On Tuesday, the Office of the National Coordinator for Health Information Technology (ONC) issued a report to Congress entitled "Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA." The report, which was developed in coordination with the Office for Civil Rights (OCR) and the U.S. Federal Trade Commission (FTC), focuses on the gaps in policy related to the privacy and security of health information collected and used by mHealth technologies (such as wearable fitness trackers) and health social media, and the challenges of protecting this information. MHealth technologies fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA) and are referred to as "non-covered entities."
As the increase in the use of wearable fitness trackers and other types of mobile technologies have changed the way people interact and engage in their health, the need to ensure this information is private and secure has also increased. However, as the report notes, many of these technologies and tools didn’t exist when HIPAA was first enacted in 1996 and there hasn’t been federal legislation aimed at closing these gaps since the 2009 HITECH Act. While HIPPA applies to health plans and health care providers, many new organizations that use consumer-facing technology to collect, analyze, and share health information are not regulated by HIPAA and may inadvertently put that data, and the individual, at risk. As the report finds, the lack of clarity and guidance over the privacy and security of these non-covered entities must be addressed and the gaps in policy must be fixed in order to create greater predictability for researchers and developers to foster innovation.
Accompanying the report was a blog post co-written by Dr. Karen DeSalvo, and Jocelyn Samuels, Director of the OCR.