HHS report leaves it to Congress to fill privacy gaps on health data

A report on privacy and security concerns surrounding new technology that collects health data, such as wearable fitness trackers, admitted regulations like HIPAA haven’t kept pace with new developments.

The 32-page study, entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” was jointly produced by the Office of the National Coordinator of Health IT (ONC), HHS’s Office of Civil Rights (OCR) and the Federal Trade Commission (FTC).

In examining how existing privacy and security laws can apply to “mHealth (mobile health) technologies” and “health social media,” the agencies determined that as non-covered entities (NCEs) under HIPAA, regulators have little authority to take actions on potential data breaches.

“The rapidly increasing mobile technology environment enables the sharing of information with many different parties in a variety of ways,” the report said. “However, for NCEs, there are no federal requirements for policies, or related notices, to inform individuals about practices that may impact the privacy and security of their health information.”

An exception would be when NCEs can be found to be engaging in unfair or deceptive business practices by not reasonably protecting a consumer’s health information, which would allow the FTC to get involved. The study identified several areas where new technologies are offering security far below what would be required of healthcare providers under HIPAA, like a lack of data encryption.

In the absence of enforceable federal standards, industry groups have stepped in with voluntary guidelines—but companies have largely ignored them.  

“For example, in October 2015, the Consumer Electronics Association (CEA) issued ‘Guiding Principles on the Privacy and Security of Personal Wellness Data.’ These guidelines can be adopted by companies, but are not required of CEA members,” the report said. “As of July 2016, we have been unable to identify any companies that have adopted the guidelines. In short, despite the best efforts of the administration, the FTC and industry, no widely adopted, comprehensive voluntary code of conduct has emerged.”

In its conclusion, the report said the confusing gaps in government oversight surrounding these new technologies should be filled by updating laws and regulations, both to ensure data security for users and “to create a predictable business environment for health data collectors, developers and entrepreneurs."

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."