Agencies Encourage New Privacy Regulations to Close the mHealth Black Hole and Keep Pace with Evolving Technologies
Friday, August 26, 2016

On July 19, 2016, the ONC[1] submitted a report to Congress which suggests that health privacy regulations soon may be revised to catch up with the universe of mHealth technologies that now use and share personal health data[2]. The report, titled Examining Oversight of the Privacy and Security of Health Data Collected by Entities (the "Report"), was drafted by the ONC in collaboration with the Office for Civil Rights ("OCR") and US Federal Trade Commission ("FTC"). The Report summarizes the regulatory construct currently protecting the privacy of personal health information held by covered entities (and their business associates)[3] and outlines the agencies' concerns regarding the lack of similar regulatory oversight over health data usage by mHealth technology developers and other businesses falling outside the scope of HIPAA[4] (each, referred to as a "Non-Covered Entity" or "NCE").

Since HIPAA's passage in 1996, health data usage has evolved beyond the simple chart review in the doctor's office or processing of an insurance claim. Scores of new businesses and technologies have emerged that utilize health data in increasingly innovative ways. Now, health data is collected by data aggregators and mined by data analysts for scores of new, innovative purposes, such as market forecasting and development, advertising, clinical research, predictive analytics for the development of new treatment protocols or clinical decision support algorithms, and structuring patient populations for accountable care organizations. Yet federal privacy regulations have not evolved to keep pace. The Report correctly notes that federal privacy regulations have yet to contemplate the existence of "mHealth technologies" (entities that collect personal health records ("PHRs"), and cloud-based or mobile software tools that collect health information directly from individuals and enable health data sharing outside of the traditional healthcare provider context (e.g. wearable fitness trackers)) or "health social media" (websites that encourage health data sharing directly by users). Most actions by these entities, as Non-Covered Entities, are not regulated by HIPAA. While a patchwork of federal and state laws does govern some NCE data practices, rather than enhance privacy protections, the inconsistencies between laws mostly generate confusion among mHealth technology developers and consumers, thereby encouraging risky data management practices by both (e.g. businesses fail to develop security protocols believing they are exempt from HIPAA; consumers input health data into wearable trackers believing HIPAA protects it from further disclosure when it does not).

As a first step to a solution, the Report seeks to detail the current gaps in policies governing access, security, and privacy of personal health data. Specifically, the ONC identifies five (5) major areas in which an individual's right to control his or her health data differs markedly based on whether the health data is held by a covered entity (governed by HIPAA) versus an NCE. The five 'gaps in oversight' identified are as follows:

  • Differences in Individual's Right of Access

  • Differences in Individual's Right to Control Third Party Use of Data

  • Differences in Security Standards

  • Differences in Understanding of Privacy and Security Protections Terminology

  • Inadequate Data Collection, Usage, and Disclosure Limitations


[1] Office of the National Coordinator for Health Information Technology ("ONC") of the U.S. Department of Health and Human Services.

[2] The term 'health data' is used throughout this Article as a proxy for the following legal terms: "health information", "individually identifiable health information", "protected health information", and "personally identifiable information". Since NCEs deal with health information that is not necessarily restricted to the protected health information governed by HIPAA, this broader term is used to reference the health-related information individuals share with mHealth technologies, social media, personal health records, and other NCEs.

[3] See 42 C.F.R. §160.103 (HIPAA only applies to organizations known as "covered entities", defined as health plans, health care clearinghouses, and health care providers conducting certain electronic transactions, and their "business associates", defined as persons or entities that perform certain functions or activities involving the use or disclosure of individually identifiable health information on behalf of or in providing services to covered entities).

[4] Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 1936 (1996), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act") and implementing regulations (collectively, "HIPAA").
