Consumers falsely believing that their PHI is protected under HIPAA regulations, and an overall lack of clear rules as to how non-HIPAA covered entities handle sensitive information, is a problem for overall economic growth, according to ONC Chief Privacy Officer Lucia Savage.
While HIPAA has specific prohibitions against the use of identifiable data for marketing, this does not apply to non-HIPAA covered entities, the presentation explained.
These organizations are also not required by law to adhere to minimum security practices, or even to give consumers access to their own health information, or to send or disclose it at an individual's request.
ONC identified five key challenge areas when it comes to protecting consumer PHI:
- New types of entities that collect, share, and use health information are not regulated by HIPAA
- Individuals may have a limited or incorrect understanding of when data about their health is protected by law, and when it is not
- Health information collected in more places without consistent security standards may pose a cybersecurity threat (of which individuals may be unaware)
- Individuals generally have greater rights regarding access to data held by HIPAA covered entities than data held by Non-Covered Entities
- Lack of understanding of what rules apply may hinder economic growth and development of beneficial products that could help generate better health, smarter spending, and healthier people
The differences in understanding of terminology about privacy and security protections were also reviewed, as well as the inadequate collection, use, and disclosure limitations.
“Although many [non-HIPAA covered entities] explain their policies on tracking devices such as cookies and web beacons, or inform individuals that the website will not allow advertisers or entities providing services through their websites to collect individual information, some NCEs do not explain what preventing the collection of identifying information means and how that is accomplished,” the report stated.
The investigation covered prominent developments in mHealth technology, including exercise trackers, mobile devices, health-related trackers, health social media sites, and personal health records not hosted by covered entities, Savage explained in the meeting.
Research and ONC discussion have shown that consumers don’t really understand where the boundaries of HIPAA end, Savage added. The protections really are limited to traditional healthcare.
“We worry about that because we want consumers to make knowing, thoughtful decisions with what’s going to happen to their health data and we worry that the confusion is presenting that knowingness and that thoughtfulness,” she said.
HIPAA regulations are also very specific about whether information collected can be used in marketing campaigns, and those same rules do not exist outside of HIPAA, Savage added. However, there are fair practices that the FTC will enforce.
It is also important for consumers to understand that the requirements for minimum levels of protection, such as data being de-identified before it can be sold, also do not exist outside of HIPAA regulations.
Information sharing in the healthcare industry will also be beneficial in the long term, according to ONC. Recent funding opportunities aim to strengthen current healthcare cybersecurity measures and will ask an existing Information Sharing and Analysis Organization (ISAO) or Information Sharing and Analysis Center (ISAC) to provide cybersecurity information and education on the current cyber threats affecting the healthcare industry.
The ISAO or ISAC should also facilitate information sharing widely within the industry for organizations of all sizes.