By Charles Ornstein, ProPublica
The federal patient privacy law known as HIPAA has not kept pace with wearable fitness trackers, mobile health apps and online patient communities, leaving a gaping hole in regulations that needs to be filled, according to a much-delayed government report (pdf) released today.
The report, which was supposed to be complete in 2010, does not include specific recommendations for fixing the problem, even though Congress asked the U.S. Department of Health and Human Services to provide them.
HHS’ findings largely mirror those in a ProPublica story from last November. The Health Insurance Portability and Accountability Act, the landmark 1996 patient-privacy law, only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners. Falling outside the law’s purview: wearables like Fitbit that measure steps and sleep, at-home paternity tests, social media sites, and online repositories where individuals can store their health records.
“Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” said the report written by HHS’ Office of the National Coordinator for Health Information Technology, in conjunction with other agencies. “Moreover, even entrepreneurs, particularly those outside the health care industry … may not have a clear understanding of where HIPAA oversight begins and ends.”
The report was mandated under a 2009 law that called on HHS to work with the Federal Trade Commission — which targets unfair business practices and identity theft — and to submit recommendations to Congress within a year on how to deal with entities handling health information that fall outside of HIPAA. Asked why the report did not include any recommendations, an official said readers could draw their own conclusions from the …