Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.
By Alex Ruoff
July 19 — Federal regulators are worried that Americans are giving up ownership of their private health data by sharing it online and in ways not protected under federal privacy laws, according to an HHS report to Congress released July 19.
Americans regularly share information about their health on social media, on fitness and diseases websites and with researchers online, often under the false assumption their privacy is protected by federal law, the report said.
“HIPAA serves traditional health care well and supports national priorities for the safe and secure flow of health information, but its scope is limited,” Karen DeSalvo, national coordinator for health IT, and Jocelyn Samuels,cq director of the HHS Office for Civil Rights, said in a coauthored blog post.
The report sought to flag gaps in federal consumer protection and health privacy laws for lawmakers.
While the Health Insurance Portability and Accountability Act (HIPAA) governs how health-care organizations such as hospitals, doctors' offices and insurers must protect patient privacy, wellness companies such as Fitbit or online health communities such as PatientsLikeMe are free to set their own privacy rules.
The report contained no recommendations for lawmakers.
DeSalvo and Samuels said they'll meet with lawmakers and consumer advocates in the coming weeks to discuss the report and ways to close these gaps in federal privacy laws. An Office of the National Coordinator for Health IT spokesman told Bloomberg BNA July 19 that no meetings have been scheduled.
The report was required by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.
Health information technology companies and mobile health app developers have been lobbying Congress in recent years to update federal privacy and safety regulations. These companies have said they're often uncertain which federal laws apply to their products, making it difficult to bring them to market ( see previous article ).
In response, House lawmakers have been debating ways to modernize HIPAA to ensure health-care organizations can make better use of innovative health technologies ( see previous article ).
However, the effort has gained little traction.
A slew of agencies within the Department of Health and Human Services, along with the Federal Trade Commission, is charged with protecting Americans' health privacy, Michelle De Mooy, deputy director for the Privacy and Data Project at the Center for Democracy & Technology, told Bloomberg BNA July 19.
The ONC and the OCR offer guidance for technology companies on protecting consumer data, while the Food and Drug Administration oversees medical devices, she said.
The FTC can hold companies responsible for violating their own privacy terms, De Mooy said, but can't push them to adopt strict policies.
Companies that don't offer health-care services but collect health data aren't generally covered by HIPAA or other federal privacy-protection laws, De Mooy said.
These companies—some of which offer software that stores personal health records—have no responsibility to make this data available to the people it concerns, she said. They also have no requirements to install security measures to keep hackers from accessing the data.
The gaps in federal privacy laws have created an uneven policy environment that treats health data differently based on who is holding it, Nicolas Terry, a professor of law at Indiana University in Indianapolis and executive director of the Hall Center for Law and Health, told Bloomberg BNA. This can be confusing for most Americans, who generally don't understand that the rules for their doctor don't apply to their mobile apps.
“Every day doctors rightfully reassure their patients as to the legally-enforced confidentiality of the information they share while their offices distribute mandated privacy notices,” Terry told the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade July 13. “However, the same or similar data collected on mobile devices lack these protections.”
De Mooy said legislation is likely needed to fill the gaps in federal privacy laws. She said Congress is unlikely to act this year, but she has hopes lawmakers will begin seriously discussing the issue in the fall.
“Privacy legislation takes time,” she said. “But, it's seen as a bipartisan issue.”
Industry efforts, such as voluntary pledges to use strict privacy protections, have failed to address the holes in federal policy, the ONC report said. For example, the Consumer Technology Association in 2015 created a voluntary set of standards for the technology industry to follow, but the HHS wasn't able to identify any companies that adopted them.
De Mooy said the health IT and mobile health industries deserve more credit. Many companies, such as Apple, are considering adopting HIPAA-compliant privacy and security practices to ensure they can be used by patients and doctors, she said.
“There are market pressures pushing some toward protecting data,” De Mooy said. “They want to work in the HIPAA-covered space.”
To contact the reporter on this story: Alex Ruoff in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)