Indiana Law Journal

Publication Date

Fall 2022

Publication Citation

97 Indiana Law Journal 1505 (2022)


One lasting impact of the Health Insurance Portability and Accountability Act (HIPAA) is the privacy protections it provides for our sensitive health information. In the era of Big Data, however, much of our health information exists outside the traditional doctor-patient dynamic. From wearable technology, to mobile applications, to social media and internet browsing, Big Data organizations collect swaths of data that shed light on sensitive health information. Big Data organizations largely fall outside of HIPAA’s current framework because of the stringent requirements for when the HIPAA protections apply, namely that the data must be held by a covered entity, and it must originate from a select few sources. Thus, the very same sensitive health information is covered by HIPAA when a physician obtains it but falls outside of HIPAA’s purview when it is in the hands of Big Data organizations. Without HIPAA’s protections, Big Data organizations are free to exploit their consumers’ sensitive information without their consent and often without their knowledge.

This Note first explores the current HIPAA framework with a goal of identifying the gaps that allow Big Data to fall outside of its reach. This Note identifies two primary requirements that allow Big Data organizations to escape the privacy regulations but could, if amended, force these organizations possessing sensitive health information into compliance with HIPAA. Finally, this Note proposes an amended HIPAA framework to cover Big Data by borrowing solutions employed by the European Union and the state of Texas.