- Federal oversight of consumer health information isn’t keeping up with the fast-moving mHealth ecosystem, according to a new report. And it’s up to the healthcare industry to close those privacy and security gaps.
That’s the gist of a 32-page report prepared for Congress by the Office of the National Coordinator for Health Information Technology (ONC). It notes that safeguards now in place – contained in the 20-year-old Health Insurance Portability and Accountability Act – work fine for “traditional” healthcare, but are toothless in an era of mobile devices, instant online access and social media.
But that’s how today’s consumer wants his or her healthcare, and so it’s up to healthcare providers to make that information available in a safe and secure format – or at least educate consumers on how it can and should be done.
“I personally think that would be a very good next step,” says Jodi Daniel, former director of the ONC’s Office of Policy.
Daniel spent more than a decade as the head of health IT policy, directed the ONC’s consumer e-Health program and helped launch the discussion that led to this report, which was originally scheduled to be delivered in 2010. Now an attorney with Crowell & Moring LLP, she sees the ONC report as a call to providers, mHealth vendors, patient safety advocates and federal executives to sit down and map out a new privacy and security framework, complete with standards and enforcement.
In a blog on the ONC website, ONC chief Karen DeSalvo, MD, and Jocelyn Samuels, director of the Health and Human Services Department’s Office of Civil Rights (OCR), which joined with the Federal Trade Commission to help the ONC prepare the report, say the mHealth landscape has long since bypassed the government’s ability to regulate it. Information is being transmitted, used and shared in ways never even comprehended when HIPAA was drafted.
“Many of us now use wearables and other types of health information technology to help us manage our health and the health of our loved ones,” they wrote. “These fitness trackers, their related social media sites where individuals share health information, and other technologies are changing the way we interact and control our own health. However, they did not exist when Congress originally enacted (HIPAA) in 1996.”
“HIPAA serves traditional healthcare well and supports national priorities for the safe and secure flow of health information, but its scope is limited,” they added. “It applies only to organizations known as “covered entities” - health plans, healthcare clearinghouses and healthcare providers conducting certain electronic transactions - and their business associates. Yet these days, scores of new businesses use consumer-facing technology to collect, handle, analyze, and share health information about individuals - sometimes without those individuals’ knowledge.”
Speaking with mHealthIntelligence.com, Daniel said one statement in the report stood out to her: “Lack of understanding of what rules apply may hinder economic growth and development of beneficial products that could help generate better health, smarter spending, and healthier people.” This, she says, indicates that the healthcare industry’s reticence in adopting mHealth and adapting to consumer mHealth trends is holding the country back.
“Basically, you have this big wall in the middle,” she says, with healthcare on one side and the mHealth industry on the other.
Many of today’s mHealth companies and social media sites aren’t covered under HIPAA, the report notes, yet the increasingly mHealth-savvy public has no way of knowing what is and what isn’t covered. As a result, consumers are sharing protected information where they shouldn’t, and a vast majority of apps and sites aren’t taking steps to protect that data. Studies have found that less than half of social media sites protect sensitive user information, while only 30 percent of the top 600 mHealth apps have any safeguards in place.
HIPAA’s limitations aren’t new to healthcare – the issue has come up in telehealth and mHealth conferences for the past several years. And other industries are taking notice as well: The Consumer Electronics Association (CEA) has been working on privacy principles for the health and wellness technology sector, and across the Atlantic, the European Commission recently drafted its own 23-page code of conduct for mHealth app developers.
Daniel feels that the mHealth industry wants to steer a wide path around HIPAA, for fear of getting caught up in confusing regulations, while federal agencies have been hampered by politics in setting standards – as evidenced by the six-year delay in this report.
It’s up to healthcare providers, she says, to step forward and get this conversation going. That includes laying down standards for mHealth use and data protection, ensuring transparency throughout the industry, and making sure there’s accountability and enforcement.
“They should be starting this dialogue,” she says. “That would be most effective.”