By Gene Fry, Scrypt, Inc.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), legislation that exists to safeguard private medical information, could be creating more problems than it is preventing. The rapid growth of mainstream consumer technologies such as fitness trackers and the increasingly widespread adoption of social networks and messaging applications are creating a void in HIPAA that is growing bigger by the day.
But don’t take our word for it. The issue was recently brought to light in a 32-page report issued to Congress by HHS’ Office for Civil Rights — the agency responsible for enforcing the HIPAA Privacy and Security Rules — which explained, “The wearable fitness trackers and social media sites where individuals share health information through specific social networks and other technologies that are common today did not exist when Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA).”
This is because HIPAA only covers patient information held by health providers, insurers, data clearinghouses, and their business associates (BAs), and modern consumer technologies do not fit into any of those categories. The companies behind them are therefore non-covered entities under HIPAA, and when they collect health data from consumers they do so with very little restriction on what they can or cannot do with it.
This is problematic for consumers who may not be aware of the protection they are entitled to under HIPAA and how those rights do not apply when they inadvertently share their information through wearables or social media applications. What’s more, consumers may not be able to access details about what information has been collected or whether it has been disclosed or reused for marketing or other purposes.
Unpicking the ambiguities that exist under HIPAA, the paper notes, “Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not.” It goes on to suggest, “Even entrepreneurs, particularly those outside the healthcare industry may not have a clear understanding of where HIPAA oversight begins and ends.”
The paper highlights the cybersecurity risks that exist when health information is collected by non-covered entities, citing lack of security standards and lack of encryption as the main causes of concern. With 2015 already hailed as the year of the healthcare breach due to more than 100 million healthcare records being compromised and the industry as a whole being targeted at a much higher rate than any other, the news could not come at a worse time.
The report, which was originally due for completion back in 2010, has been at the center of controversy since its belated release last month: while it clearly outlines gaps in the scope of HIPAA privacy and security protections for the modern consumer, it stops short of offering any recommendations for mitigating those concerns. Asked why the report did not offer any advice, an official said readers could draw their own conclusions from the findings.
While it perhaps raises more questions than it answers, the report can serve healthcare providers as a starting point for developing such solutions, because it sets out the boundaries of the problems that have emerged as more and more consumer technologies come onto the market.
Responding to the report, Jodi Daniel, a partner at Crowell & Moring LLP who previously worked in the Office of the National Coordinator within HHS, suggested, “Healthcare stakeholders should take the lead in collaboration with patients, to advise on how to close those gaps so consumers can securely access their health data and be assured that it is protected wherever it resides.”
About The Author
Gene Fry joined the Scrypt, Inc. family in October 2001. He has 25 years of IT experience in industries including healthcare, working for companies based in the U.S. and in Latin America. Gene is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute. In addition, he is certified as a HIPAA Privacy and Security Compliance Officer by the Identity Management Institute, holds the Certified Electronic Health Record Specialist (CEHRS™) credential from the National Healthcareer Association, and holds Gramm-Leach-Bliley Act (GLBA) certifications from BridgeFront and J. J. Keller. In his spare time, Gene rides a Harley-Davidson as part of the Austin, TX chapter.