News Feature | July 29, 2016

Report Finds ‘Key Gaps' In Protection Of PHI On Mobile Apps

Christine Kern

By Christine Kern, contributing writer

PHI Protection

HIPAA is not keeping up with privacy gaps on mobile health apps for consumers.

“Key gaps” exist in HIPAA's ability to protect personal information generated by wearable fitness trackers and other mobile apps according to the findings of a new government report. Developed in conjunction with HHS Office for Civil Rights and the U.S. Federal Trade Commission, Examining Oversight of the Privacy & Security of Health Data Collected By Entities Not Regulated by HIPAA examines the lack of guidance around access to and protection of consumer health information used by entities not covered under current HIPAA regulations. A recent FTC report also investigated the scope of data-sharing and collection in all sectors.

As the HHS report explains, “The health information marketplace of 2016 is filled with technology that enables individuals to be more engaged in managing their own health outside of the traditional healthcare sphere than ever before. The wearable fitness trackers, social media sites where individuals share health information through specific social networks, and other technologies that are common today did not exist when Congress enacted the Health insurance Portability and Accountability Act of 1996 (HIPPA). While HIPAA served traditional healthcare well and continues to support national priorities for interoperable health information with its media-neutral Privacy Rule, its scope is limited.”

The study points out many new technologies — including mobile health apps — are falling through the cracks of HIPAA protection. To-wit, the report “analyzes the scope of privacy and security protections of an individual’s health information for these new and emerging technology products that are not regulated by HIPAA; identifies key gaps that exist between HIPAA regulated entities and those not regulated by HIPAA; and recommends addressing those gaps in a way that protects consumers while leveling the playing field for innovators inside and outside of HIPAA.”

This is not the first time the privacy issue for healthcare-related personal information has been addressed. As Pro Publica reported, Congress asked for recommendations regarding what to do about information that fell beyond HIPAA oversight. This new report revealed the current landscape of mobile app information, but offered no concrete suggestions for protection of that data.

“Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” notes the report. “Moreover, even entrepreneurs, particularly those outside the healthcare industry may not have a clear understanding of where HIPAA oversight begins and ends.”

“At the end of the day, it’s a very complicated environment that we find ourselves in,” Lucia Savage, chief privacy officer at the Office of the National Coordinator for Health Information Technology, told ProPublica. “We believe we’re fulfilling our duties. If Congress has concerns about that, I’m sure that we will hear about them.”

As a blog post by Karen B. DeSalvo and Jocelyn Samuels explained, the report is just the “first step in a conversation about these important issues,” and HHS’s Office of the National Coordinator for Health Information Technology will seek stakeholder input on ways to address the privacy gap in the coming weeks.