked about the privacy rule, you talked about the security rule. That was in 1996. Fast forward 10 years, more than 10 years, what's happening around that time?

SPEAKER_01

Yeah. So in the security rule, we we uh we're basically given a guideline of the steps that providers need to take to keep information secure, right? Like institute physical safeguards, like make sure that any patient records you have on paper are in a locked cabinet. Make sure there are policies and procedures around what to do when like a patient requests their information, or or like I I don't know how many computers were um in the modern day in 1996, right? But now but now, right, like all of these um safeguards have evolved, right? So now we have uh security rules about like password management, like multi-factor authentication, stuff like that. But back in 1996, we had the privacy rules, we gave the patients their rights, we had the security rule, the providers knew what they needed to do to protect the confidentiality of patient information. There wasn't any kind of like enforcement mechanism. You'd think like there's all of this law out there, and you want people to abide by it. Right. But then what? Right, but then like how do you enforce it, right? Was there any penalty laid out there? Was there any um sort of delineation of what happens if there's a breach, right, of that protected health information? 1996 actually wasn't.

SPEAKER_02

That's crazy.

SPEAKER_01

That's crazy, right?

SPEAKER_02

That doesn't even make sense. What's the point of having it then?

SPEAKER_01

Exactly. So fast forward 13 years, guys. 13 years crazy, right? To 2009. There was a Congressional Appropriations Act. We won't get into the act itself, but boring boring, boring. But in 2009, for the first time, uh, the federal government was like, oh yeah, I guess we should probably so up until this point, if there was a breach, you're saying like no one there was a breach. Yeah, there was just a breach. There was nothing.

SPEAKER_02

As simple as that. No fines, no jail time, no nothing.

SPEAKER_01

Right. There was no reporting obligations to the federal government. Like if something happened, they were like, whoops.

SPEAKER_00

I wonder how how often that happened, where there were breaches and well, it happened a lot, right?

SPEAKER_01

Which is why in 2009 had to make a role. In in 2009, and let's let's think about what was happening around 2009. In 2007 was the first time what happened? The iPhone. The iPhone, right? The first time we saw a smartphone in history. The first time we were we like leapt into the technological future was in 2007. And so I think since then, since 1996, and then especially like boom, in 2007, we saw this like huge explosion in the use of technology, in the use of mobile technology specifically. And there was a lot more access to technology, um, more hacking attempts, frankly, right? And sort of more opportunity for different institutions to be hacked.

SPEAKER_00

Sure.

SPEAKER_01

Um, for there to be other types of breaches. So in 2009, the federal government sort of got it together and realized like we need to add an established breach notification rule.

unknown

Yeah.

SPEAKER_01

And so they did. And the breach notification rule basically says that if you have a specific breach of protected health information, and again, I'm not gonna go into the specifics. There, you know, there are a lot of guidelines, there's a lot of language around what constitutes a breach, like what are the exceptions, like sort of what do we have to look for, different mitigation measures, whatever. But if there's a if there's a legitimate reportable breach, automatically there are reporting obligations to the federal government, to the Office for Civil Rights. If the breach is over a certain number of residents in a specific state, then you might even have reporting obligations to that specific state's attorney general. You're put on like the attorney general's shame board. Oh, wow. It's like a very, it's like very, yeah, it's very, very interesting. And I'm not even gonna get into state-specific compliments of HIPAA. This was just HIPAA. This was just HIPAA in 2009. Um interestingly, in the same act, and this is what nobody talks about, right? In the same exact Congressional Appropriations Act in 2009, HIPAA passed its breach notification rule, which exploded, freaked everyone out, all of a sudden imposed major reporting obligations on all of these covered entities and business associates across the country. And at the same time, sort of sneakily, the FTC was like, oh, I guess we should, guess we should add our own. Because we're realizing that in 2007, with the boom of the smartphone, we've been seeing just in the last two years, like how explosive the industry has gotten. We're going to introduce our own uh health breach notification rule.

SPEAKER_00

So can we take a step back for a second? Absolutely and just you know, what does the FTC role even apply to? We talked about HIPAA applying to covered entities and business associates. And you mentioned that you know HIPAA is only for insurance within the with with some sort of electronic transmission, um, meaning not cash pay. So can you expand a little bit more on this rule specifically and who it applies to?

