The 1996 U.S. Health Insurance Portability and Accountability Act (HIPAA) was created to regulate the way health care providers handle health and medical data. But mobile technologies have since given rise to a new breed of health data trackers not covered by HIPAA – a trend that is raising concern as well as questions about HIPAA’s relevance.
Mobile health and fitness apps and trackers all are part of a new market that is not necessarily subject to HIPAA rules, which were designed for health care providers.
“HIPAA did not specify specific technologies,” said Andrew Boyd, assistant professor at the University of Illinois’ department of Biomedical and Health Information Sciences. The regulation was written to provide “policies and procedures in the frame of thought. Mobile technologies and the Internet of Things were not envisioned at the time.”
“We’re just now starting to understand what the implications are,” he said. “We’re trying to now understand the policies and what some of the security risks are. … We’re still in the beginning stages of this. So if the Internet of Things and the mobile apps mature to the point where they are fully integrated into the health care enterprise, the policy in HIPAA will apply. And these are things that people need to begin to understand.”
In a recent report, the Office of the National Coordinator for Health Information Technology (ONC) appealed to Congress to tackle the security of shared health data not covered by HIPAA.
“While HIPAA serves traditional health care well and continues to support national priorities for interoperable health information with its media-neutral Privacy Rule, its scope is limited. It applies only to organizations known as ‘covered entities’ – ONC
Securing this information will be a challenge, said Boyd. Security should be built in from the start, although adding too many security layers might create usability barriers.
“If you’re wearing a Fitbit before you go for a run,” he said, “entering in two passwords to make sure it’s you … kind of defeats the usability. So there is this tension, there is this drag between making sure the data is secure and you know exactly who you’re dealing with compared to usability. And so finding that balance is going to be hard.”
But he said HIPAA already has the building blocks and its concepts and principles could be applied to this emerging niche, given good regulation.
HIPAA does not apply if an entity that is not a health care provider is handling health information. It does not apply if the patient divulges his/her own health information online or enters it into a mobile app or wearable device, thereby providing it to a firm that is not a health care provider.
And it does not cover consumer health applications and products, nor was it intended to cover all health data, Health and Human Services’ Deven McGraw, Deputy Director Health Information Privacy at the HHS Office of Civil Rights, told Techtonics.
“It was intended to assure protections attached to identifiable health information collected, used and shared by covered entities,” she said in an email. “In that respect, HIPAA has really stood the test of time, as covered entities and their contractor business associates are required to comply with the regulations, which address privacy, security, and breach notification and are technology neutral.”
Entities covered by HIPAA are required to secure patient information and follow proper handling procedures for the collection, use and sharing of data online. Their associates – cloud services, for example – must have a business associate agreement in place with the vendor to protect the information, said McGraw.
The agreement must include written assurances that the vendor “will implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the information in accordance with the HIPAA Security Rule,” she said. This means a business associate is “directly liable to HHS for compliance” with respect to the patient information it maintains.
If more than 500 records are released or compromised, covered entities are required to notify the Office of Civil Rights and issue a press statement. If you are a small startup not covered by HIPAA, you might have a problem.
“If you are a small company trying to figure out how we get this to be truly successful and you are not part of a covered entity,” cautioned Boyd, “if you have 1,000 initial users hacked, then you have to tell the Office of Civil Rights and it’s up to $250,000 per incident – all the little companies are going to go bankrupt.”
There are currently “no plans to revamp the HIPAA Rules,” said McGraw. They are “technology neutral and provide flexibility to address the privacy and security of individuals’ protected health information, whether on paper or electronic.”
Boyd believes flexibility and creativity are needed to maintain innovation to find new ways of engaging people with trackers, motion sensors and behavior modification. Applying HIPAA to information “that has not been proved to be medically relevant …would be an overreach of regulation,” he argued, although an update might be needed at some point to reflect the volumes of information transacted outside the health care sector.
“Appropriate regulation is going to be necessary,” he said. “But the more regulation we have, the harder it becomes to innovate … and a really novel solution in order to engage patients, in order to improve their health – I don’t think it’s been invented yet.”