by dragonwriter 2041 days ago
It's HIPAA, and there's no such meaningful category as HIPAA-adjacent data. Data is either PHI held by HIPAA covered entities or it's not, and consumer health and wellness data that one would see as being equally sensitive but that involves consumer transactions with an entity which is not a “covered entity” as defined in HIPAA (including where the consumer takes information from a covered entity and provides it to the service, so that the service is engaged by the consumer but has no business relation to the covered entity) is simply not PHI protected by HIPAA.

On the other hand, the information you describe from a pharmacy customer isn't “HIPAA adjacent”, it's just plain HIPAA PHI. On the gripping hand, lots of places have fairly weak internal controls on access to PHI; there is no required independent certification of practices, only after-the-fact enforcement when an unauthorized use occurs, is reported, and is investigated. And lots of places that haven't been caught out yet have training in what you're not allowed to do with data, but inadequate controls on what you can do and inadequate auditing of what you have done.

1 comment

Minor quibble - HIPAA and HITECH are not the same thing, but many people lump the two together.

HIPAA is the general policy. HITECH is what regulates how that policy can be implemented in technology.

> Minor quibble - HIPAA and HITECH are not the same thing

They are separate legislative actions, but HITECH is largely amendments to HIPAA, and can't really be considered in isolation. References to what HIPAA requires generally refer to not only the original HIPAA enactment but subsequent amendments (such as, but not limited to, those in the ACA and HITECH), and regulations and guidance adopted under HIPAA (as amended). Distinguishing HITECH from HIPAA makes sense in terms of discussing legislative history, but less so in terms of discussing current rules.

It is also not accurate to draw the division as HIPAA being "general policy" and HITECH being "how that policy can be implemented in technology." It's true that HITECH (more precisely, guidance/regulation mandated by and adopted subsequently to HITECH's amendments to HIPAA) provides more technical specificity in some areas, particularly privacy/security, than was in HIPAA (and regulations under HIPAA) prior to HITECH, but HITECH also amended aspects of HIPAA that fall into the general policy area (for instance, direct liability of Business Associates), and there were specific technical standards adopted under HIPAA prior to HITECH and also under mandates stemming from post-HITECH (notably, ACA) amendments to HIPAA.