HIPAA can’t keep up with fast-moving consumer technologies

The U.S. Department of Health and Human Services (HHS) recently issued a report to Congress outlining the gaps in the scope of health data protection. The 32-page document acknowledges that “While HIPAA serves traditional health care well and continues to support national priorities for interoperable health information with its media-neutral Privacy Rule, its scope is limited.”

HIPAA rules have long applied only to covered entities and their business associates. The premise of the HHS report is that, alongside these organizations, a wave of new companies has emerged that collect, handle, analyze, and disclose health information without falling under either category.

The report goes on to explain that “The wearable fitness trackers and social media sites where individuals share health information through specific social networks, and other technologies that are common today did not exist when Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA).”

“Wearable fitness trackers, health social media and mobile health apps are premised on the idea of consumer engagement,” HHS said. “However, our laws and regulations have not kept pace with these new technologies. This report identifies the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared and used by [entities not covered by HIPAA].”

The report therefore highlights the discrepancies in health IT, data security, and patient privacy protections that arise because modern technology lets individuals manage their own health, more actively than ever before, outside the realm of traditional healthcare.

This matters for consumers who use wearables and social media sites to collect their health data: the companies behind these technologies are not subject to HIPAA, so there are considerably fewer restrictions on what can and cannot be done with the data they collect.

Large gaps in policies around access, security, and privacy are clearly prevalent, and confusion persists for both consumers and technology makers. HHS has therefore set out three goals in the report:

  • To analyze the scope of privacy and security protections of an individual’s health information for these technology products which are not regulated by HIPAA;
  • To identify gaps which exist between HIPAA regulated entities and those that are not regulated;
  • To recommend ways of addressing those gaps that will protect consumers while remaining fair to emerging companies, both inside and outside of HIPAA.

In response to the report, Jodi Daniel, a partner at Crowell & Moring LLP who previously worked in the Office of the National Coordinator (ONC) within HHS, says: “The report thoroughly catalogs gaps in privacy and security protections; it identifies the resulting confusion, lack of consumer protection and delayed progress in the use of innovative tools in healthcare. However, it does stop short of recommending solutions for a comprehensive health information privacy policy that addresses contexts not covered by HIPAA. As such, healthcare stakeholders should take the lead in collaboration with patients, to advise on how to close those gaps so consumers can securely access their health data and be assured that it is protected wherever it resides.”

While the report does not outline a plan for mitigating health data privacy concerns that fall outside HIPAA, it does provide a starting point for developing one by laying out the precise boundaries of the problem.