ONC Issues Report to Congress on Policy Gaps for Security, Privacy of mHealth Data | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

ONC Issues Report to Congress on Policy Gaps for Security, Privacy of mHealth Data

July 19, 2016
by Heather Landi
| Reprints
Click To View Gallery

The federal government needs to address large gaps in policies around health data access, security and privacy with regard to mobile health apps and health social media, according to a new report to Congress issued from the Office of the National Coordinator for Health IT (ONC).

ONC developed the report in coordination with the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR). In the report, “Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA,” ONC discusses the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared, and used by entities that are not currently covered by the Health Insurance and Portability and Accountability Act of 1996 (HIPAA).

In a blog post about the report, Karen DeSalvo, M.D., National Coordinator for Health Information Technology and Acting Assistant Secretary for Health, and Jocelyn Samuels, J.D., OCR Director, notes that mHealth technologies, such as wearable fitness trackers, and their related social media sites where individuals share health information did not exist when Congress enacted HIPAA in 1996.

As the report notes, HIPAA serves traditional health care and its scope is limited. “It applies only to organizations known as ‘covered entities,’ health plans, health care clearinghouses and health care providers conducting certain electronic transactions and their ‘business associates,’ persons or entities that perform certain functions or activities involving the use or disclosure of individually identifiable health information on behalf of or in providing services to covered entities,” the report authors stated.

“Today, in addition these traditional health care organizations, scores of new businesses that collect, handle, analyze and disclose health information about individuals have emerged,” the ONC report states.

Essentially, according to the ONC report, the gaps that exist between HIPAA regulated entities and those not regulated by HIPAA need to be addressed in a way that protects consumers while leveling the playing field for innovators inside and outside of HIPAA.

“To ensure privacy, security, and access by consumers to health data, and to create a predictable business environment for health data collectors, developers, and entrepreneurs to foster innovation, the gaps in oversight identified in this report should be filled,” the ONC report states, although it does not recommend any specific legislation to fill the gaps.

The ONC report specifically focuses on mHealth technologies and health social media. The former includes entities that collect or deal in personal health records (PHRs) and cloud-based or mobile software tools that intend to collect health information directly from individuals and enable sharing of such information, such as wearable fitness trackers, the report states. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences.

The ONC lays out three ways an individual’s health information is protected. “First, HIPAA, a federal law that establishes a nationwide floor of privacy and security standards, imposes protections through its implementing Privacy, Security, and Breach Notification Rules. Those rules are enforced by OCR, while criminal penalties for certain disclosures are enforced by the Department of Justice,” the report states.

“Second, the FTC enforces the FTC Act’s consumer protection prohibition against acts or practices that are unfair or deceptive. These could include, for example, failing to comply with an entity’s own privacy policy, deceptively failing to disclose material information about the use of personally identifiable information, or failing to reasonably secure this information,” the ONC states in the report. “Third, approximately half the states have enacted health privacy rules that apply in addition to, and are more protective of patient privacy than, HIPAA but which concern specific clinical conditions or circumstances (HIV/AIDS status, mental or reproductive health conditions, or the health information of teenagers, for example).”

However, ONC notes that as the electronic sharing and storage of health information increases, and as individuals become more engaged in sharing personal health data online, “organizations that are not regulated by HIPAA, the FTC, or state law may collect, share, or use health information about individuals in ways that may put such data at risk of being shared improperly,” the report authors state.

One of the challenges of safeguarding electronic health information is that while technological innovation has advanced at a rapid pace, privacy and security protections of health information have not kept up. Among the many challenges that need to be addressed, new types of entities that collect, share, and use health information are not regulated by HIPAA, and individuals also have a limited or incorrect understanding of when data about their health is protected by law, and when it is not, the ONC report states.

In addition, health information collected in more places without consistent security standards may pose a cybersecurity threat, of which individuals may be unaware, and ONC notes, individuals generally have greater rights regarding access to data held by HIPAA covered entities than data held by non-covered entities. The ONC report also raises the concern that a lack of understanding of what rules apply may hinder economic growth and development of beneficial products that could help generate better health, smarter spending, and healthier people.

The ONC report also identifies policymakers who have worked in collaboration with the industry to address some of these gaps and identify best practices while keeping pace with the rapid development of technology. The FTC’s efforts to-date include enforcement against entities engaging in privacy and security-related violations under the FTC Act and policy and informational initiatives, such as the FTC’s IoT (Internet of Things) report on Mobile Privacy Disclosures and consumer education and business outreach, the ONC report states.

In addition, HHS has worked to improve patient access to protected health information (PHI), to educate users on risks to the confidentiality, integrity and availability of ePHI and to develop educational materials and provide technical assistance to help entities covered by HIPAA comply with the rules.

“HHS has also committed to providing more guidance for developers of technologies offered by NCEs, as well as for entities that are unsure whether they are covered by HIPAA. These efforts are consistent with overall efforts of the Obama Administration to improve data security, privacy, and consumer protection through legislative proposals, regulations, executive orders, and the Precision Medicine Initiative,” the ONC report states.

And, the report highlights private sector initiatives to address these gaps, such as published codes of contact that private sector organizations can adopt if they choose. For example, the Consumer Electronics Association (CEA) issued Guiding Principles on the Privacy and Security of Personal Wellness Data in October 2015, and while these guidelines can be adopted by companies, the ONC report notes that that the guidelines are not required by CEA members and the ONC also as not identified any companies that have actually adopted the guidelines, as of July 2016.

“In short, despite the best efforts of the Obama Administration, the FTC and industry, no widely adopted, comprehensive voluntary code of conduct has emerged,” the ONC report states.

The ONC report concludes that’s evidence that large gaps in policies around access, security, and privacy continue, and confusion persists among both consumers and innovators. “Wearable fitness trackers, health social media, and mobile health apps are premised on the idea of consumer engagement. However, our laws and regulations have not kept pace with these new technologies,” the report authors write.

In the blog post, DeSalvo and Samuels note that the report is just the first step in a conversation about these issues. “In the coming weeks, we look forward to engaging with stakeholders—from consumers to technologists to clinicians to our partners in Congress—on the report’s findings and their ideas for how the gaps identified in the report should be addressed. As individuals become more and more involved in managing their own health through new technologies, we must work together to ensure they know what happens to their information and that it remains safe and secure,” DeSalvo and Samuels state.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Study will Leverage Connecticut HIE to Help Prevent Suicides

A new study will aim to leverage CTHealthLink, a physician-led health information exchange (HIE) in Connecticut, to help identify the factors leading to suicide and to ultimately help prevent those deaths.

Duke Health First to Achieve HIMSS Stage 7 Rating in Analytics

North Carolina-based Duke Health has become the first U.S. healthcare institution to be awarded the highest honor for analytic capabilities by HIMSS Analytics.

NIH Releases First Dataset from Adolescent Brain Development Study

The National Institutes of Health (NIH) announced the release of the first dataset from the Adolescent Brain Cognitive Development (ABCD) study, which will enable scientists to conduct research on the many factors that influence brain, cognitive, social, and emotional development.

Boston Children's Accelerates Data-Driven Approach to Clinical Research

In an effort to bring a more data-driven approach to clinical research, Boston Children’s Hospital has joined the TriNetX global health research network.

Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds

Despite the high level of hospital adoption of electronic health records and federal incentives to do so, paper and films were the most frequent location of breached data in hospitals, according to a recent study.

AHA Appoints Senior Advisor for Cybersecurity and Risk

The American Hospital Association (AHA) has announced that John Riggi has joined the association as senior advisor for cybersecurity and risk.