Americans Leaving Health Data Unprotected, Feds Say


By Alex Ruoff

July 19 — Federal regulators are worried that Americans are giving up ownership of their private health data by sharing it online and in ways not protected under federal privacy laws, according to an HHS report to Congress released July 19.

Americans regularly share information about their health on social media, on fitness and disease websites and with researchers online, often under the false assumption that their privacy is protected by federal law, the report said.

“HIPAA serves traditional health care well and supports national priorities for the safe and secure flow of health information, but its scope is limited,” Karen DeSalvo, national coordinator for health IT, and Jocelyn Samuels, director of the HHS Office for Civil Rights, said in a coauthored blog post.

The report sought to flag gaps in federal consumer protection and health privacy laws for lawmakers.

While the Health Insurance Portability and Accountability Act (HIPAA) governs how health-care organizations such as hospitals, doctors' offices and insurers must protect patient privacy, wellness companies such as Fitbit or online health communities such as PatientsLikeMe are free to set their own privacy rules.

The report contained no recommendations for lawmakers.

DeSalvo and Samuels said they'll meet with lawmakers and consumer advocates in the coming weeks to discuss the report and ways to close these gaps in federal privacy laws. An Office of the National Coordinator for Health IT spokesman told Bloomberg BNA July 19 that no meetings have been scheduled.

The report was required by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.

Lobbying Efforts

Health information technology companies and mobile health app developers have been lobbying Congress in recent years to update federal privacy and safety regulations. These companies have said they're often uncertain which federal laws apply to their products, making it difficult to bring them to market.

In response, House lawmakers have been debating ways to modernize HIPAA to ensure health-care organizations can make better use of innovative health technologies.

However, the effort has gained little traction.

Uneven Environment

A slew of agencies within the Department of Health and Human Services, along with the Federal Trade Commission, is charged with protecting Americans' health privacy, Michelle De Mooy, deputy director for the Privacy and Data Project at the Center for Democracy & Technology, told Bloomberg BNA July 19.

The ONC and the OCR offer guidance for technology companies on protecting consumer data, while the Food and Drug Administration oversees medical devices, she said.

The FTC can hold companies responsible for violating their own privacy terms, De Mooy said, but can't push them to adopt strict policies.

Companies that don't offer health-care services but collect health data aren't generally covered by HIPAA or other federal privacy-protection laws, De Mooy said.

These companies—some of which offer software that stores personal health records—have no responsibility to make this data available to the people it concerns, she said. They also have no requirements to install security measures to keep hackers from accessing the data.

The gaps in federal privacy laws have created an uneven policy environment that treats health data differently based on who is holding it, Nicolas Terry, a professor of law at Indiana University in Indianapolis and executive director of the Hall Center for Law and Health, told Bloomberg BNA. This can be confusing for most Americans, who generally don't understand that the rules for their doctor don't apply to their mobile apps.

“Every day doctors rightfully reassure their patients as to the legally-enforced confidentiality of the information they share while their offices distribute mandated privacy notices,” Terry told the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade July 13. “However, the same or similar data collected on mobile devices lack these protections.”

Need for Legislation

De Mooy said legislation is likely needed to fill the gaps in federal privacy laws. She said Congress is unlikely to act this year, but she has hopes lawmakers will begin seriously discussing the issue in the fall.

“Privacy legislation takes time,” she said. “But, it's seen as a bipartisan issue.”

Industry efforts, such as voluntary pledges to use strict privacy protections, have failed to address the holes in federal policy, the ONC report said. For example, the Consumer Technology Association in 2015 created a voluntary set of standards for the technology industry to follow, but the HHS wasn't able to identify any companies that adopted them.

De Mooy said the health IT and mobile health industries deserve more credit. Many companies, such as Apple, are considering adopting HIPAA-compliant privacy and security practices to ensure they can be used by patients and doctors, she said.

“There are market pressures pushing some toward protecting data,” De Mooy said. “They want to work in the HIPAA-covered space.”


Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
