ONC Issues Report to Congress on Policy Gaps for Security, Privacy of mHealth Data | Healthcare Informatics Magazine

ONC Issues Report to Congress on Policy Gaps for Security, Privacy of mHealth Data

July 19, 2016
by Heather Landi

The federal government needs to address large gaps in policies around health data access, security and privacy with regard to mobile health apps and health social media, according to a new report to Congress issued from the Office of the National Coordinator for Health IT (ONC).

ONC developed the report in coordination with the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR). In the report, “Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA,” ONC discusses the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared, and used by entities that are not currently covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In a blog post about the report, Karen DeSalvo, M.D., National Coordinator for Health Information Technology and Acting Assistant Secretary for Health, and Jocelyn Samuels, J.D., OCR Director, note that mHealth technologies, such as wearable fitness trackers, and the related social media sites where individuals share health information did not exist when Congress enacted HIPAA in 1996.

As the report notes, HIPAA serves traditional health care and its scope is limited. “It applies only to organizations known as ‘covered entities,’ health plans, health care clearinghouses and health care providers conducting certain electronic transactions and their ‘business associates,’ persons or entities that perform certain functions or activities involving the use or disclosure of individually identifiable health information on behalf of or in providing services to covered entities,” the report authors stated.

“Today, in addition to these traditional health care organizations, scores of new businesses that collect, handle, analyze and disclose health information about individuals have emerged,” the ONC report states.

Essentially, according to the ONC report, the gaps that exist between HIPAA regulated entities and those not regulated by HIPAA need to be addressed in a way that protects consumers while leveling the playing field for innovators inside and outside of HIPAA.

“To ensure privacy, security, and access by consumers to health data, and to create a predictable business environment for health data collectors, developers, and entrepreneurs to foster innovation, the gaps in oversight identified in this report should be filled,” the ONC report states, although it does not recommend any specific legislation to fill the gaps.

The ONC report specifically focuses on mHealth technologies and health social media. The former includes entities that collect or deal in personal health records (PHRs) and cloud-based or mobile software tools that intend to collect health information directly from individuals and enable sharing of such information, such as wearable fitness trackers, the report states. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences.

The ONC lays out three ways an individual’s health information is protected. “First, HIPAA, a federal law that establishes a nationwide floor of privacy and security standards, imposes protections through its implementing Privacy, Security, and Breach Notification Rules. Those rules are enforced by OCR, while criminal penalties for certain disclosures are enforced by the Department of Justice,” the report states.

“Second, the FTC enforces the FTC Act’s consumer protection prohibition against acts or practices that are unfair or deceptive. These could include, for example, failing to comply with an entity’s own privacy policy, deceptively failing to disclose material information about the use of personally identifiable information, or failing to reasonably secure this information,” the ONC states in the report. “Third, approximately half the states have enacted health privacy rules that apply in addition to, and are more protective of patient privacy than, HIPAA but which concern specific clinical conditions or circumstances (HIV/AIDS status, mental or reproductive health conditions, or the health information of teenagers, for example).”

However, ONC notes that as the electronic sharing and storage of health information increases, and as individuals become more engaged in sharing personal health data online, “organizations that are not regulated by HIPAA, the FTC, or state law may collect, share, or use health information about individuals in ways that may put such data at risk of being shared improperly.”

One of the challenges of safeguarding electronic health information is that while technological innovation has advanced at a rapid pace, privacy and security protections of health information have not kept up. Among the many challenges that need to be addressed, new types of entities that collect, share, and use health information are not regulated by HIPAA, and individuals also have a limited or incorrect understanding of when data about their health is protected by law, and when it is not, the ONC report states.

In addition, health information collected in more places without consistent security standards may pose a cybersecurity threat, of which individuals may be unaware, and ONC notes, individuals generally have greater rights regarding access to data held by HIPAA covered entities than data held by non-covered entities. The ONC report also raises the concern that a lack of understanding of what rules apply may hinder economic growth and development of beneficial products that could help generate better health, smarter spending, and healthier people.

The ONC report also identifies policymakers who have worked in collaboration with the industry to address some of these gaps and identify best practices while keeping pace with the rapid development of technology. The FTC’s efforts to date include enforcement against entities engaging in privacy and security-related violations under the FTC Act, as well as policy and informational initiatives, such as the FTC’s IoT (Internet of Things) report on Mobile Privacy Disclosures and consumer education and business outreach, the ONC report states.

In addition, HHS has worked to improve patient access to protected health information (PHI), to educate users on risks to the confidentiality, integrity and availability of ePHI and to develop educational materials and provide technical assistance to help entities covered by HIPAA comply with the rules.

“HHS has also committed to providing more guidance for developers of technologies offered by NCEs, as well as for entities that are unsure whether they are covered by HIPAA. These efforts are consistent with overall efforts of the Obama Administration to improve data security, privacy, and consumer protection through legislative proposals, regulations, executive orders, and the Precision Medicine Initiative,” the ONC report states.

