The ONC recently released a report describing privacy and security gaps at non-HIPAA covered entities that collect health data. These entities collect large amounts of personal data from devices like fitness trackers but are not regulated by HIPAA privacy rules. This poses risks to individual privacy as data could be misused. The report also finds a lack of encryption and other security measures protecting this health information. It recommends increasing education about appropriate privacy policies and restrictions on how personal data can be used and shared.
ONC Report Finds Privacy Risks From Non-HIPAA Data Collection
ONC Report Describes Privacy and Security Gaps at Non-HIPAA Covered Entities [Study]
Almost every individual on the Internet of Things (IoT) grid already has a copious amount of personal data, stemming from things like the monitoring of exercise, glucose levels, personal location and other movements, that is added to the cloud on a daily basis. According to a 2013 FTC report, even small amounts of this information could be indiscriminately used to gain pricing advantages and to unfairly target certain demographic groups in advertising and marketing campaigns. So it is more important than ever to be aware of the number of ways that medical data can be put to inappropriate and unethical uses in the marketplace.
The oversight gap between HIPAA-covered entities that collect health data and those that are not regulated by HIPAA poses risks to individuals who share their information electronically. And these risks often outweigh the benefits of the virtual world and the Internet of Things.
The recent FTC report on IoT and privacy issues shed light on the various other ways that information can be compromised in the electronic age when vigilance and due diligence are lacking. The use of multiple “smart devices” often makes life easier and saves the modern citizen a lot of valuable time and energy. But while it is true that these “tools of convenience” bring many positives, devices such as wearable fitness and medical bands, watches and monitors, home surveillance and security systems, appliance smart meters, and GPS and transponder boxes are also data transmitters, and the data they transmit can raise the same privacy concerns that HIPAA was written to address.
Since there are no regulatory policies in place for these smart devices, the University of Miami’s article from the Office of HIPAA Privacy and Security underscores some of these concerns and raises questions as to how consumers can combat the risks that come with the collection of enormous amounts of data stored through file and data sharing on sites such as Instagram, Google Drive, Microsoft OneDrive and Dropbox, through search engine queries, and through the ubiquitous social media outlets. There is also the issue of how individual benefits can still feed a much larger societal problem: the growing risk/benefit tension that comes with trying to improve health care through data collection. Yes, consumers can take steps to maximize the privacy settings on their personal devices, but that still does not address what regulatory policies, if any, should be put in place to increase security measures for the user.
HIPAA’s Electronic Data Interchange (EDI) Rule “strictly govern(s) the way data is electronically transferred from one computer to another,” and offers some hope for heightened data security, but it is highly technical and requires sophisticated understanding, possibly even demanding the use of a consultant in some cases to achieve compliance with HIPAA standards. Although the aim of EDI is to lighten the data-reporting load in the healthcare industry, several factors may still determine whether or not you need to seek the advice of a consultant in order to meet compliance standards: concerns regarding the use of intermediaries for electronic claims versus a direct-pay method by the provider, and the overall acumen and sophistication of in-house IT departments. The EDI rule stresses that, as long as a provider is in compliance, the methodology for electronic transmission procedures is discretionary. But it remains a vitally important consideration for the privacy policies of the healthcare industry.
A little over a month ago, the HIPAA Journal reported on another recent report issued by the ONC. The ONC concluded that the explosion of IoT has led to the collection of data by non-HIPAA entities not subject to the regulatory policies of HIPAA, thus compromising the health information of many individuals and placing them at risk of data theft and unwanted disclosures. The report also points to a need for better education policies to increase public awareness of what information is and is not protected under regulatory guidelines.
Moreover, data held by a non-HIPAA entity may not even be available to the individual upon request, something that is an unquestionable right under HIPAA policies. Further, terms of use, data terminology, rights of use, and information about limitations on collection, dissemination and third-party access are often vague, if not non-existent.
Though the report stresses the progress made in these areas through efforts to inform the private sector about abuse, deception and general malfeasance, the ONC still emphasizes the areas where individuals may not be protected, even under HIPAA, if they are lax in self-disclosure through such entities as social media platforms, or if they use self-pay boutique clinics for medical services that are not subject to HIPAA.
But this leads to the larger point: the lack of public education policies that would lead to a greater understanding of what does or does not apply to individuals who make use of the tremendous benefits of IoT. Marketers and advertisers will almost certainly balk at this. They will argue that it hinders their ability to develop and contribute ever more beneficial products for public health and for the accompanying economic concern over rising healthcare costs. But even those who cater to the industry may not fully understand the long-term healthcare and privacy implications that flow from compliance, or non-compliance, with HIPAA regulations.
The downside is that creativity and innovation may be thwarted for fear that industry regulatory policies are too cumbersome and tedious to conform to. It is clear that some kind of federal intervention needs to take place as technology continues to evolve.
Because the study found that lack of encryption and the lack of other general security safeguards are currently the greatest contributors to health information breaches, the ONC’s recommendation is to strive to increase awareness and understanding of appropriate policies (and the terms within them), as well as greater restrictions on privacy-policy changes so that they occur only with the consumer’s permission, not through mere Internet data-tracking methods without informed consent.
Resource Links:
http://www.asha.org/practice/reimbursement/hipaa/hipaa_edi_faq/
http://www.hipaajournal.com/large-privacy-security-gaps-non-hipaa-covered-entities-onc-report-3512/
http://privacyoffice.med.miami.edu/awareness/tips/the-internet-of-things-and-privacy
https://www.healthit.gov/sites/default/files/reports/info_blocking_040915.pdf
https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf
Meta: Health data is being collected by entities not covered by HIPAA regulations and may be at risk, according to a recent report released by the ONC.
Keywords: health data, healthcare data privacy, healthcare data security, healthcare information technology, ONC, HIPAA, non-HIPAA covered entities