ONC struggles to find a way to balance HIPAA protection

Consumers don’t grasp the limits of the protection enforced by the HHS Office for Civil Rights, but a recent report to Congress lacks potential solutions.


Confusion increasingly surrounds the privacy and security of electronic health information collected, shared and used by entities not covered by HIPAA, and eliminating that uncertainty remains a work in progress, says Lucia Savage, chief privacy officer in the Office of the National Coordinator for Health IT.

However, there is no easy solution: a recent ONC report on the disparity in data protection between entities covered by HIPAA and those that are not raised issues for legislators to consider but did not detail potential solutions.

Speaking at last week’s joint meeting of the Health IT Policy and Standards committees, Savage observed that consumers, in particular, wrongly assume that HIPAA protects their health data when the law, in fact, may not.

“HIPAA protection does not apply to all health information everywhere it is collected, accessed, used or stored,” she told the committees. “Consumers don’t really understand that the boundaries of HIPAA end with certain kinds of economic activity.”

Last month, ONC announced that it had sent a report to Congress drawing attention to the lack of clear guidance on how health information is protected by HIPAA-regulated entities compared with those not regulated by HIPAA. Savage commented that the lack of clear rules in this area also impedes innovation. Specifically, ONC’s report focuses on mobile health technologies and health social media that fall outside the scope of HIPAA.

According to Savage, HIPAA is enforced by the Office for Civil Rights and state attorneys general, and it provides nationwide privacy, security and breach notification protections for health information accessed, used, disclosed or held by covered entities and their business associates.

Non-covered entities (NCEs), she explained, are vendors and their technologies that collect electronic health information about individuals but are not considered “covered entities” or “business associates” under HIPAA.

These technologies include:

  • Mobile health technology, such as entities that provide direct-to-consumer mHealth apps, remote health monitoring devices or wearable health-tracking devices.

  • Health social media, including social networking websites for health purposes, which might be accessed on computers or smartphones and other mobile devices.

  • Personal health records not hosted by covered entities.

Savage pointed out that NCEs are not required by law to adhere to minimum security practices, whereas HIPAA specifies minimum security standards. In addition, she said that NCEs are not required by law to give consumers access to their health information, or to send (disclose) it where consumers wish, whereas HIPAA guarantees this right.

“Within HIPAA, individuals have a right to access the data about themselves in a way that has meaning to them, and to require said data be sent to the place they choose—that is not true for non-covered entities,” according to Savage.

ONC’s report to Congress highlighted these gaps in policies around access, security and privacy that exist between HIPAA-regulated and non-regulated entities when it comes to electronic health information. To address the problem, ONC recommended filling those gaps in a way that protects consumers “while leveling the playing field for innovators inside and outside of HIPAA.”

Nonetheless, as Health IT Policy Committee co-chair Paul Tang, MD, pointed out to Savage, the agency’s report does not provide specific recommendations on how to fill those gaps.

“The report is there to help facilitate discussion,” said Savage. “The content of the report is final and does not contain specific recommendations for legislation, task forces by ONC, regulatory revisions by OCR or a particular activity of the Federal Trade Commission.”
