Big Gaps in Health Data Protection Identified

ONC's Lucia Savage Discusses Findings of Report to Congress
Mobile health applications, wearable fitness trackers and even social media sites are creating new security and privacy risks for health information, especially because the data collected, shared and used typically falls outside the regulatory scope of HIPAA, says Lucia Savage, chief privacy officer at the Office of the National Coordinator for Health IT.
ONC, in collaboration with the Federal Trade Commission and the Department of Health and Human Services' Office for Civil Rights, recently completed a long overdue report, required by Congress under the HITECH Act enacted in 2009, that examines the privacy and security oversight of health data collected by entities not covered under HIPAA.
HIPAA applies to "covered entities," which include healthcare providers, health plans and healthcare clearinghouses conducting certain electronic transactions. It also applies to their "business associates" - those that perform certain functions or activities for covered entities that involve the use or disclosure of individually identifiable health information. But scores of new mobile health application providers, consumer wearable makers and related technology companies fall outside that regulatory umbrella.
ONC's report offers five key findings regarding the privacy and security of data collected by those not covered by HIPAA and highlights the need for lawmakers and businesses to consider taking action in addressing those issues, Savage explains in an interview with Information Security Media Group. The key issues are:
- Individuals' legal right to get a copy of the digital information that's been collected about them, or to request that the information be sent to third parties, "is not statutorily protected outside of HIPAA," Savage says.
- There are no federal minimum security standards for protecting health information for those entities that are not covered by HIPAA. "While security engineering best practices are pretty easy to identify, there's no law that requires any particular security practices related to non-HIPAA regulated entities."
- While HIPAA prohibits the use of identifiable health information for marketing and prohibits the sale of identifiable information, no such restrictions exist for those not covered by HIPAA.
- Consumers are confused about the regulatory requirements for protecting their health data. They're "not quite sure where certain privacy protections end and others kick in."
- The complicated regulatory environment may be "impeding development of innovation" that could improve healthcare.
Despite the lack of HIPAA regulatory oversight of many entities offering new health technologies to consumers, "if an organization was found to engage in unfair or deceptive business practices, in regards to health information, the Federal Trade Commission might take action," Savage notes.
In the interview, Savage also discusses:
- Examples of entities, including those that offer social media functions, that fall outside of HIPAA's privacy and security regulatory scope;
- The various ways health information that's collected, shared and used by entities not covered by HIPAA is at risk for breaches;
- Potential ways of addressing the regulatory and related security and privacy gaps involving certain mobile health applications and other technologies.
Savage was appointed ONC chief privacy officer in October 2014 by HHS Secretary Sylvia Mathews Burwell. Before joining ONC, Savage was senior associate general counsel at United Healthcare, where she supervised a team that represented the insurer in its work on large data transactions related to health information exchanges, healthcare transparency projects and other data-driven healthcare innovation projects. Previously, Savage was general counsel at the Pacific Business Group on Health and compliance manager at Stanford University.