ONC Joint HIT Committee Discusses HIPAA Regulation Report

ONC Chief Privacy Officer Lucia Savage discussed the recent HIPAA regulation report and why this was an important investigation to conduct.

By Elizabeth Snell

Consumers falsely believing that their PHI is protected under HIPAA regulations, and an overall lack of clear rules as to how non-HIPAA covered entities handle sensitive information, are problems for overall economic growth, according to ONC Chief Privacy Officer Lucia Savage.

Consumers should understand the extent of HIPAA regulations

In a recent joint meeting of the Health IT Policy and Standards Committees on July 27, Savage and Devi Mehta, JD, MPH, ONC Privacy Policy Analyst, presented on the recent ONC report sent to Congress that discussed potential gaps in health data privacy and security for organizations not subject to HIPAA rules.

While HIPAA has specific prohibitions against the use of identifiable data for marketing, this does not apply to non-HIPAA covered entities, the presentation explained.

These organizations are also not required by law to adhere to minimum security practices, or even to give consumers access to their own health information, or to send or disclose it in response to individual requests.

ONC identified five key challenge areas when it comes to protecting consumer PHI:

  • New types of entities that collect, share, and use health information are not regulated by HIPAA
  • Individuals may have a limited or incorrect understanding of when data about their health is protected by law, and when it is not
  • Health information collected in more places without consistent security standards may pose a cybersecurity threat (of which individuals may be unaware)
  • Individuals generally have greater rights regarding access to data held by HIPAA covered entities than data held by Non-Covered Entities
  • Lack of understanding of what rules apply may hinder economic growth and development of beneficial products that could help generate better health, smarter spending, and healthier people

The presentation also reviewed the differences in understanding of terminology about privacy and security protections, as well as the inadequate collection, use, and disclosure limitations that apply outside of HIPAA.

“Although many [non-HIPAA covered entities] explain their policies on tracking devices such as cookies and web beacons, or inform individuals that the website will not allow advertisers or entities providing services through their websites to collect individual information, some NCEs do not explain what preventing the collection of identifying information means and how that is accomplished,” the report stated.

The investigation covered developments in mHealth technology, including exercise trackers, mobile devices, health-related trackers, health social media sites, and personal health records not hosted by covered entities, Savage explained in the meeting.

Research and ONC discussion have shown that consumers don’t really understand where the boundaries of HIPAA end, Savage added. The protections really are limited to traditional healthcare.

“We worry about that because we want consumers to make knowing, thoughtful decisions with what’s going to happen to their health data and we worry that the confusion is presenting that knowingness and that thoughtfulness,” she said.

HIPAA regulations are also very specific about whether information collected can be used in marketing campaigns, and those same rules do not exist outside of HIPAA, Savage added. However, there are fair information practices that the FTC will enforce.

It is also important for consumers to understand that the requirements for minimum levels of protection, such as the requirement that data be de-identified before it can be sold, also do not exist outside of HIPAA regulations.

Information sharing in the healthcare industry will also be beneficial in the long term, according to ONC. Recent funding opportunities aim to strengthen current healthcare cybersecurity measures and will ask an existing Information Sharing and Analysis Organization (ISAO) or Information Sharing and Analysis Center (ISAC) to provide cybersecurity information and education on the current cyber threats affecting the healthcare industry.

The ISAO or ISAC should also facilitate information sharing widely within the industry for organizations of all sizes.
