Consumers’ health data is potentially being placed at risk by entities that are not covered by HIPAA Rules, according to a recent report issued by the ONC.
The report – Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA – was produced following a study of the application of privacy and security requirements to non-HIPAA covered entities and business associates. The report also draws on work conducted by the FTC, National Committee on Vital and Health Statistics (NCVHS), and OCR.
The ONC explains in the report that a large number of organizations are now collecting, storing, and transmitting health data, yet many of those organizations are not subject to the same rules concerning the protection of ePHI as traditional healthcare organizations. Data and privacy protections at non-HIPAA-covered entities are not always robust and numerous gaps exist that place the health data of individuals at risk.
The Scope of HIPAA is Limited
HIPAA covers traditional healthcare organizations that perform electronic transactions – healthcare providers, health plans, and healthcare clearinghouses – as well as business associates of those organizations. The ONC points out that HIPAA Rules serve the healthcare industry well and ensure that appropriate controls are put in place to protect ePHI, but the scope of the legislation is limited. Many organizations that collect personal health information fall outside the scope of HIPAA.
Organizations that collect or deal in personal health records (PHRs), manufacturers of fitness trackers, and companies that develop mobile software and cloud-based tools that collect, store, and share personal health data are not covered by HIPAA regulations. The report also explains that social media services that have been set up to allow individuals to share health information or healthcare experiences are similarly not covered.
The ONC is concerned that data security and privacy protections may not be sufficiently robust to prevent accidental disclosure or theft of data, yet many consumers may mistakenly believe that their data – and their privacy – is protected and covered by federal laws.
Health Information is Being Placed at Risk
Most individuals are aware that the Health Insurance Portability and Accountability Act exists and that one of the aims of the legislation is to ensure that health information is protected. However, the ONC explains that many individuals may lack an understanding of the organizations that are required to comply with HIPAA and those that are not.
HIPAA does not apply to fitness trackers, and HIPAA Rules may not necessarily apply to certain portable devices or apps that are used for medical purposes, such as regulating insulin levels or blood pressure. The ONC points out that individuals may have a limited or incorrect understanding of when their health data are protected by law and when they are not.
HIPAA requires security measures to be implemented to ensure that ePHI is appropriately protected, yet the same data may not necessarily be protected by adequate controls, depending on which organization records the information. There are also no consistent security standards for the protection of health information for non-covered entities, resulting in consumers facing a high risk of having their health data exposed or stolen.
The ONC explains that while individuals have a right to access their health information under HIPAA, the same rights may be harder to exercise if individuals want to obtain data from non-HIPAA-covered entities.
Differences in Privacy and Security Oversight and Protections
The ONC explains in its report that privacy and security oversight and protections differ between HIPAA-covered and non-HIPAA covered entities in five key areas:
- Individuals’ Access Rights
- Re-Use of Data by Third Parties
- Security Standards Applicable to Data Holders and Users
- Terminology About Privacy and Security Protections
- Collection, Use, and Disclosure Limitations
The ONC points out that the FTC has stepped in and is making efforts to protect consumers against misuse of data and is preventing consumers from being deceived by unfair or inaccurate descriptions of privacy practices. The private sector has also taken steps to protect individuals and their data from exposure or theft in some cases, although there are no clear standards that are followed by all organizations.
Tackling Access, Privacy, and Security Gaps at Non-HIPAA Covered Entities
The ONC explains that privacy and security protections for health information have not kept up with technology and that there is a “lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared, and used by non-covered entities”.
The ONC does not recommend broadening the definition of “covered entities,” but says there are serious security gaps at non-HIPAA covered entities and that those gaps must be addressed.
The ONC does not explain what must be done to address the issues raised. The report just explains the extent of the problem. The report therefore serves as a starting point for discussions on how the security gaps can be addressed to ensure that consumers’ health data are protected, regardless of who collects, stores, or shares that information.