© 2023 HealthWorks Collective. All Rights Reserved.
eHealth, Policy & Law

“What we need is more regulation . . . .”

David Harlow
Last updated: 2017/09/26 at 2:21 PM

We are awash in digital health data. And we are awash in multiple regulatory schemas designed to protect privacy, security and appropriate access to all this data. Some data is “traditional” health care data governed by the familiar patchwork of federal and state statutes and regulations (rhymes with “HIPAA”). Some is the product of new consumer health tracker devices and apps which are not reached by HIPAA (except for some provided to individuals by health care providers or insurers). Privacy, security, and access are guaranteed with respect to much of the health data not governed by HIPAA thanks to the oversight of the FTC (and cognate state agencies), with a twist: while most specific federal and state health data privacy and security rules are spelled out in detail, the FTC takes a different approach, simply enforcing through individual actions its general consumer protection authority, which bars unfair or deceptive business practices. (There is also the FTC breach notification rule, which parallels the HIPAA breach notification rule, but is applicable to non-covered-entity PHRs.) There is an alphabet soup of other agencies, statutes, frameworks, etc. that have overlapping jurisdiction over these issues as well.

ONC recently issued a report to Congress (and shared on its blog) in collaboration with OCR and the FTC, entitled Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA, which considers HIPAA, the FTC Act and something called FIPPS, Fair Information Practice Principles – but does not examine the interplay with state law or with other related federal regulatory structures such as FCRA, COPPA, GLBA, FERPA. FIPPS, by the way, is an overarching statement of principles regarding health data privacy, security and access, dating back to HEW (!) in 1973, including things not necessarily provided for by law, and most recently pulled together in the 2008 ONC Privacy & Security Framework. These principles are:

  1. Individual access
  2. Correction
  3. Openness and transparency
  4. Individual choice
  5. Collection, use and disclosure limitation
  6. Data quality and integrity
  7. Safeguards
  8. Accountability

The report is a useful summary of the current state of HIPAA, the FTC Act, the FTC breach notification rule, and FIPPS. It identifies the gaps in coverage that — in an ideal world — Congress would patch, or even undertake a broader rip-and-replace, enacting a comprehensive health data privacy, security and access schema integrating a single approach to PHI governed by HIPAA, data practices covered by the FTC Act, and everything in between and beyond. Don’t hold your breath. Aside from the current congressional logjam, gridlock, or whatever your preferred metaphor may be, consider the fact that we are now embarking upon the general election season, which tends to add an additional layer of grandstanding and substantive paralysis to the usual fever dreams of the Potomac. Consider, too, that in the 43 years folks have been thinking about FIPPS (HEW! That really got to me), we have largely confined ourselves to thinking about FIPPS.

The ONC Privacy & Security Framework is reiterated in the ONC’s Interoperability Roadmap – a recently-issued ten-year roadmap to a goal that many believe should have been realized as a part of implementing the Meaningful Use program (enacted as part of the HITECH Act, which also updated HIPAA and added the FTC breach notification rule requirements). Yes, there is greater awareness of the burgeoning volume of health data (HIPAA-regulated PHI and other), there is a growing belief that improving health status and reducing health care costs may well be accelerated through implementation of value-based care systems that rely in part on patient-generated data and a network of digital activity trackers, and there is growing concern that the complexity of health data privacy regulations leaves many of us unprotected in a variety of contexts. I think I am more realist than pessimist when I conclude that, however well-founded these concerns and proposals may be, comprehensive, sensible, Congressional action in this realm is not imminent.

Things are both better and worse than the authors of the report would have us believe. For example, the report seems to elevate the helpfulness of OCR’s enforcement efforts in dealing with over 20,000 cases, noting that significant improvements in the regulated community’s attention to privacy, security, and access have resulted from these undertakings, while minimizing the compliance record of “non-covered entities” or NCEs in the report’s parlance, highlighting a couple of horribles in the PHR department. Well, not to put too fine a point on it, but some of the most respected academic medical centers have had multimillion-dollar fines assessed for their HIPAA privacy and security breaches, and OCR seems to be in the business of perennially issuing clarifications and exhortations regarding the patient access rules. This bespeaks a broad-based attitude towards compliance that is not necessarily better than that of NCEs as a whole. There are good guys and bad guys in both camps. And even the good guys are sometimes undermined by the complexity of the rules, the complexity of the tech, human frailties, and the devilish cleverness of the bad guys. In addition, many NCEs, including many that I advise, have taken it upon themselves to behave as if subject to HIPAA even though they are not. Why?

To instill confidence in their operations among at least three distinct audiences: (a) consumers, who are more and more interested in and concerned about the health data privacy policies and practices of their app providers and activity tracker vendors (though, to be sure, they could be more concerned); (b) business partners that may include covered entities and/or business associates under HIPAA that are sensitive to these issues even if not all of their business partners are themselves subject to HIPAA (even by virtue of their relationships with CEs or BAs); and (c) regulators such as the FTC, who would likely be just as impressed as OCR by a good story told by a company unfortunate enough to experience an audit, a breach or a complaint investigation – that good story being composed of fully implemented and documented HIPAA-compliant policies and procedures, risk assessments, etc.

Don’t forget: there is a lot more protection in place than that afforded by the two sets of rules considered in the report. Are there gaps? Yes: for example, as noted in the report, the FTC Act may not regulate nonprofits or insurance companies under all circumstances, and there is no explicit provision there guaranteeing access. (However, on that latter point, since the FTC Act is interpreted through case law rather than regulation, I would be surprised if an individual right of access to records is long in coming to the world of the FTC.) Are there ways in which things are getting better in the absence of new legislation? Sure. For example, consider the recent collaboration between Fitbit and the Center for Democracy and Technology that involved an examination of the Fitbit internal policies on research. This process infused an already good process with expert advice on data privacy, and it may well expand beyond the initial scope of the project.
Given Fitbit’s status as a market leader, its efforts in this area are likely to spur similar activity among other activity tracker manufacturers if they wish to retain the confidence of their key constituencies. We will certainly revisit this issue again (and again).

David Harlow July 28, 2016
DAVID HARLOW is Principal of The Harlow Group LLC, a health care law and consulting firm based in the Hub of the Universe, Boston, MA. His thirty years’ experience in the public and private sectors affords him a unique perspective on legal, policy and business issues facing the health care community. David is adept at assisting clients in developing new paradigms for their business organizations, relationships and processes so as to maximize the realization of organizational goals in a highly regulated environment, in realms ranging from health data privacy and security to digital health strategy to physician-hospital relationships to the avoidance of fraud and abuse. He's been called "an expert on HIPAA and other health-related law issues [who] knows more than virtually anyone on those topics.” (Forbes.com.) His award-winning blog, HealthBlawg, is highly regarded in both the legal and health policy blogging worlds. David is a charter member of the external Advisory Board of the Mayo Clinic Social Media Network and has served as the Public Policy Chair of the Society for Participatory Medicine, on the Health Law Section Council of the Massachusetts Bar Association and on the Advisory Board of FierceHealthIT. He speaks regularly before health care and legal industry groups on business, policy and legal matters. You should follow him on Twitter.