A recent U.S. Department of Health and Human Services report to Congress regarding privacy and security as it relates to mHealth and healthcare technology sends one clear signal: more must be done, especially regarding companies collecting health data that do not fall under HIPAA regulations.
Jodi Daniel, a partner at law firm Crowell & Moring, believes that everyone has a role to play in shoring up security and privacy. From entities regulated by HIPAA to proactive consumers, security cannot be a singular effort, says Daniel, who previously served as director of the Office of Policy for the Office of the National Coordinator for Health Information Technology.
FierceMobileHealthcare recently spoke with Daniel to gain a better understanding of her perspective on the report.
FierceMobileHealthcare: How would you describe the privacy/security environment for healthcare data today?
Jodi Daniel: The same information that is protected when held by a doctor or health system is not protected when captured and stored directly by the individual, or when the patient obtains a copy of her health record and stores it in a PHR. Information held by other entities such as websites, personal health records, mHealth tools and remote monitoring devices often falls outside HIPAA protection. This leaves a gap and may cause much confusion.
FMH: You've said that the recent HHS report on oversight of mHealth tools and HIPAA stops short of recommending solutions and that stakeholders should take the lead in determining how to close the gaps. Which specific stakeholders should be involved and how?
Daniel: You have to involve everyone that has a role to play with health information. This includes those covered by HIPAA rules, including doctors, hospitals and health plans; those providing innovative tools to consumers, including social networking sites for patients, companies providing wearable devices, and mHealth companies; retail clinics that are providing direct healthcare, as well as providing tools for people to manage their own health; health technology companies, including EHR companies; researchers and pharmaceutical companies; and, of course, patients.
Those who understand the regulations and areas where government can and can't intervene must also be involved to help develop sound approaches to addressing these uneven protections.
FMH: Should HIPAA be revised to include more non-traditional health entities?
Daniel: Revising HIPAA is not the right answer. The HIPAA rules were designed for the healthcare system. These new tools and uses of health information may not need to follow the same rules and the HIPAA rules may stifle innovation. It will also be politically difficult for Congress to change HIPAA to extend its scope. Therefore, the best approach is to develop a baseline of protection for all health information that is compatible with business models and innovation, but that also increases protection for consumers.
FMH: How vital are proactive consumers in the effort to protect healthcare data?
Daniel: The consumer role is critical. One of the primary problems with the current privacy and security landscape is the confusion for individuals who don't understand that the same information is protected in some places and not at all in others. It is important that any effort to extend privacy and security protections involves discussions about consumer expectations and what type of notice and permissions would be most effective.
Daniel: I think the private sector needs to take the lead in developing solutions for a comprehensive privacy approach. It is very difficult for the government to address this topic effectively, as evidenced by the delay in releasing this report and the lack of recommendations. Stakeholders have strong views on privacy and the government process is slow and raises challenges in reconciling these differences.
There is an economic imperative for those covered by HIPAA to be able to share information outside the healthcare environment to support patient engagement and improved health outcomes. They will be more comfortable doing so when there are protections in place for this data. For those outside the HIPAA environment, they have an incentive to bring their innovations to healthcare and to have clear guidance on how privacy rules apply to them. This will expand opportunities for these companies.
The private sector can develop sound baseline protections that would improve the current status. In order for this to be effective, one of two things must happen: either they can develop an industry-led accountability mechanism, including some type of accreditation or seal of approval that could be enforceable by the Federal Trade Commission, or they can propose baseline protections that can be used as the basis for government action.
Editor's Note: This interview has been edited for clarity and length.