Dear Angel,
There is so much technology available these days where you share health information. Things such as wearable fitness trackers, social media sites, and health apps did not exist when Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in the 90’s. When it comes to HIPAA and privacy of personal health information, is there anything being done to keep pace with these new technological developments?
Thanks!
Kip N. Pace
—–
Dear Kip,
From what I’ve read, the U.S. government is aware of the situation you described and is taking action to keep pace with technology. In fact, the U.S. Office of the National Coordinator for Health Information Technology (ONC) issued a report to Congress this week laying out the gaps that exist in health data protection.
HHS had three goals in its report to Congress:
- analyze the scope of privacy and security protections of an individual’s health information for these new and emerging technology products not regulated by HIPAA;
- identify key gaps that exist between HIPAA-regulated entities and those not regulated; and
- recommend addressing those gaps in a way that protects consumers while leveling the playing field for innovators inside and outside of HIPAA.
While the report doesn’t lay out a plan for solving health data privacy concerns that fall outside of HIPAA, it offers a starting point for creating such a solution. “Wearable fitness trackers, health social media and mobile health apps are premised on the idea of consumer engagement,” HHS said. “However, our laws and regulations have not kept pace with these new technologies. The report identifies the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared and used by [entities not covered by HIPAA].”
The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
HIPAA was passed with the best of intentions: to protect individual patients’ medical records from being disclosed to just anyone who asks to see their contents. The law requires doctors and other healthcare providers to get written authorization from a patient before they can share most health information about him or her with a “third party” — and that includes most caregivers, even those who are close relatives. At the Farr Law Firm, a HIPAA authorization form is part of our incapacity planning.
I will let you know if I hear of any updates when it comes to HIPAA and privacy in health technology.
Purrs,
Angel