When technology is developing so rapidly, it is no surprise that HIPAA has had a hard time keeping up with the times. The Health Insurance Portability and Accountability Act, the landmark 1996 patient-privacy law, only covers patient information kept by health providers, insurers, and data clearinghouses, as well as their business partners. The popularity of wearable technologies, mobile health apps, and online patient communities has created a gap in regulation, according to a government report released by the Department of Health and Human Services.
The report says that the use of social fitness trackers and the sharing of personal health information on unregulated networks has become its own source of patient-privacy problems, because HIPAA does not extend to health technology firms. The report explains that these entities collect, share and use health information in different ways but are not regulated by HIPAA. This leaves the information easily accessible to anyone with a computer, smartphone or other web-enabled mobile device.
These non-covered entities can do essentially anything they want with the data provided to them, including selling it, as long as those terms are included in the terms and agreements, which users rarely read. A report from Privacy Rights Clearinghouse found that 40% of 43 fitness apps collected data that could be considered high risk, including addresses, financial information, full name, health information, location and date of birth. Of these 43 apps, 55% shared data with third-party analytics services that could link data from these fitness and health apps to other apps, potentially tying health data to other identifying information about the user.
The distribution of this information has led the FTC to step in against the most deceptive practices involving healthcare information. None of the HHS reports has laid out a plan to properly resolve the data security concerns, but they have attempted to provide a starting point by drawing the boundaries of these issues and determining what must be corrected in order to protect the privacy of those using these mobile health apps. The reports do acknowledge that the private sector has made some attempts at creating its own codes of conduct, such as the Consumer Electronics Association (CEA) 'Guiding Principles on the Privacy and Security of Personal Wellness Data' released in October 2015, but as of July 2016 no companies had been identified as having adopted these guidelines.