
Why HIPAA controls don't do enough for privacy and security

HIPAA controls have failed to keep up with the health industry, but that may not be a bad thing. Expert Mike Chapple discusses the shortcomings in HIPAA privacy and security.

The authors of HIPAA wrote a law designed to protect the security and privacy of health information in many different locations. They identified healthcare providers, insurance companies and health information clearinghouses as the most likely places where protected information would reside and imposed requirements that covered entities must protect that information.

Today, Fitbits and other fitness trackers, like the Apple Watch and HealthKit, and online communities give individuals far more opportunity to engage in managing their own health, generating additional personal health information along the way. The authors of HIPAA never imagined this new world of consumer health technology and, as such, HIPAA generally does not apply in these cases.

The holes in HIPAA controls stem from the definition of HIPAA-covered entities. These entities fall into three categories: healthcare providers, health insurers and health information clearinghouses. HIPAA also covers the business associates of covered entities that exchange information with covered entities. Consumer health companies normally do not fit into these categories. For example, the maker of a fitness tracking device doesn't provide medical care to a patient or receive information from a medical professional, so there is no HIPAA-covered relationship.

What currently falls through the cracks?

Consumers and patients may incorrectly assume that HIPAA provides privacy and security for their health information, no matter how such information is gathered, distributed or used. As a result, they may agree to information practices of noncovered entities collecting their health information, incorrectly believing that they are protected by HIPAA. A 2014 study published in the Journal of the American Informatics Association suggested that less than one third of mobile health applications had privacy policies and that, on average, these policies were written at the reading level of a college senior.

Without the requirement to observe the HIPAA Security Rule, consumers have little insight into the quality of the security controls used by consumer health companies. These companies may gather substantial health information about individuals, in a generally unregulated fashion.

Should HIPAA controls apply to consumer health companies?

HIPAA is likely to be too onerous for many health-related applications. If HIPAA controls were imposed on fitness companies and similar businesses, the burden of compliance would prevent them from operating effectively and would limit the services that they make available to the public. These companies currently don't have the expertise required to comply with the many technical nuances of HIPAA and would be forced to hire compliance staffers and implement expensive controls that are probably overkill for many of their businesses.

This means that simply adding consumer health companies to the scope of HIPAA is not a viable solution. Indeed, the blanket application of HIPAA controls to consumer health companies would likely cause many of them to eliminate or reduce the services they provide or raise their costs to cover the new requirements. If Congress wishes to regulate consumer health technology, it must consider dedicated legislation that specifically addresses the nuances of this space.

Other ways to protect personal health information

Fortunately, there are other potential paths to protecting personal health information that does not currently fall under the auspices of HIPAA. Two tools currently available to regulators are:

  • The FTC Act: The Federal Trade Commission applies statutes and rules that oblige businesses to protect consumer data, and to refrain from unfair or deceptive acts or practices. The FTC Act is the main federal statute regulating privacy and security practices for consumer health companies that do not fall under HIPAA and could be an area of increased focus for regulators.
  • The FTC Health Breach Notification Rule: This rule requires that certain types of organizations dealing with personal health records notify individuals, the FTC, and possibly even the media if a health information breach occurs.

Currently, the United States does not have an overarching consumer privacy framework similar to the one found in the European Union. While it's unlikely that the U.S. will see this type of legislation in the near future, a general privacy framework would likely be the best solution to the issues the U.S. experiences with gaps in its current patchwork of laws.

This was last published in September 2016