The U.S. Department of Health and Human Services was tasked with reporting on privacy concerns tied to health care information handled by organizations and businesses not bound by HIPAA, but its report, delivered late, offers no guidance on how to protect people’s privacy.
Modern Healthcare reports that the HHS report was not only six years late — it was requested by Congress in 2009 — but it also failed to provide any specific suggestions on how personal health care data handled by mobile apps and companies not covered by the Health Insurance Portability and Accountability Act may be safeguarded.
People often have no idea whether their health care data is covered by privacy law, and technology has outpaced regulation: mobile apps and devices that collect and transmit health data are not bound by HIPAA unless they are operated by a covered entity or its business associate.
For instance, such apps and device makers are not required to give patients copies of their data, or to account for disclosures of that information to third parties. Nor do they have to perform and maintain a current health data security risk assessment, as HIPAA-bound entities must.
And because consumers generally do not know what HIPAA does and does not require, they are unlikely to know where its protections end.
The report cites the example of “the location of a mobile device [that] can be so precise … it can detect the coordinates of a psychiatric hospital or the offices of a heart specialist, inferring the health condition of its wearer.”
In addition, a person’s data may be collected and stored in multiple locations, which, the report notes, “make[s] the data increasingly vulnerable to cybersecurity attacks.”
The report, produced by HHS and the Federal Trade Commission, reviews current privacy laws and two kinds of technology: health data systems, such as personal health record systems and wearable fitness trackers, and the “health social media” on which patients share their own conditions and experiences.
HIPAA covers health care providers, health insurers and claims clearinghouses, along with their business associates. Companies that produce mobile apps and social media sites, by contrast, are what is known as non-covered entities, or NCEs. The FTC can pursue them (and HIPAA-covered entities) after a breach, but only if they engaged in unfair or deceptive business practices; from a strictly health care standpoint there is not much the agency can do. And NCEs, the report said, have “large gaps in policies around access, security, and privacy.”
So what did the report recommend? That Congress figure out how to close those gaps. Privacy advocate Dr. Deborah Peel was quoted in the article saying that “There was never any way that HIPAA could work, because patient information wasn't staying in the hands of HIPAA-covered entities.” Her suggestion is that protection should be bound to the data rather than to the entity handling it; that way, whatever kind of company handles the data, that company will be a “covered entity.”
© 2025 ALM Global, LLC, All Rights Reserved.