A new report from the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) highlights data protection gaps in the U.S. for health data from wearable devices, social media, and emerging technologies. The report, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” identifies several areas in which privacy and security protections for health data have lagged behind technological developments that are expanding the collection of health data outside the traditional venues for health care.

The report notes that HIPAA’s rules for protecting the privacy and security of health information were designed to protect data held by health care providers and health plans. They do not extend to many mHealth technologies sold directly to consumers (e.g., wearable health sensors and apps on smartphones and tablets) or to social media, which includes websites and apps on which individuals are encouraged to voluntarily share information about their health. Both categories fall outside of what the report refers to as “traditional health care organizations” regulated by HIPAA.
HHS acknowledges that health data not covered by HIPAA is not entirely without protection. The agency highlights protections offered by the Federal Trade Commission (FTC) and state data protection laws. The FTC protects health data by prohibiting “unfair or deceptive acts or practices” in violation of section 5 of the FTC Act and enforcing the FTC Health Breach Notification Rule, which covers consumer health data contained in online tools that help consumers manage their own health information, known as personal health records (PHRs).
The report maintains that the differences between HIPAA and non-HIPAA protections translate into significant gaps in protections for health data held in non-HIPAA contexts. In particular, the report highlights five areas in which health data outside of HIPAA may not receive the same level of protection as is required by HIPAA privacy and security regulations:
- Individual Access Rights. Outside of HIPAA and some state laws, individuals do not have the right to obtain a copy of their own data, nor to request an accounting of disclosures of their data.
- Re-Use of Data by Third Parties. If a company makes promises about data protection or use and then fails to follow through, it could be subject to FTC Section 5 enforcement based on deceptive or unfair practices. But a company not subject to HIPAA’s constraints on data disclosure and use generally can allow data to be used for marketing or third-party uses so long as notice is provided and there is no deception or unfairness.
- Security Protections. ONC found that entities not subject to HIPAA often lacked encryption and other security safeguards, as well as established procedures for security risk assessments and audits (the HIPAA Security Rule requires covered entities to conduct a risk analysis), even though inadequate security protections could lead to FTC enforcement for failure to reasonably protect consumer health data.
- Understanding of Privacy and Security Terms. The report notes that both consumers and businesses may not have an accurate and shared understanding of the meaning of important terminology. Privacy policies may be difficult to find, contain confusing content, or change without notice, potentially causing conflicts between consumer and company expectations.
- Inadequate Collection, Use, and Disclosure Limitations. ONC found that many entities not covered by HIPAA were using collected information more broadly than consumers likely expected, raising concerns about consumers’ loss of control over their data and misplaced confidence that data is protected by HIPAA when it is not.
The ONC report, required by Congress as part of the 2009 HITECH Act and based on information obtained through a multi-year process that included public comments and roundtables, consultation with the HHS Office for Civil Rights, and consultation with the FTC Division of Privacy and Identity Protection, concludes that “the gaps in oversight identified in this Report should be filled.” The report, however, stops short of calling for specific action. The agency acknowledges industry efforts to establish voluntary codes of conduct, but points out that no such code has achieved widespread adoption. For now, federal agency action in this space appears focused on HHS guidance for entities that are not covered by HIPAA (or that are unsure whether they are covered) and on FTC guidance and enforcement actions.
The protection of health, wellness, and fitness data by entities not covered by HIPAA will continue to be a focus for regulators, policymakers, and consumers. As the market for consumer health technologies such as wearable health devices, mobile apps, and health and wellness-related social media continues to grow, businesses should carefully consider the potential impact of their data protection practices on consumer trust. Given confusion surrounding the application of HIPAA and other legal frameworks to different types of health information, and the increasing importance of consumer-generated health information, consumers may expect more of companies than regulators currently require. Those expectations are likely to drive future regulation.
Katherine Kwong, a summer associate in our Washington, D.C. office also contributed to this post.