- A new government report finds “key gaps” in HIPAA's ability to protect personal information generated by wearable fitness trackers and other mobile apps.
- The report, developed in conjunction with HHS Office for Civil Rights and the U.S. Federal Trade Commission, examines the lack of guidance around access to and protection of consumer health information used by entities that are not covered under current HIPAA regulations.
- HHS’s Office of the National Coordinator for Health Information Technology will seek stakeholder input on ways to address the privacy gap in the coming weeks.
Enacted in 1996, HIPAA applies to “covered entities,” such as health plans, healthcare clearinghouses and providers, as well as their business associates. Mobile health technologies and health-related social media sites, on the other hand, fall under the category of “non-covered entities” (NCEs). But that’s where increasing numbers of people share personal health information.
Many people are confused or have a limited understanding of when their health data is protected by HIPAA and when it is not, according to the report. Data held by NCEs is also more vulnerable to cyberattacks, since the FTC's consumer protection oversight doesn't provide the level of protection that HIPAA would.
“Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” the report says. “Moreover, even entrepreneurs, particularly those outside the health care industry … may not have a clear understanding of where HIPAA oversight begins and ends.”
Finally, the lack of a clear understanding of what is and isn't protected information could hamper the development of new mobile health technologies.
Concerns about privacy have grown in recent years as workplace wellness programs encourage employees to log activities on mobile apps, Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, told ProPublica.