Anna Mizzi
88 Geo. Wash. L. Rev. 481
Technology knows the most intimate details of our lives: our exercise and eating habits, our ability to conceive children, even how often we dream or have sex. Companies like the fitness wearable giant FitBit, the meditation and anxiety support app Headspace, and the widely used period and ovulation predictive company Flo Health, Inc., have built their businesses on the interaction between the consumer’s raw health data and the company’s data analysis. The increasing prevalence of consumer health interactive analysis companies (“CHIACs”) and the consumerization of health care have, however, far outpaced existing patient-consumer protection laws. This lack of regulation creates an environment where individuals have little control over their own health data. CHIACs frequently buy and sell sensitive health data with virtually no patient-consumer consent or notification. Intensely private information is now easily discoverable by anyone with access to the internet— including employers,4 credit score or insurance companies, and even criminals. This Note argues that the best way to fill this regulatory gap is to bring CHIACs into the existing interpretation of “covered entities” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).