The report also highlights private sector initiatives to address these gaps, such as published codes of conduct that private sector organizations can adopt if they choose. For example, the Consumer Electronics Association (CEA) issued Guiding Principles on the Privacy and Security of Personal Wellness Data in October 2015. While these guidelines can be adopted by companies, the ONC report notes that the guidelines are not required of CEA members, and ONC has not identified any companies that have actually adopted the guidelines, as of July 2016.

“In short, despite the best efforts of the Obama Administration, the FTC and industry, no widely adopted, comprehensive voluntary code of conduct has emerged,” the ONC report states.

The ONC report concludes that this is evidence that large gaps in policies around access, security, and privacy continue, and that confusion persists among both consumers and innovators. “Wearable fitness trackers, health social media, and mobile health apps are premised on the idea of consumer engagement. However, our laws and regulations have not kept pace with these new technologies,” the report authors write.

In the blog post, DeSalvo and Samuels note that the report is just the first step in a conversation about these issues. “In the coming weeks, we look forward to engaging with stakeholders—from consumers to technologists to clinicians to our partners in Congress—on the report’s findings and their ideas for how the gaps identified in the report should be addressed. As individuals become more and more involved in managing their own health through new technologies, we must work together to ensure they know what happens to their information and that it remains safe and secure,” DeSalvo and Samuels state.



LabCorp Joins Apple Health Records Project

November 5, 2018
by Rajiv Leventhal, Managing Editor

LabCorp, a provider of clinical laboratory and end-to-end drug development services, has announced that it has enabled Apple’s Health Records feature for its patients.

This iPhone feature aims to make it easier for LabCorp patients to access their LabCorp laboratory test results, along with other available medical data from multiple providers, whenever they choose, according to officials.

In January, Apple announced that it would be testing the Health Records feature out with 12 hospitals, inclusive of some of the most prominent healthcare institutions in the U.S. Since that time, more than 100 new organizations have joined the project, according to Apple.

LabCorp test results are viewable in the Apple Health app for LabCorp patients who have an account with the company and have enabled integration with the Health Records feature. In addition to their LabCorp test results, patients will have information from participating healthcare institutions organized into one view, covering allergies, medical conditions, immunizations, lab results, medications, procedures and vitals.

Patients will receive notifications when their data is updated, and the Health Records data is encrypted and protected with the user’s iPhone passcode, Touch ID or Face ID, according to officials.

“LabCorp on Health Records will help provide healthcare consumers with a more holistic view of their health. Laboratory test results are central to medical decision making, and broadening access to this information will help patients take charge of their health and wellness, and lead to more informed dialogues between patients and their healthcare providers,” David P. King, chairman and CEO of LabCorp, said in a statement.



HIMSS Analytics Introduces Infrastructure Adoption Model for Health Systems

October 25, 2018
by Rajiv Leventhal, Managing Editor

HIMSS Analytics, the research arm of the Healthcare Information and Management Systems Society, announced the introduction of the Infrastructure Adoption Model, or INFRAM, which is designed to measure the technical infrastructure used within a health system.

The INFRAM focuses on five technical subdomains, allowing organizations to benchmark how their infrastructure operates within the following areas: mobility; security; collaboration; transport; and data center.

Similar to HIMSS Analytics’ well-known Electronic Medical Record Adoption Model, or EMRAM, the INFRAM is an eight-stage model (0 – 7) that allows healthcare IT leaders to map the technology infrastructure capabilities required to reach their facility’s clinical and operational goals, while meeting industry benchmarks and standards. The final stage, Stage 7, guides organizations towards optimized information integration, contextualization and orchestration essential for the delivery of higher order local and virtualized care processes.

For reference purposes, Stage 0 on the model represents that an organization does not have a VPN, intrusion detection/prevention, security policy, data center or compute architecture. Stage 3 signifies that an organization has an advanced intrusion prevention system, while Stage 5 represents having video on mobile devices, location-based messaging, firewall with advanced malware protection, and real-time scanning of email hyperlinks.

HIMSS officials note that by identifying specific benchmarks for organizations to reach before they go live with EMR systems, the INFRAM aims to ensure that a health system’s infrastructure is stable, manageable and extensible. Through this, organizations can ideally improve care delivery and create a pathway for infrastructure development tied to business and clinical outcomes.

“The INFRAM is a welcome addition to our maturity model suite and addresses a longstanding need – guiding healthcare organizations in securely implementing the infrastructure upon which their EMRs are built,” Blain Newton, executive vice president, HIMSS Analytics, said in a statement. “We have seen health systems engage with advanced clinical applications, only for them to ‘glitch’ under infrastructure that isn't powerful enough to support their tools. With the INFRAM, healthcare providers can develop a detailed, strategic technology plan that defines their organization's current state, desired future state, and each stage in between to achieve their clinical and operational goals.”

