Feds acknowledge 'large gaps' in HIPAA regulation of health apps, wearable tech

A report says the rise of health-focused mobile applications has left gaps in regulations meant to protect consumers' data
The rise of health-focused mobile applications, websites and wearable technologies has left gaps in regulations meant to protect consumers' data, according to a long-awaited federal report.

The report, released Tuesday by the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology, identifies gaps that exist between data covered by HIPAA and the information collected by non-traditional healthcare organizations that aren't included in HIPAA's coverage. The report was originally supposed to be completed in 2010.

“Individuals who share their health information with [non-covered entities] might not fully understand where the protections afforded by HIPAA begin and end,” the report reads. “In short, consumers may not be equipped to evaluate the privacy and security implications that attach to the [non-covered entities] with which they interact every day.”

The report clarifies that healthcare apps offered by HIPAA-covered entities or business associates fall within the scope of protections, but many popular apps and items — like wearable fitness trackers — do not.

That lack of protection leaves consumers with little control over how their data can be used, shared and accessed. Organizations offering these technologies are not bound by law to provide consumers access to data about themselves, the report notes.

There are currently no federal requirements for health technology makers to inform consumers about the privacy or security of their information; a recent study found just one-third of commonly used health apps had privacy policies, ProPublica reported. Some states have adopted legislation on the topic, but many haven't, leaving a “patchwork approach” to consumer safety, the HHS report said.

“Large gaps in policies around access, security, and privacy continue, and confusion persists among both consumers and innovators,” the report reads.

The HHS report offers no specific suggestions on how to address the protection gaps, noting that policymakers and the healthcare technology industry have made some collaborative efforts to “identify best practices while keep pace with the rapid development of technology.”