ONC Report Highlights PHI Security Gaps in non-HIPAA Entities

With increased data sharing and collection, the ONC cautions that there are potential PHI security gaps between HIPAA covered entities and non-HIPAA covered entities.

By Elizabeth Snell

The increase in certain technologies that collect and potentially share individuals’ health information, such as wearables and fitness trackers, could create issues when it comes to PHI security, according to the Office of the National Coordinator for Health Information Technology (ONC).

PHI security gaps discussed in recent ONC report to Congress

There is potential risk in the gaps that exist between HIPAA covered entities and non-HIPAA entities, the ONC explained in a report recently issued to Congress.

More businesses are using consumer-facing technology to collect, handle, analyze, and even share individuals’ health information, National Coordinator Dr. Karen DeSalvo and Office for Civil Rights (OCR) Director Jocelyn Samuels wrote in a blog post.

“This report is the first step in a conversation about these important issues. In the coming weeks, we look forward to engaging with stakeholders—from consumers to technologists to clinicians to our partners in Congress—on the report’s findings and their ideas for how the gaps identified in the report should be addressed,” the duo explained.

With individuals becoming more involved in managing their own health through new technologies, it is important that federal agencies work together to ensure that their information remains secure.  

The report, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA, was developed in coordination with the OCR and the Federal Trade Commission (FTC).

Health data privacy and security measures have not necessarily kept pace with evolving technology, according to the report, and there are several challenges in safeguarding electronic health information:

  • New types of entities that collect, share, and use health information are not regulated by HIPAA
  • Individuals may have a limited or incorrect understanding of when data about their health is protected by law, and when it is not
  • Health information collected in more places without consistent security standards may pose a cybersecurity threat (of which individuals may be unaware)
  • Individuals generally have greater rights regarding access to data held by HIPAA covered entities than data held by Non-Covered Entities
  • Lack of understanding of what rules apply may hinder economic growth and development of beneficial products that could help generate better health, smarter spending, and healthier people

A “predictable business environment” must be created, the report’s authors explain, as this will help health data collectors, developers, and other entities ensure PHI security.

Policymakers have already taken important steps forward in this area. For example, the FTC enforces against privacy and security violations under the FTC Act. Additionally, the Department of Health and Human Services (HHS) has improved patient PHI access, which can help educate individuals on how their data is potentially used.

“A critical piece of improving health care for patients in today’s system involves the patient being at the center of his or her care,” reads the report. “This includes having access to data about their health, while maintaining the confidentiality and integrity of that data.”

The report also investigated five major areas where HIPAA regulations differ from those that apply to non-HIPAA covered entities.

First, there is a difference in individuals’ access rights. Essentially, the right to access information, to demand an accounting of certain disclosures, and to exercise some control over how the information is used and shared does not exist with respect to non-HIPAA covered entities.

ONC also reviewed the differences in re-use of data by third parties, as once the data is released, HIPAA rule protections may not apply.

Furthermore, the report investigated the differences in security standards applicable to data holders and users. The same administrative, technical, and physical safeguards may not be put into place. For example, encryption may not be implemented, and a security risk assessment may be misunderstood, the report explained.

The differences in understanding of terminology about privacy and security protections were also reviewed, as were the inadequate collection, use, and disclosure limitations.

“Although many [non-HIPAA covered entities] explain their policies on tracking devices such as cookies and web beacons, or inform individuals that the website will not allow advertisers or entities providing services through their websites to collect individual information, some NCEs do not explain what preventing the collection of identifying information means and how that is accomplished,” the report’s authors wrote.

Overall, there is a lack of clear guidance as to how wearable fitness trackers, health social media, and mobile health apps may pose privacy or security threats to health information. Current laws and regulations have not kept pace with the evolving technologies, and improvements must be made “around consumer access to, and privacy and security of, health information collected, shared, and used” by non-HIPAA covered entities.