Tuesday, August 2, 2016

ONC seeks a way to balance HIPAA protection

Confusion increasingly surrounds the privacy and security of electronic health data collected, shared and used by entities not covered by HIPAA, and eliminating that uncertainty continues to be a work in progress, says Lucia Savage, chief privacy officer in the Office of the National Coordinator for Health IT.


However, there is no easy solution to the dilemmas posed by a recent report on the gaps in information protection related to HIPAA, which raised problems for legislators to consider but did not detail possible solutions.


Speaking at last week’s joint meeting of the Health IT Policy and Standards committees, Savage observed that consumers, in particular, falsely assume that HIPAA protects their health information when the law, in fact, might not.


“The protection of HIPAA doesn’t apply to all health data everywhere it is gathered, accessed, used or stored,” she told the committees. “Customers do not actually comprehend that the boundaries of HIPAA end with few forms of economic activity.”


Last month, ONC announced that it sent a report to Congress drawing attention to a lack of clear guidance relating to HIPAA-regulated entities and those not regulated by HIPAA. Savage commented that the lack of clear rules in this area also impedes innovation. In particular, ONC’s report concentrates on mobile health technologies and health social media that are outside the scope of HIPAA.


According to Savage, HIPAA is enforced by the Office for Civil Rights and state attorneys general to provide nationwide privacy, security and breach notification for health information accessed, used, disclosed or held by covered entities and their business associates.


However, she explained that non-covered entities (NCEs) are technologies operated by vendors that collect electronic health data about people but aren’t considered “covered entities” or “business associates” under HIPAA.


These technologies include:

  • Mobile health technology, such as entities that provide direct-to-consumer mHealth apps, remote health monitoring tools or wearable health-tracking devices.

  • Personal health records not hosted by covered entities.

  • Health social media, including social networking websites for health purposes, which may be accessed on computers or smartphones and other mobile devices.

Savage noted that NCEs aren’t required by law to adhere to minimum security practices, while HIPAA prescribes minimum security standards. Additionally, she said that NCEs aren’t required by law to offer consumers access to their health information, or to send it (disclose it) as consumers wish, while HIPAA guarantees this right.


“Within HIPAA, people have a right to access the information about themselves in a way that has meaning to them, and to require said information be sent to the place they select—that isn’t true for non-covered entities,” according to Savage.


ONC’s report to Congress described these gaps in policies around access, security and privacy that exist between HIPAA-regulated and non-regulated entities when it comes to electronic health data. To address the issue, ONC suggested filling those gaps in a way that protects consumers “while leveling the playing field for innovators inside and outside of HIPAA.”


Nevertheless, as Health IT Policy Committee co-chair Paul Tang, MD, pointed out to Savage, the agency’s report doesn’t give specific recommendations on how to fill those gaps.


“The report is there to help facilitate discussion,” said Savage. “The content of the report is final and doesn’t consist of suggestions for legislation, task forces by ONC, regulatory revisions by OCR or a specific activity of the Federal Trade Commission.”