SPEAKER_01

Sure. So we'll we'll get into the FTC um perhaps in later episodes for sure. Um but for now, the FTC is a Federal Trade Commission. I'm sure everyone's heard of that acronym, and maybe it sounds familiar, maybe not, but we'll we'll sort of dive into what it is in a little bit. But the FTC sort of recognized we have this federal agency, the Department of Health and Human Services. We have this law, HIPAA, this one grand federal law that's governing the protection, the confidentiality of protected health information for specific types of entities. What about all of the other entities that are popping up that are starting to collect health information?

SPEAKER_00

Let's talk about it.

SPEAKER_01

So, like, what does that mean, right? What are we talking about? I mean, today I think it's super recognizable. We have so many digital healthcare apps. Um, we even have uh on our phones pre-downloaded, right? We have like the Samsung Health app, the Apple Health app, right? Like you don't even realize that it's there collecting your health information. When you set up a new phone, when you download any kind of new app, you go through these teeny tiny little terms and conditions that nobody ever reads. But what are they doing? Like they're collecting your health information and doing God knows what with it, right? So the FTC, I think very astutely, um, in 2009 recognized that this might be a problem, even before we even knew what a mobile healthcare app was, right? Um, and so they instituted sort of a HIPAA complement, but for those other types of entities. So all those cash bay practices like med spas, for example, um, and all of these digital health apps, which they, again, very astutely saw were coming into the future. And like they wanted to make sure that there was something on the books that they could use to regulate all of these non-covered entities that were collecting pretty sensitive confidential health information.

SPEAKER_02

So it was essentially their way to fill the gap of any now any entity that's collecting health information. It's not just covered entities that bill insurance. We will be covering all entities.

SPEAKER_01

Exactly. Yeah.

SPEAKER_00

But you kind of made it sound like nobody ever talks about it. Or do you mean more so the fact that nobody ever talks that the FTC's own rule came out at the same time that HIPAA made their respective rule?

SPEAKER_01

Exactly. Okay. Because and and again, we'll get into this in the next episode um in much greater detail, but the Federal Trade Commission has been around for a very long time, for well over a century. In fact, it's its primary sort of focus, one of its primary focuses, is to target consumer unfairness and deception. And its primary tool, primary enforcement mechanism that it's been using for over a hundred years, actually since 1914. I just checked this and looked this up the other day. Um it's called Section Five of the FTC Act. So the FTC is governed by the Federal Trade Commission Act, and it has a section within it, which we lovingly refer to as Section 5 of the FTC Act, which it uses to target any companies, healthcare or non-healthcare, right? Google, yeah, any any company you can imagine, uh unfairness and deceptive practices towards consumers.

SPEAKER_00

What do you mean? Just to give a very basic example.

SPEAKER_01

Sure. So, like I was talking about those teeny tiny little terms and conditions. Yeah. Facebook, meta, whatever we're calling it today. Uh Facebook and Google over the last decade, decade plus, two decades, specifically, and a million other companies, have been hit with serious um allegations and basically lawsuits by the FTC for hiding language in their terms and conditions and privacy policies that they put publicly on websites for consumers that they know nobody's gonna read, right? They know nobody's gonna read through those terms and conditions. They're gonna swipe through and just click that little box so you can use whatever application they're putting out. They're hiding information there that basically says that they're allowed to do whatever they want with the information that you give them. They're collecting information that you manually enter, like your full name, your date of birth, sometimes your social security number, right? Like other sensitive information, but they're also collecting information from your computer, from your computer's use of whatever application you're using, like your geographic location, your precise geographic location, the coordinates, right? Um, your IP address, um, your browsing history, your your behavior on their website. So they're target they're using all of that information to create targeted ads for you. They sell all of that information and make a killing. They make a huge profit to find consumer look aliks.

SPEAKER_00

That's wild.

SPEAKER_01

Yeah. Um I think we'll dive into the FTC conversation in the next episode. But as to the health breach notification rule, um I think it's important to sort of get back to why it's important now.

SPEAKER_00

So why is it important now?

SPEAKER_01

Like the health breach notification rule, again, was enacted into law in 2009 and then nothing happened. It sat dormant literally for almost 15 years. And the first time in history that we ever saw the FTC using the health reach certification rule was literally in 2022, 2023. Yeah, good RX, right? And I think we'll explore that in the next episode. Thanks for tuning in.

SPEAKER_00

See you next time. Thanks for joining us on Regulated Beauty, where we bring clarity to the legal side of beauty and wellness. If you found today's discussion insightful, be sure to subscribe and share the podcast.

SPEAKER_01

Have questions or topics you'd like us to cover? Connect with us at leachtishman.com or follow us on social media.

SPEAKER_02

Until next time, stay informed and stay well.