July 21, 2016
Remember the concept of HIPAA “covered entities?” Today HIPAA requirements of covered entities are to health data privacy and security as muskets are to modern police protection — outdated and inadequate. The traditional HIPAA model regulates health plans, health care providers, health clearinghouses, and their business associates with strict provisions for securing our “protected health information” (PHI) so that it remains, first and foremost, ours. But today, Americans share a vast amount of our health information with uncovered entities, often without realizing it. As a result, our protected health information may be more at risk than ever.
Fast forward from the early 2000’s to 2016 and to a whole new set of healthcare players — non-covered entities with whom we willingly share our most private health data. Anyone who uses health-related internet services or personal digital technology is potentially at risk. We are giving our PHI away without the foggiest notion that HIPAA protection is nowhere to be found.
A new report from ONC spells out the problem. “Health information is increasingly collected, shared, or used by new types of organizations…currently NOT covered by HIPAA, such as peer health communities, online health management tools, and websites used to generate information for research.” Health information also is collected through mHealth technologies, e.g. tablets, smartphones, software applications, and wearable sensors that often enable individuals to monitor vital signs or other biometric data. According to a study by ITOnline, reported by Forbes Magazine, two-thirds of Americans have already shown a preference for digital health management over physical. The study also shows 79 percent of Americans are willing to use a wearable device to manage their health, with 45 percent wanting tracking of symptoms.
Device-based applications can provide a great benefit to those of us who want to manage our healthcare more knowledgeably. Users have grown into the millions. Healthcare related “apps” enable us to become more engaged in our health and are a convenient means for real-time collection of valuable health information, some of which we share with our caregivers. But, according to ONC, “Absent the protections of the HIPAA Rules, device vendors may share the data with multiple other parties.” (The sharing could be subject to FTC rules on unfair or deceptive conduct, but the latter is a long stretch from stringent health-centric HIPAA rules.)
When an app that collects our health data is not offered by a HIPAA covered entity or a business associate, it is outside the scope of HIPAA’s protections.
The ONC report also focuses on popular health-related social networking and patient peer-networking / support websites. Tech-savvy baby boomers and individuals with specific health conditions have fostered enormous expansion of this phenomenon; just take a look at sites devoted to diabetes, arthritis, autoimmune conditions, and Parkinson’s to witness how “members” are using them to more directly understand and manage their health. From ONC: “Social media are interconnected, multi-directional means of communication and allow sharing of information, preferences, and views among individuals and groups, (including) self-disclosure of health information.” ONC says at least 27 percent of internet users and 20 percent of adults have tracked their weight, diet, exercise routine, symptoms, or another health indicator online.
Some websites in which individuals share their health information are hosted or sponsored by HIPAA covered entities, such as health plans or provider networks. But many of the websites operate independently, often through a direct relationship to the individual.
Benefits can be realized through using such social media, but individuals are often unaware of possible future uses of their health information and the potential consequences. ONC cites a study examining social networking sites for diabetics that found that “less than half of the sites offered safeguards for protecting the individuals’ personal health information. The study also identified conflicts of interest, such as ties to the pharmaceutical industry, which were not disclosed to individuals using these sites.”
Findings from ONC’s report highlights areas where organizations may be lacking “openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.” Specific circumstances where health information about individuals may be outside the scope of HIPAA’s access rights provisions may include:
ONC’s analysis also indicates that non-covered entities may not be incorporating basic security protections within their sites or apps. In particular, encryption practices are not uniform, and data about them may not available. For example, ONC notes that only six percent of free health apps and 15 percent of paid health apps always use encrypted SSL connections when sending data to third parties. Other basic security protections are also often missing, such as authentication of a person’s identity prior to allowing access to health information and requiring sufficiently complex passwords.
Even mHealth privacy notices are suspect. While mHealth apps may post privacy notices, the consumer cannot assume that HIPAA privacy and security protections are being applied to the technology that is collecting the consumer’s health data. Without this assurance, users may choose to enter data that immediately is at risk for misuse and re-disclosure.
While ONC has done us the service of outlining the many security and privacy risks of technologies and online social and other health-related sites offered by non-covered entities, it offers essentially no solutions. ONC readily admits that our health privacy and security laws and regulations have not kept up with new technologies: “Large gaps in policies around access, security, and privacy continue, and confusion persist among both consumers and innovators.”
ONC is clear in stating that these gaps should be filled. Surprisingly, it offers no proposals or recommendations for doing so. In the meantime, without defined leadership and funding devoted to fixing the problem, it will get substantially worse. mHealth apps and health social sites are skyrocketing in numbers and technological sophistication.
We are in a time when major HIPAA breaches among covered entities are a frequent and painful reality, and when many organizations are investing more than ever in preventing them. Yet, tens of thousands of non covered entities are slipping through an ever-widening health data privacy and security crack. The ONC report may be a first step in raising awareness — or maybe not. Let’s hope for something with real muscle very soon.