Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA

Dr. Karen B. DeSalvo and Jocelyn Samuels | July 19, 2016

Many of us now use wearables and other types of health information technology to help us manage our health and the health of our loved ones. These fitness trackers, their related social media sites where individuals share health information, and other technologies are changing the way we interact and control our own health. However, they did not exist when Congress originally enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996.
HIPAA serves traditional health care well and supports national priorities for the safe and secure flow of health information, but its scope is limited. It applies only to organizations known as “covered entities”—health plans, health care clearinghouses, and health care providers conducting certain electronic transactions—and their business associates. Yet these days, scores of new businesses use consumer-facing technology to collect, handle, analyze, and share health information about individuals – sometimes without those individuals’ knowledge.

Today, the Office of the National Coordinator for Health Information Technology (ONC) issued a report to Congress entitled, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. This report—developed in coordination with the Office for Civil Rights (OCR) and the U.S. Federal Trade Commission (FTC)—discusses the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared, and used by entities that are not currently covered by HIPAA.

This report is the first step in a conversation about these important issues. In the coming weeks, we look forward to engaging with stakeholders—from consumers to technologists to clinicians to our partners in Congress—on the report’s findings and their ideas for how the gaps identified in the report should be addressed. As individuals become more and more involved in managing their own health through new technologies, we must work together to ensure they know what happens to their information and that it remains safe and secure.

Read the full Report submitted to Congress.