

August 2016


Agencies Encourage New Privacy Regulations to Close the mHealth Black Hole and Keep Pace with Evolving Technologies







For more information about this e-Alert, please contact:

Erin Fleming Dunlap
Zuzana S. Ikels
Laura Little
Sidney Welch



On July 19, 2016, the ONC[1] submitted a report to Congress suggesting that health privacy regulations may soon be revised to catch up with the universe of mHealth technologies that now use and share personal health data.[2] The report, titled Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA (the "Report"), was drafted by the ONC in collaboration with the HHS Office for Civil Rights ("OCR") and the U.S. Federal Trade Commission ("FTC"). The Report summarizes the regulatory construct currently protecting the privacy of personal health information held by covered entities (and their business associates)[3] and outlines the agencies' concerns regarding the lack of similar regulatory oversight of health data usage by mHealth technology developers and other businesses falling outside the scope of HIPAA[4] (each referred to as a "Non-Covered Entity" or "NCE").

Since HIPAA's passage in 1996, health data usage has evolved well beyond the chart review in the doctor's office or the processing of an insurance claim. Scores of new businesses and technologies have emerged that use health data in increasingly innovative ways. Health data is now collected by data aggregators and mined by data analysts for many new purposes, such as market forecasting and development, advertising, clinical research, predictive analytics for the development of new treatment protocols or clinical decision support algorithms, and structuring patient populations for accountable care organizations. Yet federal privacy regulations have not evolved to keep pace. The Report correctly notes that federal privacy regulations have yet to contemplate the existence of "mHealth technologies" (entities that collect personal health records ("PHRs"), and cloud-based or mobile software tools, such as wearable fitness trackers, that collect health information directly from individuals and enable health data sharing outside the traditional health care provider context) or "health social media" (websites that encourage users to share health data directly). Most activities of these entities, as Non-Covered Entities, are not regulated by HIPAA. A patchwork of federal and state laws does govern some NCE data practices, but rather than enhancing privacy protections, the inconsistencies among those laws mostly generate confusion among mHealth technology developers and consumers, thereby encouraging risky data management practices by both (e.g., businesses fail to develop security protocols because they believe they are exempt from HIPAA; consumers input health data into wearable trackers believing that HIPAA restricts its further disclosure when it does not).

As a first step toward a solution, the Report details the current gaps in the policies governing access to, and the security and privacy of, personal health data. Specifically, the ONC identifies five (5) major areas in which an individual's right to control his or her health data differs markedly depending on whether the data is held by a covered entity (governed by HIPAA) or by an NCE. The five "gaps in oversight" identified are as follows:

  • Differences in Individual's Right of Access

  • Differences in Individual's Right to Control Third Party Use of Data

  • Differences in Security Standards

  • Differences in Understanding of Privacy and Security Protections Terminology

  • Inadequate Data Collection, Usage, and Disclosure Limitations

The Report does not go so far as to recommend solutions for the noted gaps in oversight. Yet ONC's publication of this Report, detailing for Congress the identified gaps in privacy protections, could signal that new regulations directly or indirectly governing NCE data practices may be forthcoming. mHealth technology developers (including vendors of personal health records, mobile health applications, wearable health data trackers, and others), websites actively collecting health data, social media health platforms (e.g., patient-peer networking websites or websites tracking biometric data), and others handling health data as non-covered entities should monitor congressional activity for any new regulatory developments that would affect their data collection, management, and sharing practices.


For More Information

For questions regarding this information, please contact the authors, a member of Polsinelli’s Health Care practice, or your Polsinelli attorney.

[1] Office of the National Coordinator for Health Information Technology ("ONC") of the U.S. Department of Health and Human Services.

[2] The term "health data" is used throughout this alert as a proxy for the following legal terms: "health information," "individually identifiable health information," "protected health information," and "personally identifiable information." Because NCEs handle health information that is not necessarily limited to the protected health information governed by HIPAA, this broader term is used to refer to the health-related information individuals share with mHealth technologies, social media, personal health records, and other NCEs.

[3] See 45 C.F.R. § 160.103 (HIPAA applies only to organizations known as "covered entities," defined as health plans, health care clearinghouses, and health care providers that conduct certain electronic transactions, and to their "business associates," defined as persons or entities that perform certain functions or activities involving the use or disclosure of individually identifiable health information on behalf of, or in providing services to, covered entities).

[4] Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 1936 (1996), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act") and its implementing regulations (collectively, "HIPAA").






















Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

Copyright © 2016 Polsinelli PC.
