Skip to main content
Sister Publication Links
  • ESG: THE NEW IMPERATIVE
Subscribe
  • My Account
  • Login
  • Subscribe
  • News
    • Current News
    • COVID-19
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Transformation
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Digital Health
  • Insights
    • ACA 10 Years After
    • Best Practices
    • Special Reports
    • Innovations
  • Data/Lists
    • Rankings/Lists
    • Interactive Databases
    • Data Points
  • Op-Ed
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
  • Awards
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Excellence in Governance
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top 25 Innovators
    • Diversity in Healthcare
    • Women in Healthcare
    • - Luminaries
    • - Top 25 Diversity Leaders
    • - Leaders to Watch
    • - Luminaries
    • - Top 25 Women Leaders
    • - Women to Watch
  • Events
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Transformation Summit
    • Women Leaders in Healthcare Conference
    • Social Determinants of Health Symposium
    • Leadership Symposium
    • Health Care Hall of Fame Gala
    • Top 25 Women Leaders Gala
    • Best Places to Work Awards Gala
    • Top 25 Diversity Leaders Gala
    • - Hospital of the Future
    • - Value Based Care
    • - Supply Chain Revenue Cycle
    • - Hospital at Home
    • - Workplace of the Future
    • - Strategic Marketing
    • - Virtual Health
  • Listen
    • Podcast - Next Up
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
  • MORE +
    • Advertise
    • Media Kit
    • Newsletters
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Government
July 19, 2016 01:00 AM

HHS report on privacy gaps fails to present ideas on how to close them

Joseph Conn
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print

    (Story updated at 10:43 a.m. ET)

    More than six years late and more than a few requirements short, the federal government has released a report on the privacy and security—or lack thereof—of healthcare information that's gathered by organizations and businesses that are not subject to HIPAA.

    The 32-page report (PDF) says there is a lack of clear guidance to protect the information, according to a joint statement by Dr. Karen DeSalvo, head of the Office of the National Coordinator for Health Information Technology at HHS, and Jocelyn Samuels, director of the Office for Civil Rights at HHS.

    In 2009, Congress tasked the two agencies with conducting a study on the security and privacy requirements for entities or business associates that are not covered by federal privacy laws. They also were instructed to determine which federal agencies should enforce such requirements and come up with a time frame for implementing regulations based on the report's findings. The recommendations would then be submitted to congressional committees to write any related new legislation.

    What HHS and the FTC produced, is a review of current privacy laws and two types of technologies, so-called mHealth systems, which include personal health records systems and wearable fitness trackers, and “health social media,” on which patients share their health conditions and experiences. The FTC can pursue claims over breaches involving both NCEs and HIPAA covered entities if they engage in deceptive or unfair business practices, but the agency's authority is limited in healthcare.

    Developers of these systems are called non covered entities or NCEs, in the report, meaning they are not healthcare providers, insurers, claims clearinghouses and their business associates — the "HIPAA covered entities" to which that federal law applies.

    The NCEs, the report states, have “large gaps in policies around access, security, and privacy,” and that while wearable fitness trackers and mobile app are supposed to engage consumers, laws and regulations have not kept pace with the technology.

    The authors say Congress should determine how to close those gaps.

    “It's complicated to make recommendations in this very complicated legal environment,” said Lucia Savage, chief privacy office at HHS, in an interview. “Laws are enacted by Congress, so we're deferring to them.”

    Consumer ignorance of the limitations of HIPAA, particularly where its protections end, is also a problem noted in the report. For example, the location of a mobile device can be so precise that it can detect the coordinates of a psychiatric hospital or the offices of a heart specialist, inferring the health condition of its wearer. Collecting and storing one person's data in multiple locations “make the data increasingly vulnerable to cyber security attacks,” as well.

    HIPAA does not require non-covered entities to perform and keep a current health data security risk assessment – a requirement for covered entities. Other NCE-related HIPAA protections that are lacking include data access and reporting of disclosures. Covered entities must provide patients copies of their records and an accounting of disclosures; NCEs may not.

