HHS report leaves it to Congress to fill privacy gaps on health data

A report on privacy and security concerns surrounding new technology that collects health data, such as wearable fitness trackers, admitted regulations like HIPAA haven’t kept pace with new developments.

The 32-page study, entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” was jointly produced by the Office of the National Coordinator of Health IT (ONC), HHS’s Office of Civil Rights (OCR) and the Federal Trade Commission (FTC).

In examining how existing privacy and security laws can apply to “mHealth (mobile health) technologies” and “health social media,” the agencies determined that as non-covered entities (NCEs) under HIPAA, regulators have little authority to take actions on potential data breaches.

“The rapidly increasing mobile technology environment enables the sharing of information with many different parties in a variety of ways,” the report said. “However, for NCEs, there are no federal requirements for policies, or related notices, to inform individuals about practices that may impact the privacy and security of their health information.”

An exception would be when NCEs can be found to be engaging in unfair or deceptive business practices by not reasonably protecting a consumer’s health information, which would allow the FTC to get involved. The study identified several areas where new technologies are offering security far below what would be required of healthcare providers under HIPAA, like a lack of data encryption.

In the absence of enforceable federal standards, industry groups have stepped in with voluntary guidelines—but companies have largely ignored them.  

“For example, in October 2015, the Consumer Electronics Association (CEA) issued ‘Guiding Principles on the Privacy and Security of Personal Wellness Data.’ These guidelines can be adopted by companies, but are not required of CEA members,” the report said. “As of July 2016, we have been unable to identify any companies that have adopted the guidelines. In short, despite the best efforts of the administration, the FTC and industry, no widely adopted, comprehensive voluntary code of conduct has emerged.”

In its conclusion, the report said the confusing gaps in government oversight surrounding these new technologies should be filled by updating laws and regulations, both to ensure data security for users and “to create a predictable business environment for health data collectors, developers and entrepreneurs."

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.