Healthcare organizations that are HIPAA "covered entities," such as hospitals, clinics and insurers, as well as their business associates, must comply with the HITECH Act breach notification rule, a component of the HIPAA privacy rule. That's why the pending legislation before Congress wouldn't apply to these organizations.
But Harley Geiger, policy counsel at the Center for Democracy & Technology, points out in a blog that not all healthcare information is protected under HIPAA. For example, certain commercial products and services, such as mobile health applications and social networking sites devoted to medical conditions, aren't regulated under HIPAA, although they could contain sensitive patient information.
Geiger says breach notification requirements for health information held by companies not covered by HIPAA "are weak and unclear." But of the seven breach notification bills Congress is considering, none explicitly protects health information held by companies that are not HIPAA covered entities. They're designed, instead, with other industries, especially financial services, in mind.
If Congress passes one of these pending bills, it should make sure the legislation includes protections for health information used by entities not covered under HIPAA, Geiger argues. Sounds like a good idea to me.