Health data privacy is no longer just about preventing ransomware attacks. It’s about understanding how patient information legally moves through the healthcare ecosystem — and how it may be shared, aggregated, or even monetized without patients fully realizing it.
In this episode of the HIPAA Insider Show, Adam Z. sits down with Dr. Edward Sharpless, Co-Founder of HealthConsent, to expose the multi-billion-dollar health data broker industry and explain how individuals and practices can regain control.
Your Health Data Is For Sale Without You Knowing
“HIPAA Enables the Sharing of Medical Information Freely.”
One of the most eye-opening moments in the discussion came when Dr. Sharpless said:
“From a patient perspective, believing that HIPAA prevents the sharing of their medical information is a bit of a myth. HIPAA enables the sharing of their medical information freely. It’s really kind of a data sharing framework disguised as a privacy firewall.”
That statement reframes how we think about medical data privacy.
While HIPAA absolutely provides important protections, it also permits broad disclosures of protected health information (PHI) for treatment, payment, and healthcare operations (TPO). The U.S. Department of Health & Human Services outlines these permitted uses in its official guidance on TPO disclosures (HHS).
In other words, patient data can legally flow between providers, clearinghouses, payers, and other entities without additional consent at every step.
For small practices, that means your health data privacy exposure may extend beyond your walls.
Not sure how far your data travels — or where your real exposure exists?
→ Schedule a Free HIPAA Risk Assessment
15-minute intake. Clear remediation plan. Trusted by healthcare providers nationwide.
The Healthcare Data “Food Chain”
Dr. Sharpless explained the data lifecycle in simple terms:
“You visit the doctor. The doctor puts notes into an EMR. The EMR processes claims to a clearinghouse. The clearinghouse sends it to payers. And that data ends up in the hands of data brokers.”
He referred to it as a “food chain.”
That chain may include:
- EHR systems
- Clearinghouses
- Billing services
- Insurance payers
- Analytics vendors
- De-identified data aggregators
This isn’t necessarily a breach. It can occur within existing legal frameworks.
That’s why health data privacy is not just a cybersecurity issue — it’s a governance issue.
“De-Identified Doesn’t Mean Anonymous.”
HIPAA allows two primary de-identification methods — Safe Harbor and Expert Determination — both detailed in official HHS guidance.
However, research shows that even de-identified datasets may be re-identified when combined with other datasets. A well-known study from Harvard’s Data Privacy Lab demonstrated that a small number of demographic attributes can uniquely identify a large portion of individuals under certain conditions.
Modern identity resolution techniques (sometimes referred to as tokenization) allow datasets to be connected across systems.
This shifts the conversation around healthcare data security from “Did we remove names?” to “Can this dataset be recombined downstream?”
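An added illustration of that downstream question, not code from the episode or from HealthConsent: it takes a constructed table that already has names stripped, measures how many rows are unique on the ZIP, birth date and sex trio the Data Privacy Lab study used, then applies two Safe Harbor generalizations (3-digit ZIP, year-only birth date with ages over 89 collapsed into a 90+ bucket) and measures again. The sample records, the release year, and the assumption that the 3-digit ZIP population rule is checked elsewhere are all constructed for the example.

```python
"""Measure residual re-identification risk in a 'de-identified' table.

Added example; not code from the HIPAA Insider Show or HealthConsent.
Records, the reference year and the choice of quasi-identifiers are
constructed for illustration.
"""
from collections import Counter

# Constructed sample: names and MRNs already stripped, but full 5-digit
# ZIP and full birth date kept. 'dx' stands in for the sensitive payload.
RECORDS = [
    {"zip": "02139", "dob": "1965-07-12", "sex": "F", "dx": "E11"},
    {"zip": "02139", "dob": "1965-07-12", "sex": "F", "dx": "I10"},
    {"zip": "02139", "dob": "1965-03-02", "sex": "F", "dx": "J45"},
    {"zip": "02140", "dob": "1972-11-30", "sex": "M", "dx": "E11"},
    {"zip": "02141", "dob": "1972-01-15", "sex": "M", "dx": "F32"},
    {"zip": "02142", "dob": "1931-05-05", "sex": "F", "dx": "I10"},
]
QUASI_IDS = ("zip", "dob", "sex")   # attribute trio from the Data Privacy Lab study
REFERENCE_YEAR = 2025               # assumption: the year the dataset is released


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest class size; k == 1 means at least one person is unique in the table."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids=QUASI_IDS):
    """Share of records that are the only member of their class, i.e. directly
    linkable if another dataset carries the same attributes."""
    classes = equivalence_classes(records, quasi_ids)
    unique = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return unique / len(records)


def safe_harbor_generalize(record, reference_year=REFERENCE_YEAR):
    """Apply two Safe Harbor rules to one record: ZIP truncated to 3 digits and
    birth date reduced to year, with ages over 89 collapsed into a '90+' bucket.
    Safe Harbor also requires the 3-digit ZIP area to hold more than 20,000
    people; that population check is assumed to happen elsewhere."""
    birth_year = int(record["dob"][:4])
    age = reference_year - birth_year
    return {
        **record,
        "zip": record["zip"][:3],
        "dob": "90+" if age > 89 else str(birth_year),
    }


def risk_report(records, quasi_ids=QUASI_IDS):
    """Compare uniqueness before and after generalization."""
    generalized = [safe_harbor_generalize(r) for r in records]
    return {
        "raw_k": k_anonymity(records, quasi_ids),
        "raw_unique_fraction": unique_fraction(records, quasi_ids),
        "generalized_k": k_anonymity(generalized, quasi_ids),
        "generalized_unique_fraction": unique_fraction(generalized, quasi_ids),
    }


if __name__ == "__main__":
    for key, value in risk_report(RECORDS).items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

Generalization drops the unique share from four rows in six to one in six, but k stays at 1: the oldest patient remains alone in her class even after bucketing. Safe Harbor removes listed identifiers; it does not promise a minimum group size, which is exactly the residual risk an Expert Determination is meant to quantify before data leaves the practice.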
The Privacy vs. Patient Outcomes Debate
Adam raised a fair counterpoint during the interview:
“There’s always a balance between privacy and patient outcomes.”
Care coordination matters. Emergency access matters.
But the real question is whether secondary monetization of de-identified data should be automatic or transparent.
HIPAA does allow patients to request certain restrictions in specific circumstances under federal regulation (45 CFR § 164.522).
The issue isn’t necessary treatment disclosures.
The issue is blanket authorization without visibility.
What This Means for Small Medical Practices
If you operate a clinic, private practice, or specialty group, strengthening medical data privacy doesn’t require building a full security operations center — but it does require intention.
Here’s where to start:
1. Enforce Role-Based Access
Ensure team members only access the minimum data required.
2. Audit Vendor Agreements
Understand:
- Who receives PHI
- Who receives derived or de-identified data
- Whether onward sharing is permitted
3. Enable Logging and Monitoring
You must be able to answer:
- Who accessed what?
- When?
- From where?
4. Perform Regular HIPAA Penetration Testing
Test your real-world exposure — don’t assume compliance equals security.
→ Learn more about HIPAA Pen Testing
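An added example, not from the episode or any vendor, of the audit that items 1 and 3 above imply: a small role-to-record-type policy is applied to constructed EHR-style access log lines, flagging reads outside the user's role or from outside the clinic network, and a second function answers "who accessed what, when, from where" for one patient. The log format, role names, network range and user names are all assumptions; a real EHR's audit log will look different.

```python
"""Audit PHI access log lines against a minimum-necessary role policy.

Added example; not code from the HIPAA Insider Show or any vendor.
The log format, ROLE_POLICY, CLINIC_NETWORK and the log lines are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed policy: each role may open only the record types it needs.
ROLE_POLICY = {
    "physician": {"chart", "lab", "note"},
    "nurse": {"chart", "lab", "note"},
    "billing": {"billing", "demographics"},
    "front_desk": {"demographics"},
}
CLINIC_NETWORK = ipaddress.ip_network("10.20.0.0/16")  # assumption: on-site address range

# Constructed log lines: ISO timestamp followed by key=value fields.
LOG_LINES = [
    "2024-03-04T08:12:03Z user=jsmith role=nurse action=read record=chart patient=P1001 src=10.20.4.17",
    "2024-03-04T08:13:41Z user=jsmith role=nurse action=read record=billing patient=P1001 src=10.20.4.17",
    "2024-03-04T23:55:10Z user=rlee role=front_desk action=read record=lab patient=P2002 src=203.0.113.9",
    "2024-03-04T09:02:00Z user=dpatel role=physician action=write record=note patient=P1001 src=10.20.7.3",
]


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str
    record: str
    patient: str
    src: str


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into an AccessEvent."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    # fromisoformat does not accept a trailing 'Z' on older Pythons; spell out UTC.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return AccessEvent(when, fields["user"], fields["role"], fields["action"],
                       fields["record"], fields["patient"], fields["src"])


def findings(event):
    """Return the policy violations for one event (empty list means clean)."""
    issues = []
    if event.record not in ROLE_POLICY.get(event.role, set()):
        issues.append(f"role '{event.role}' is not permitted to access '{event.record}'")
    if ipaddress.ip_address(event.src) not in CLINIC_NETWORK:
        issues.append(f"access from outside the clinic network ({event.src})")
    return issues


def audit(lines):
    """Map each user with at least one violation to a list of dated findings."""
    report = {}
    for line in lines:
        ev = parse_line(line)
        for issue in findings(ev):
            report.setdefault(ev.user, []).append(
                f"{ev.ts.isoformat()} {ev.patient}/{ev.record}: {issue}")
    return report


def who_accessed(lines, patient):
    """Answer 'who accessed what, when, from where' for a single patient."""
    return [(ev.user, ev.record, ev.ts.isoformat(), ev.src)
            for ev in map(parse_line, lines) if ev.patient == patient]


if __name__ == "__main__":
    for user, issues in audit(LOG_LINES).items():
        print(user)
        for issue in issues:
            print("  ", issue)
    print(who_accessed(LOG_LINES, "P1001"))
```

Two of the four constructed events are flagged: the nurse opening a billing record (a role-scope violation even though the access came from inside the clinic) and the front-desk user reading a lab result from an external address. The patient-level query is the one a practice needs to answer when a patient or regulator asks who looked at a chart.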
Harden Your Infrastructure
If your EHR, patient portal, or applications are hosted in the cloud, infrastructure configuration matters.
→ Get a HIPAA Hosting Quote
Secure, segmented, audit-ready environments built for healthcare workloads.
Managed Services That Continuously Enforce Healthcare Data Security
Small practices often ask:
“What managed services can continuously monitor and enforce medical data privacy rules?”
At minimum, your environment should include:
- Continuous vulnerability scanning
- Patch management
- Centralized logging
- Suspicious activity alerting
- Backup validation
- Incident response readiness
→ Explore Managed HIPAA Services
Proactive monitoring. Real healthcare expertise. 24/7 protection.
“Compliance Isn’t Just About Checking Boxes — It’s About Building Trust.”
Adam closed the episode with:
“Compliance isn’t just about checking boxes. It’s about building trust.”
Health data privacy is quickly becoming a competitive differentiator.
Patients expect transparency.
Regulators expect documentation.
Breaches continue to rise.
Practices that lead with privacy will earn long-term trust.
If you want to strengthen your health data privacy posture and reduce your exposure risk:
→ Request a Free Consultation
Fast scope. Clear pricing. HIPAA-focused guidance.