Fitness trackers and social media sites didn’t exist when Congress enacted HIPAA in 1996, and thus there are gaps in the privacy and security protections offered by such tools.
“These days, scores of new businesses use consumer-facing technology to collect, handle, analyze and share health information about individuals--sometimes without those individuals’ knowledge,” according to a blog post by Karen DeSalvo of the Office of the National Coordinator for Health IT (ONC) and Jocelyn Samuels, director of the HHS Office for Civil Rights.
And ONC, in a report to Congress, says the gaps for entities not currently covered by HIPAA must be addressed.
The report focuses on mHealth technologies and “health social media,” which either collect personal health information from consumers or where people share information about themselves. These are non-covered entities under HIPAA.
The report raises a number of issues in regard to digital health:
- Information is collected in myriad new ways, including peer health communities, online health management tools and websites used to generate information for research.
- People might not fully understand the protections that HIPAA offers and how they differ from entities that are not covered.
- Health information in more places without consistent security standards poses more cybersecurity risk. Lack of encryption has been a particular concern.
- People generally have more rights to access their own information from HIPAA-covered entities than from those not covered.
When people share PHI through mHealth technologies or health social media, they may not be able to learn what information was collected or where the data was re-disclosed, according to the report. In addition, HIPAA or Federal Trade Commission protections may not prevent re-use of their information for marketing or other purposes.
In response, the FTC has gone after companies for privacy and security-related violations under its purview and also has worked with ONC to educate consumers about their rights. ONC also has been providing more guidance to application developers about when HIPAA does and does not apply.