mHealth Growth Creates Privacy, Security Challenges
Much has changed in the years since HIPAA was enacted, not the least of which is the use of mobile technology in healthcare. Does HIPAA need to be updated to reflect the current state of health IT?
The deputy director of the HHS Office for Civil Rights believes it's time to consider filling the regulatory gaps in dealing with mHealth issues of seciurty and privacy
“Making your rules—which operate on a much more deliberative timeframe—and keeping up with technology, which seems to change at the pace of the speed of light, is a difficult challenge,” concedes Deven McGraw, deputy director for health information privacy in the HHS Office for Civil Rights.
McGraw, who is responsible for HIPAA policy and enforcement at OCR, says the most effective way for the agency to modernize its rules is to “provide more guidance to the regulated community about how the rules that we have apply to new technology environments.”
Having said that, she acknowledges that “we will always be bumping up against the fact that HIPAA doesn’t cover all health data, and our authorities at OCR to regulate health data are limited to when that data are collected, used, and disclosed by covered entities and business associates. A lot of the mobile health community operates outside of those parameters.”
HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by certain covered entities, such as providers, insurers and certain business associate. Yet, increasingly, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply.
“It’s a regulatory gap for sure, but it’s not within my authority to say whether or not it should be addressed,” McGraw says. “That’s not an issue that I can resolve. That’s an issue for Congress to resolve.”
In January 2013, the Department of Health and Human Services announced a new HIPAA final omnibus rule. However, some critics say the rule was a missed opportunity to address the privacy and security realities and vulnerabilities in today’s mobile health environment.
McGraw disagrees. “We had a set of requirements in HITECH that were our first priority for implementation in that rule, and we addressed most of what were required to address,” she says. “We still have some work to do on a few things. But, we do not regulate the entire mobile health community, so there’s no possible way that our omnibus rule could have stretched further than our own legislative authorities.”
At the same time, McGraw emphasizes that OCR continues to put out guidance about the “application of our role” in mobile health. “Our security rule was designed to be flexible and to be applicable to a wide range of ePHI environments with respect to the entities that we regulate,” she says. “I think there is plenty of coverage of mobile health tools when they are utilized by covered entities and business associates.”
But, Gary McGraw, chief technology officer of app security firm Cigital (no relation to Deven), blames HIPAA for the healthcare industry’s general shortcomings in the area of internal software security programs and practices.
“HIPAA caused healthcare firms for the most part to over-focus on patient data privacy and not spend enough time thinking about security,” he argues. “If the only concern you have when you’re building a medical device that may be implanted in somebody’s body is whether it leaks patient data, you’re not going to concern yourself with whether it can be hacked to injure or kill them.”
However, Deven takes exception with that assertion. “Those two—privacy and security—are inextricably linked and I find it hard to understand why someone would bifurcate those two and suggest an emphasis on one means that people don’t pay attention to another,” she says. “The reason to have security protections is to make sure that your access, use, and disclosure of sensitive health information is consistent with the rules. Without those rules, I don’t even know why you need a security program. It’s about how you make sure that access to data is only by authorized persons.”
At the same time, Deven acknowledges that some healthcare providers may be in a situation where they just recently had to comply with the HIPAA security rule, which applies to electronic protected health information. “Security compliance may be more new to them but to say that we did them a disservice by having a privacy rule and a security rule strikes me as odd,” she comments.
In an effort to reach out to the mHealth community, OCR recently launched a new online platform to provide mobile health developers with a sounding board to ask questions and voice concerns about the HIPAA privacy and security rules.
“There’s lots of confusion out there about when a mobile health product is regulated under HIPAA and when it’s not,” Deven says, and OCR will use feedback provided through the website to inform the development of future guidance.
She adds that posting or commenting on a question on the portal—which is done anonymously—will not subject anyone to enforcement action.