“We certainly didn't have mobile health care apps when the HIPAA security rule went into effect (in 2005),” Nahra said. Security breaches, both in healthcare and outside with commercial records, and heightened federal attention to cybersecurity as a part of national defense are combining to put a spotlight on the privacy and security of all electronic records, he said.
The Federal Trade Commission, the FDA and the Defense Department are also becoming more involved in regulating data privacy and security.
In healthcare, the upshot is a new awareness that the HIPAA paradigm of placing rules around covered entities and their business associates is “very narrow,” according to Nahra, who served as co-chair of the federal confidentiality, privacy and security workgroup of the American Health Information Community, an advisory panel to HHS in the George W. Bush administration. “It's not a general rule protecting healthcare information (and) there is a ton of healthcare information that's not covered by the circle of HIPAA.”
The mobile device debate highlights tensions with the role of patients in their own healthcare, according to Nahra. “We're seeing it with things as simple as can doctors have e-mail conversations with their patients. I think this is going to lead to a lot of pressure to have a broader interpretation of HIPAA beyond covered entities.”
A variety of bills before Congress dealing broadly with information privacy and security may touch on the healthcare industry, he said. Meanwhile, the government is very focused on cybersecurity.
“At a minimum, we're going to see new standards for people who are not involved in the healthcare industry that are not directly covered by HIPAA,” he said. “We need to keep an eye on that.”
Follow Joseph Conn on Twitter: @MHJConn