HHS report leaves it to Congress to fill privacy gaps on health data

A federal report on the privacy and security concerns raised by new technology that collects health data, such as wearable fitness trackers, concludes that regulations like HIPAA have not kept pace with those developments.

The 32-page study, entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” was jointly produced by the Office of the National Coordinator for Health IT (ONC), HHS’s Office for Civil Rights (OCR) and the Federal Trade Commission (FTC).

In examining how existing privacy and security laws apply to “mHealth (mobile health) technologies” and “health social media,” the agencies determined that because most of the companies offering them are not covered entities under HIPAA (the report calls them non-covered entities, or NCEs), regulators have little authority to act on potential breaches of the health data they hold.

“The rapidly increasing mobile technology environment enables the sharing of information with many different parties in a variety of ways,” the report said. “However, for NCEs, there are no federal requirements for policies, or related notices, to inform individuals about practices that may impact the privacy and security of their health information.”

The exception is when an NCE can be shown to be engaging in unfair or deceptive business practices, for instance by failing to reasonably protect consumers’ health information; that gives the FTC grounds to get involved. The study identified several areas where these new technologies offer security well below what HIPAA would require of a covered healthcare provider, such as storing or transmitting health data without encryption.

In the absence of enforceable federal standards, industry groups have stepped in with voluntary guidelines, but the report found no evidence that companies are adopting them.

“For example, in October 2015, the Consumer Electronics Association (CEA) issued ‘Guiding Principles on the Privacy and Security of Personal Wellness Data.’ These guidelines can be adopted by companies, but are not required of CEA members,” the report said. “As of July 2016, we have been unable to identify any companies that have adopted the guidelines. In short, despite the best efforts of the administration, the FTC and industry, no widely adopted, comprehensive voluntary code of conduct has emerged.”

In its conclusion, the report said the confusing gaps in government oversight of these new technologies should be closed by updating laws and regulations, both to ensure data security for users and “to create a predictable business environment for health data collectors, developers and entrepreneurs.”