Conduro Ventures
Healthcare Information Security Consultants

Can HIPAA Keep Up With Rapidly Evolving Consumer Technologies?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), legislation that exists to safeguard private medical information, could be creating more problems than it is preventing. The rapid growth of mainstream consumer technologies such as fitness trackers and the increasingly widespread adoption of social networks and messaging applications are creating a void in HIPAA that is growing bigger by the day.

But don’t take our word for it. The issue was recently brought to light in a 32-page report issued to Congress by HHS’ Office for Civil Rights — the agency responsible for enforcing the HIPAA Privacy and Security Rules — which explained, “The wearable fitness trackers and social media sites where individuals share health information through specific social networks and other technologies that are common today did not exist when Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA).”

This is because HIPAA only covers patient information kept by health providers, insurers, data clearinghouses, and their business associates (BAs) — categories which modern consumer technologies do not slot into. The companies behind these consumer technologies are therefore considered non-covered entities under HIPAA and, when these companies collect health data from consumers, they are doing so with very little restriction on what they can or cannot do with that collected data.

This is problematic for consumers, who may not be aware of the protections they are entitled to under HIPAA, or that those protections do not apply when they inadvertently share their information through wearables or social media applications. What’s more, consumers may not be able to access details about what information has been collected or whether it has been disclosed or reused for marketing or other purposes.

Unpicking the ambiguities that exist under HIPAA, the paper notes, “Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not.” It goes on to suggest, “Even entrepreneurs, particularly those outside the healthcare industry may not have a clear understanding of where HIPAA oversight begins and ends.”

The paper highlights the cybersecurity risks that exist when health information is collected by non-covered entities, citing lack of security standards and lack of encryption as the main causes of concern. With 2015 already hailed as the year of the healthcare breach due to more than 100 million healthcare records being compromised and the industry as a whole being targeted at a much higher rate than any other, the news could not come at a worse time.

The report, which was actually due for completion way back in 2010, has been at the center of controversy since its belated release last month because, while it clearly outlines gaps in the scope of HIPAA privacy and security protections for the modern consumer, it stops short of offering any recommendations for mitigating these concerns. On being asked why the report did not offer any advice, an official said readers could draw their own conclusions from the findings.

While it perhaps raises more questions than it answers, the report can serve healthcare providers as a starting point for developing such solutions, since it seeks to outline the exact boundaries of the problems that have come to exist as more and more consumer technologies come onto the market.

Responding to the report, Jodi Daniel, a partner at Crowell & Moring LLP who previously worked in the Office of the National Coordinator within HHS, has suggested, “Healthcare stakeholders should take the lead in collaboration with patients, to advise on how to close those gaps so consumers can securely access their health data and be assured that it is protected wherever it resides.”

By Gene Fry

Originally Published September 8, 2016
Health IT Outcomes
Can HIPAA Keep Up With Rapidly Evolving Consumer Technologies?