On July 19, 2016, the Office of the National Coordinator for Health Information Technology ("ONC") submitted a report to Congress which suggests that health privacy regulations may soon be revised to catch up with the universe of mHealth technologies that now use and share personal health data. The report, titled Examining Oversight of the Privacy and Security of Health Data Collected by Entities (the "Report"), was drafted by the ONC in collaboration with the Office for Civil Rights ("OCR") and the US Federal Trade Commission ("FTC"). The Report summarizes the regulatory construct that currently protects the privacy of personal health information held by covered entities (and their business associates) and outlines the agencies' concerns regarding the lack of similar regulatory oversight over health data usage by mHealth technology developers and other businesses falling outside the scope of HIPAA (each referred to as a "Non-Covered Entity" or "NCE").
Since HIPAA's passage in 1996, health data usage has evolved well beyond the simple chart review in the doctor's office or the processing of an insurance claim. Scores of new businesses and technologies have emerged that use health data in increasingly innovative ways. Health data is now collected by data aggregators and mined by data analysts for many new purposes, such as market forecasting and development, advertising, clinical research, predictive analytics for the development of new treatment protocols or clinical decision support algorithms, and structuring patient populations for accountable care organizations. Yet federal privacy regulations have not evolved to keep pace. The Report correctly notes that federal privacy regulations have yet to contemplate the existence of "mHealth technologies" or "health social media." The former are entities that collect personal health records ("PHRs"), as well as cloud-based or mobile software tools that collect health information directly from individuals and enable health data sharing outside the traditional healthcare provider context (e.g. wearable fitness trackers); the latter are websites that encourage users to share health data directly. Most actions by these entities, as Non-Covered Entities, are not regulated by HIPAA. A patchwork of federal and state laws does govern some NCE data practices, but rather than enhancing privacy protections, the inconsistencies between those laws mostly generate confusion among mHealth technology developers and consumers, thereby encouraging risky data management practices by both. For example, businesses fail to develop security protocols because they believe they are exempt from HIPAA, and consumers enter health data into wearable trackers believing HIPAA protects against its further disclosure when it does not.
As a first step toward a solution, the Report seeks to detail the current gaps in the policies governing access to, and the security and privacy of, personal health data. Specifically, the ONC identifies five major areas in which an individual's right to control his or her health data differs markedly depending on whether the data is held by a covered entity (governed by HIPAA) or by an NCE. The five "gaps in oversight" identified are as follows:
- Differences in Individual's Right of Access
- Differences in Individual's Right to Control Third Party Use of Data
- Differences in Security Standards
- Differences in Understanding of Privacy and Security Protections Terminology
- Inadequate Data Collection, Usage, and Disclosure Limitations
The Report does not go so far as to recommend solutions for the noted gaps in oversight. Yet ONC's publication of this Report, which details the identified gaps in privacy protections for Congress, could signal that new regulations directly or indirectly governing NCE data practices may be forthcoming. mHealth technology developers (including vendors of personal health records, mobile health applications, wearable health data trackers, and others), websites actively collecting health data, social media health platforms (e.g. patient-peer networking websites or websites tracking biometric data), and others handling health data as non-covered entities should monitor congressional activity for any new regulatory developments that would affect their data collection, management, and sharing practices.
For More Information
For questions regarding this information, please contact the author, a member of Polsinelli’s Health Care practice, or your Polsinelli attorney.