What HIPAA doesn't cover

Protecting patient health data is a top priority for healthcare organizations, and much of the regulation surrounding this data is spelled out in HIPAA, the Health Insurance Portability and Accountability Act, commonly known as the privacy law. However, HIPAA was originally written in 1996, and its Security Rule was published in 2003 and became effective in 2005, long before wearables and personal trackers became widespread in consumer use.

With wearables and personal devices tracking and transmitting health data, concern is mounting over how that data is protected. A recent report from ProPublica, co-published with the Washington Post, outlined some of the shortcomings of HIPAA and which information sources fall outside the privacy law.

According to the report, HIPAA only covers patient information held by covered entities (healthcare providers, health plans and healthcare clearinghouses) and their business associates. The law offers no protection for data generated by wearables and fitness trackers, by online repositories where people store their own health records, or by at-home genetic tests such as paternity tests and those sold by 23andMe.

Because these sources aren't regulated under HIPAA, exposure of the data they produce carries no HIPAA consequences. According to the ProPublica report, in 2011 Fitbit users who entered information about their sexual activity to help calculate calories burned found that the information was publicly accessible. Also in 2011, an Australian company failed to adequately secure the results of hundreds of paternity and drug tests, and that data could be found through a Google search.

"Consumer-generated health information is proliferating," said Julie Brill, FTC commissioner, in a 2014 forum on consumer-generated data. "The potential benefits to consumers are significant. The potential benefits to society are incredibly significant. But also, there are some risks…with respect to health data flows that are appearing outside of HIPAA, outside of the medical context, and therefore outside of any regulatory regime that focuses specifically on health information."


© Copyright ASC COMMUNICATIONS 2020.