HIPAA limited in age of mHealth, social media, wearables, HHS says
In new report to Congress, HHS says current regulations are not keeping pace with consumer engagement tools, social media.
The U.S. Department of Health and Human Services issued a report to Congress wherein it stated that HIPAA serves traditional healthcare well and continues to support national priorities for interoperable health information with its media-neutral privacy rule, but that the scope of HIPAA is limited.
"The health information marketplace of 2016 is filled with technology that enables individuals to be more engaged in managing their own health outside of the traditional healthcare sphere than ever before," according to the 32-page report. "The wearable fitness trackers, social media sites where individuals share health information through specific social networks, and other technologies that are common today did not exist when Congress enacted the Health Insurance Portability and Accountability Act of 1996."
HHS characterizes gaps in health data security, patient privacy concerns, and health IT that can potentially aid in protecting patients and their information. The report pays special attention to mobile health and social media issues.
[Also: Reports: HIPAA waived for Orlando hospital in wake of nation's deadliest mass shooting]
"It applies only to organizations known as 'covered entities,' health plans, healthcare clearinghouses and healthcare providers conducting certain electronic transactions, and their 'business associates,' persons or entities that perform certain functions or activities involving the use or disclosure of individually identifiable health information on behalf of or in providing services to covered entities," the report noted. "Today, in addition to these traditional healthcare organizations, scores of new businesses that collect, handle, analyze and disclose health information about individuals have emerged."
HHS had three goals in its report to Congress: analyze the scope of privacy and security protections of an individual's health information for these new and emerging technology products not regulated by HIPAA., identify key gaps that exist between HIPAA-regulated entities and those not regulated, and recommend addressing those gaps in a way that protects consumers while leveling the playing field for innovators inside and outside of HIPAA.
[Also: Insurers, providers could save $8 billion by automating HIPAA transactions, CAQH Index says]
"The report thoroughly catalogs gaps in privacy and security protections; it identifies the resulting confusion, lack of consumer protection and delayed progress in the use of innovative tools in healthcare," said Crowell & Moring LLP partner Jodi Daniel, who previously served in the Office of the National Coordinator for Health Information Technology within HHS. "It stops short of recommending solutions for a comprehensive health information privacy policy that addresses contexts not covered by HIPAA. As such, healthcare stakeholders should take the lead in collaboration with patients, to advise on how to close those gaps so consumers can securely access their health data and be assured that it is protected wherever it resides."
Large gaps in policies around access, security and privacy continue, and confusion persists among both consumers and technology makers, the HHS report said.
"Wearable fitness trackers, health social media and mobile health apps are premised on the idea of consumer engagement," HHS said. "However, our laws and regulations have not kept pace with these new technologies. This report identifies the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared and used by [entities not covered by HIPAA]."
Twitter: @SiwickiHealthIT