    HIPAA has long required covered entities to prepare these disclosure audit reports for patients on demand, but initially exempted from the accounting requirement their disclosures for many healthcare data uses known collectively as TPO -- treatment, payment and “other healthcare operations,” which is itself broad, catch-all category that included many data uses.

    Privacy advocate Dr. Deborah Peel is eager to end a five-year wait for a final rule that would expand that requirement, mandating all providers track and report any disclosures of patient medical records.

    “How can you regulate something when you don't know what the environment is?” said Peel, who estimates a million businesses and other entities are buying or trading personal data. “No one knows where any of the data actually goes. We're flying in the dark, the total dark."

    The report authors avoided medical devices, even those that gather, store and transmit patient information.

    “The report is a good summary of the current issues in the health IT space and highlights some serious problems,” said Joy Pritts, the first chief privacy officer at HHS and Savage's immediate predecessor. It should provide application developers with some useful clarification about the scope of existing privacy laws and rules, but she noted the absence of recommendations.

    “Hopefully, HHS's further engagement with stakeholders will lead to more concrete recommendations and actions,” Pritts said.

    Savage said the delay happened because the agencies were trying to keep up evolving methods of data collection.

    For example, when Congress asked for the study, IT giants Microsoft and Google both had highly publicized personal health record operations. Whether either were subject to HIPAA regulation was in dispute.

    Microsoft's HealthVault still exists but hasn't caught fire. Google Health, meanwhile, went out of business in 2012.

    In the years since then, the Obama administration has issued several executive orders on cyber security across all industries, not just healthcare. It also issued its own policy paper on protecting privacy and last year proposed a consumer privacy “Bill of Rights.”

    A staffer on the House Energy and Commerce committee, speaking on background, said long delays are common with the Obama administration.

    Peel isn't buying the excuses.

    “The truth is, they were supposed to make recommendations,” Peel said, wondering why they didn't.

    There's nothing revelatory in saying there are gaps, Peel said. They've been there since the earliest days of HIPAA, she added.

    “There was never any way that HIPAA could work, because patient information wasn't staying in the hands of HIPAA covered entities,” Peel said. Her argument is that protection should go with the data, effectively making every healthcare data holder a “covered entity.”

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    Dr. Anthony Fauci
    Fauci: 'Pandemic phase' over for US, but COVID-19 still here
    greenhouse emission
    5 takeaways from HHS' environmental justice strategy
    Sponsored Content
    Modern Healthcare Alert: Sign up for this breaking news email to be kept in the loop as urgent healthcare business news unfolds.
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • COVID-19
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Digital Health
    • Insights
      • ACA 10 Years After
      • Best Practices
      • Special Reports
      • Innovations
    • Data/Lists
      • Rankings/Lists
      • Interactive Databases
      • Data Points
    • Op-Ed
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Awards
      • Nominate/Eligibility
      • 100 Most Influential People
      • 50 Most Influential Clinical Executives
      • Best Places to Work in Healthcare
      • Excellence in Governance
      • Health Care Hall of Fame
      • Healthcare Marketing Impact Awards
      • Top 25 Emerging Leaders
      • Top 25 Innovators
      • Diversity in Healthcare
        • - Luminaries
        • - Top 25 Diversity Leaders
        • - Leaders to Watch
      • Women in Healthcare
        • - Luminaries
        • - Top 25 Women Leaders
        • - Women to Watch
    • Events
      • Conferences
        • Transformation Summit
        • Women Leaders in Healthcare Conference
        • Social Determinants of Health Symposium
        • Leadership Symposium
      • Galas
        • Health Care Hall of Fame Gala
        • Top 25 Women Leaders Gala
        • Best Places to Work Awards Gala
        • Top 25 Diversity Leaders Gala
      • Virtual Briefings
        • - Hospital of the Future
        • - Value Based Care
        • - Supply Chain Revenue Cycle
        • - Hospital at Home
        • - Workplace of the Future
        • - Strategic Marketing
        • - Virtual Health
      • Webinars
    • Listen
      • Podcast - Next Up
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • MORE +
      • Advertise
      • Media Kit
      • Newsletters
      • Jobs
      • People on the Move
      • Reprints & Licensing