Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA

Many of us now use wearables and other types of health information technology to help us manage our health and the health of our loved ones. These fitness trackers, their related social media sites where individuals share health information, and other technologies are changing the way we interact and control our own health. However, they did not exist when Congress originally enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996.
HIPAA serves traditional health care well and supports national priorities for the safe and secure flow of health information, but its scope is limited. It applies only to organizations known as “covered entities”—health plans, health care clearinghouses, and health care providers conducting certain electronic transactions—and their business associates. Yet these days, scores of new businesses use consumer-facing technology to collect, handle, analyze, and share health information about individuals – sometimes without those individuals’ knowledge.

Today, the Office of the National Coordinator for Health Information Technology (ONC) issued a report to Congress entitled, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. This report—developed in coordination with the Office for Civil Rights (OCR) and the U.S. Federal Trade Commission (FTC)—discusses the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared, and used by entities that are not currently covered by HIPAA.

This report is the first step in a conversation about these important issues. In the coming weeks, we look forward to engaging with stakeholders—from consumers to technologists to clinicians to our partners in Congress—on the report’s findings and their ideas for how the gaps identified in the report should be addressed. As individuals become more and more involved in managing their own health through new technologies, we must work together to ensure they know what happens to their information and that it remains safe and secure.

Read the full Report submitted to Congress.

One Comment

  1. Shama Hussain says:

    Dear Doctor DeSalvo,

    Great article and I hope we can continue a healthy dialogue to address the gaps challenge in Healthcare. I have over 13 years of Data security, governance and Data Privacy under my belt. I have worked in the EU and quite familiar with EU and SE Asia and Middle East mandates. Most countries have faith in EU regulations as data protection in the USA was a tad bit late and there are still kinks that we need to address as a Nation.

    First and foremost we need to simply the legal jargon and simplify the regulatory documents so that an average reader can understand and adapt. Executives who are monitored to meet the profitability margins and numbers have no time to read exhaustive documents. Yes they troops should be assigned to do the job, but in reality it is not happening, hence every mandate is adapted according tp his or her level of notion of understanding.
    Ethics play a big part and that is a trait either you have it or you do not, and it is deep rooted in our society, it is a unspoken reality. In the end the customer suffers. Executives and senior management tout security, governance, and data privacy in conferences but in reality they are sure that loss of healthcare data cannot harm anyone.
    Rather than conducting an overall old fashion assessments, vendors are pushing expensive products, tools to meet their numbers and promise a lot; they also have shady relationships with inside resources who push the vendor’s agenda. The sophisticated tool or technology is purchased but it does address the disparity around the entire enterprise.
    The CIO office does not have all the crown jewels under their umbrella, business units have created their own solutions (e.g. Life Sciences) hired their own vendors to implement the new product, controls and vulnerabilities are not monitored uniformly which has created a nightmare for the industry.
    PHI data resides in the wrong hands who do not understand or respect our regulations, it is being shipped across the continental USA, despite the client demanding to keep the data within the walls of the states. Vendors tell the client yeah but do the contrary. Some vendors are selfish, ruthless, and unethical they are focused on their bottom line rather than doing it right for the client. Vendor executives paint a rosy picture to the client by forcing security leaders to take information from other clients and make it appear like the existing client.
    Thieves and fraudulent activities are more insider acts
    PHI data and patient data is being poorly and carelessly handled.
    When leaders of these organizations are caught sending data via emails, than IM techniques are used. A security leader reporting to an an inexperienced off shore leader cannot win as IT only focuses on tactical aspects of security and it too is not an effective outcome. Please note if we lost 11 billion dollars just in the month of June we are probably facing challenges which can have a severe impact like the Enron saga. This issue can be solved as follows:

    Vendors need to prove Business Value through their performance and technology solutions sales. Emphasis should be on value across the board not on the most expensive product or technology.
    Awareness at C-level board level both at client and vendor side needs to understand that an Security leader is not a tactical role but a more strategic role across the enterprise
    Customers at board and CEO level need to get involve and align with their respective security officer to ensure security weaknesses are addressed across people, process, data, the board must align with their Security officer and be prepared where necessary to invest in tools, technology and the right resources.
    Increase audit
    Increase CMS audits
    Eliminate Nepotism
    Ethics and background checks must be the imperative.

    There are loads of areas where work is needed but security is not just an opportunity to sell new products but to morally do right to improve our Healthcare industry and we need ethical vendors and an independent set of eyes to monitor them or have random unannounced audits.

    Thank you,


Leave a ReplyComment Policy