The U.S. Department of Health and Human Services was tasked with reporting on privacy concerns tied to health care information handled by organizations and businesses not bound by HIPAA, but its report, delivered late, offers no guidance on how to protect people’s privacy.

Modern Healthcare reports that the HHS report was not only six years late — it was requested by Congress in 2009 — but it also failed to provide any specific suggestions on how personal health care data handled by mobile apps and companies not covered by the Health Insurance Portability and Accountability Act may be safeguarded.

People often have no idea whether their health care data is protected by privacy laws, and technology has outpaced regulation: mobile apps and devices that collect and transmit health data are not bound by HIPAA.

For instance, they are not required to provide copies of client data to patients, or to account for disclosures of that information to third parties. They also do not have to perform and keep a current health data security risk assessment, which HIPAA-bound entities must do.

And because consumers generally do not know what HIPAA does and does not require, they are likely unaware of where its protections end.

The report cites the example of “the location of a mobile device [that] can be so precise … it can detect the coordinates of a psychiatric hospital or the offices of a heart specialist, inferring the health condition of its wearer.”

In addition, with a person’s data collected and stored in multiple locations, that “make[s] the data increasingly vulnerable to cybersecurity attacks.”

The report, produced by HHS and the Federal Trade Commission, reviews current privacy laws and two kinds of technology: health systems, such as personal health record systems and wearable fitness trackers, and “health social media,” where patients share their conditions and experiences.

HIPAA-covered entities include health care providers, insurers, claims clearinghouses and their business associates. Companies that produce mobile apps and social media sites, by contrast, are what’s known as non-covered entities, or NCEs. The FTC can go after them — as well as HIPAA-covered entities — in the event of a breach only if they are engaging in unfair or deceptive business practices, so from a strictly health care standpoint there is not much the agency can do. And NCEs, the report said, have “large gaps in policies around access, security, and privacy.”

So what did the report recommend? That Congress figure out how to close those gaps. Privacy advocate Dr. Deborah Peel was quoted in the article saying that “There was never any way that HIPAA could work, because patient information wasn't staying in the hands of HIPAA-covered entities.” Her suggestion is that protection should be bound to the data rather than the entity handling it; that way, no matter what kind of company handles it, it will be a “covered entity.”
