ONC takes aim at health data outside scope of HIPAA

The Office of the National Coordinator for Health IT has sent a report to Congress detailing the lack of clear guidance around the privacy and security of electronic health information collected, shared, and used by entities not currently covered by HIPAA.

Developed in coordination with the Department of Health and Human Services’ Office for Civil Rights and the Federal Trade Commission, the ONC report focuses on mobile health technologies and health social media that are outside the scope of HIPAA.

The report identifies key gaps in oversight that exist between HIPAA-regulated and non-regulated entities when it comes to health data, and recommends filling those gaps in a way that protects consumers “while leveling the playing field for innovators inside and outside of HIPAA.”

Covered entities must comply with HIPAA Privacy and Security Rules. However, those entities not regulated by HIPAA are not subject to the same regulations governing the collection, sharing, and use of individuals’ health information.

For example, when an app is not offered by a HIPAA-covered entity or a business associate, it is outside the scope of HIPAA’s protections. Consequently, mHealth technologies and health social media may present privacy issues, according to the report, and absent the protections of the HIPAA Rules, device vendors may also be sharing the data with third parties.


“This report is the first step in a conversation about these important issues,” wrote National Coordinator for HIT Karen DeSalvo, MD, and OCR Director Jocelyn Samuels in a July 19 blog. “In the coming weeks, we look forward to engaging with stakeholders—from consumers to technologists to clinicians to our partners in Congress—on the report’s findings and their ideas for how the gaps identified in the report should be addressed. As individuals become more and more involved in managing their own health through new technologies, we must work together to ensure they know what happens to their information and that it remains safe and secure.”

ONC’s report concludes that laws and regulations have clearly not kept pace with these new technologies. And, with about 165,000 mHealth apps alone currently available on the market, lawmakers are getting impatient with the lack of oversight.

Speaking last week at a congressional hearing on health apps, Rep. Michael Burgess, MD (R-Texas), chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, warned that if privacy and security concerns are not soon addressed, Congress will be forced to step in and find a legislative solution to the problem.
