Earlier this month the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC), released a report to Congress highlighting “large gaps” in policies and oversight surrounding access to and security and privacy of health information held by certain “mHealth technologies” and “health social media.”

mHealth technologies may include wearables, such as fitness trackers, as well as personal health records and other cloud- or mobile-based tools that collect health information from consumers. The report defines health social media to include websites providing consumers with “specific opportunities” to share their health information and experiences, such as patient support portals or sites allowing patients to share their experiences with a particular health condition. The report notes that 27 percent of internet users have tracked their personal health indicators online (such as weight, diet, exercise, or symptoms).

The ONC report highlights a number of concerns with mHealth technologies and health social media, primarily centered around the fact that many entities offering these technologies are not subject to the Health Insurance Portability and Accountability Act (HIPAA). These “non-covered entities” (NCEs) therefore need not comply with HIPAA privacy and security requirements and need not provide individuals with the same level of access to and control over their health information as that guaranteed by HIPAA. The report also notes that non-covered entities are not subject to HIPAA limitations on the re-use and further disclosure of health information, such as HIPAA limitations on the use of such information for marketing.

With respect to data security, the report notes that many non-covered entities do not appropriately secure their users’ information. Specific concerns include lack of encryption, lack of methods to verify users’ identities, and inconsistent or inappropriate risk assessment and audit capabilities. Although not a central focus, the report also notes that the expanded collection of health information by numerous entities without consistent security protections increases the risk of cybersecurity attacks targeting health information.

Finally, the report highlights gaps in information and understanding. For example, consumers using technologies offered by non-covered entities may not realize that the health information they provide is not protected by HIPAA. The report also expresses concern that many NCEs lack “appropriate and understandable” privacy policies and notices, citing a study suggesting that only 30% of the most common mHealth apps have a privacy policy. When non-covered entities do have privacy policies, the report states that the policies may be difficult to understand, may use undefined or imprecise terminology, or may change without notice.

The report does not recommend specific actions, but urges that gaps identified by the report “should be filled.” In a blog post announcing the report’s publication, the National Coordinator for Health Information Technology, Karen DeSalvo, described the report as “the first step in a conversation about these important issues.” She noted that ONC looks forward to engaging with stakeholders in the coming weeks about how to address the gaps the report identifies.