
ONC Issues Report to Congress on Policy Gaps for Security, Privacy of mHealth Data

July 19, 2016
by Heather Landi

The federal government needs to address large gaps in policies around health data access, security and privacy with regard to mobile health apps and health social media, according to a new report to Congress issued from the Office of the National Coordinator for Health IT (ONC).

ONC developed the report in coordination with the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In the report, “Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA,” ONC discusses the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared, and used by entities that are not currently covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In a blog post about the report, Karen DeSalvo, M.D., National Coordinator for Health Information Technology and Acting Assistant Secretary for Health, and Jocelyn Samuels, J.D., OCR Director, note that mHealth technologies, such as wearable fitness trackers, and the related social media sites where individuals share health information did not exist when Congress enacted HIPAA in 1996.

As the report notes, HIPAA serves traditional health care and its scope is limited. “It applies only to organizations known as ‘covered entities,’ health plans, health care clearinghouses and health care providers conducting certain electronic transactions and their ‘business associates,’ persons or entities that perform certain functions or activities involving the use or disclosure of individually identifiable health information on behalf of or in providing services to covered entities,” the report authors stated.

“Today, in addition to these traditional health care organizations, scores of new businesses that collect, handle, analyze and disclose health information about individuals have emerged,” the ONC report states.

Essentially, according to the ONC report, the gaps that exist between HIPAA regulated entities and those not regulated by HIPAA need to be addressed in a way that protects consumers while leveling the playing field for innovators inside and outside of HIPAA.

“To ensure privacy, security, and access by consumers to health data, and to create a predictable business environment for health data collectors, developers, and entrepreneurs to foster innovation, the gaps in oversight identified in this report should be filled,” the ONC report states, although it does not recommend any specific legislation to fill the gaps.

The ONC report specifically focuses on mHealth technologies and health social media. The former includes entities that collect or deal in personal health records (PHRs) and cloud-based or mobile software tools that intend to collect health information directly from individuals and enable sharing of such information, such as wearable fitness trackers, the report states. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences.

The ONC lays out three ways an individual’s health information is protected. “First, HIPAA, a federal law that establishes a nationwide floor of privacy and security standards, imposes protections through its implementing Privacy, Security, and Breach Notification Rules. Those rules are enforced by OCR, while criminal penalties for certain disclosures are enforced by the Department of Justice,” the report states.

“Second, the FTC enforces the FTC Act’s consumer protection prohibition against acts or practices that are unfair or deceptive. These could include, for example, failing to comply with an entity’s own privacy policy, deceptively failing to disclose material information about the use of personally identifiable information, or failing to reasonably secure this information,” the ONC states in the report. “Third, approximately half the states have enacted health privacy rules that apply in addition to, and are more protective of patient privacy than, HIPAA but which concern specific clinical conditions or circumstances (HIV/AIDS status, mental or reproductive health conditions, or the health information of teenagers, for example).”

However, ONC notes that as the electronic sharing and storage of health information increases, and as individuals become more engaged in sharing personal health data online, “organizations that are not regulated by HIPAA, the FTC, or state law may collect, share, or use health information about individuals in ways that may put such data at risk of being shared improperly,” the report authors state.

One of the challenges of safeguarding electronic health information is that while technological innovation has advanced at a rapid pace, privacy and security protections for health information have not kept up. Among the many challenges that need to be addressed, the ONC report states, new types of entities that collect, share, and use health information are not regulated by HIPAA, and individuals have a limited or incorrect understanding of when data about their health is protected by law and when it is not.

In addition, health information collected in more places without consistent security standards may pose a cybersecurity threat of which individuals are unaware, and, ONC notes, individuals generally have greater rights of access to data held by HIPAA covered entities than to data held by non-covered entities. The ONC report also raises the concern that a lack of understanding of which rules apply may hinder economic growth and the development of beneficial products that could help generate better health, smarter spending, and healthier people.

The ONC report also identifies policymakers who have worked in collaboration with the industry to address some of these gaps and identify best practices while keeping pace with the rapid development of technology. The FTC’s efforts to date include enforcement against entities engaging in privacy- and security-related violations under the FTC Act, as well as policy and informational initiatives, such as the FTC’s IoT (Internet of Things) report, its report on Mobile Privacy Disclosures, and consumer education and business outreach, the ONC report states.

In addition, HHS has worked to improve patient access to protected health information (PHI), to educate users on risks to the confidentiality, integrity and availability of ePHI and to develop educational materials and provide technical assistance to help entities covered by HIPAA comply with the rules.

“HHS has also committed to providing more guidance for developers of technologies offered by NCEs, as well as for entities that are unsure whether they are covered by HIPAA. These efforts are consistent with overall efforts of the Obama Administration to improve data security, privacy, and consumer protection through legislative proposals, regulations, executive orders, and the Precision Medicine Initiative,” the ONC report states.

The report also highlights private sector initiatives to address these gaps, such as published codes of conduct that private sector organizations can adopt if they choose. For example, the Consumer Electronics Association (CEA) issued Guiding Principles on the Privacy and Security of Personal Wellness Data in October 2015. While companies can adopt these guidelines, the ONC report notes that CEA does not require its members to do so, and ONC has not identified any companies that had actually adopted the guidelines as of July 2016.

“In short, despite the best efforts of the Obama Administration, the FTC and industry, no widely adopted, comprehensive voluntary code of conduct has emerged,” the ONC report states.

The ONC report concludes that this is evidence that large gaps in policies around access, security, and privacy continue, and that confusion persists among both consumers and innovators. “Wearable fitness trackers, health social media, and mobile health apps are premised on the idea of consumer engagement. However, our laws and regulations have not kept pace with these new technologies,” the report authors write.

In the blog post, DeSalvo and Samuels note that the report is just the first step in a conversation about these issues. “In the coming weeks, we look forward to engaging with stakeholders—from consumers to technologists to clinicians to our partners in Congress—on the report’s findings and their ideas for how the gaps identified in the report should be addressed. As individuals become more and more involved in managing their own health through new technologies, we must work together to ensure they know what happens to their information and that it remains safe and secure,” DeSalvo and Samuels state.
