“What we need is more regulation . . . .”

We are awash in digital health data. And we are awash in multiple regulatory schemas designed to protect privacy, security and appropriate access to all this data. Some of it is “traditional” health care data governed by the familiar patchwork of federal and state statutes and regulations (rhymes with “HIPAA”). Some of it is the product of new consumer health tracker devices and apps that are not reached by HIPAA (except for some provided to individuals by health care providers or insurers). Privacy, security, and access are guaranteed with respect to much of the health data not governed by HIPAA thanks to the oversight of the FTC (and cognate state agencies), with a twist: while most specific federal and state health data privacy and security rules are spelled out in detail, the FTC takes a different approach, simply enforcing through individual actions its general consumer protection authority, which bars unfair or deceptive business practices. (There is also the FTC breach notification rule, which parallels the HIPAA breach notification rule, but is applicable to non-covered-entity PHRs.) There is an alphabet soup of other agencies, statutes, frameworks, etc. that have overlapping jurisdiction over these issues as well. ONC recently issued a report to Congress (and shared on its blog) in collaboration with OCR and the FTC, entitled Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA, which considers HIPAA, the FTC Act and something called FIPPS, the Fair Information Practice Principles – but does not examine the interplay with state law or with other related federal regulatory structures such as FCRA, COPPA, GLBA and FERPA. FIPPS, by the way, is an overarching statement of principles regarding health data privacy, security and access, dating back to HEW (!) in 1973, including things not necessarily provided for by law, and most recently pulled together in the 2008 ONC Privacy & Security Framework. These principles are:

  1. Individual access
  2. Correction
  3. Openness and transparency
  4. Individual choice
  5. Collection, use and disclosure limitation
  6. Data quality and integrity
  7. Safeguards
  8. Accountability

The report is a useful summary of the current state of HIPAA, the FTC Act, the FTC breach notification rule, and FIPPS. It identifies the gaps in coverage that — in an ideal world — Congress would patch, or even undertake a broader rip-and-replace, enacting a comprehensive health data privacy, security and access schema integrating a single approach to PHI governed by HIPAA, data practices covered by the FTC Act, and everything in between and beyond. Don’t hold your breath. Aside from the current congressional logjam, gridlock, or whatever your preferred metaphor may be, consider the fact that we are now embarking upon the general election season, which tends to add an additional layer of grandstanding and substantive paralysis to the usual fever dreams of the Potomac. Consider, too, that in the 43 years folks have been thinking about FIPPS (HEW! That really got to me), we have largely confined ourselves to thinking about FIPPS. The ONC Privacy & Security Framework is reiterated in the ONC’s Interoperability Roadmap – a recently-issued ten-year roadmap to a goal that many believe should have been realized as a part of implementing the Meaningful Use program (enacted as part of the HITECH Act, which also updated HIPAA and added the FTC breach notification rule requirements). Yes, there is greater awareness of the burgeoning volume of health data (HIPAA-regulated PHI and other), there is a growing belief that improving health status and reducing health care costs may well be accelerated through implementation of value-based care systems that rely in part on patient-generated data and a network of digital activity trackers, and there is growing concern that the complexity of health data privacy regulations leaves many of us unprotected in a variety of contexts. I think I am more realist than pessimist when I conclude that, however well-founded these concerns and proposals may be, comprehensive, sensible, Congressional action in this realm is not imminent.

Things are both better and worse than the authors of the report would have us believe. For example, the report seems to elevate the helpfulness of OCR’s enforcement efforts in dealing with over 20,000 cases, noting that significant improvements in the regulated community’s attention to privacy, security, and access have resulted from these undertakings, while minimizing the compliance record of “non-covered entities” or NCEs in the report’s parlance, highlighting a couple of horribles in the PHR department. Well, not to put too fine a point on it, but some of the most respected academic medical centers have had multimillion-dollar fines assessed for their HIPAA privacy and security breaches, and OCR seems to be in the business of perennially issuing clarifications and exhortations regarding the patient access rules. This bespeaks a broad-based attitude towards compliance that is not necessarily better than that of NCEs as a whole. There are good guys and bad guys in both camps. And even the good guys are sometimes undermined by the complexity of the rules, the complexity of the tech, human frailties, and the devilish cleverness of the bad guys. In addition, many NCEs, including many that I advise, have taken it upon themselves to behave as if subject to HIPAA even though they are not. Why?

To instill confidence in their operations among at least three distinct audiences: (a) consumers, who are more and more interested in and concerned about the health data privacy policies and practices of their app providers and activity tracker vendors (though, to be sure, they could be more concerned); (b) business partners that may include covered entities and/or business associates under HIPAA that are sensitive to these issues even if not all of their business partners are themselves subject to HIPAA (even by virtue of their relationships with CEs or BAs); and (c) regulators such as the FTC who would likely be just as impressed as OCR by a good story told by a company unfortunate enough to experience an audit, a breach or a complaint investigation – that good story being composed of fully implemented and documented HIPAA-compliant policies and procedures, risk assessments, etc. Don’t forget: There is a lot more protection in place than that afforded by the two sets of rules considered in the report. Are there gaps? Yes: For example, as noted in the report, the FTC Act may not regulate nonprofits or insurance companies under all circumstances, and there is no explicit provision there guaranteeing access. (However, on that latter point, since the FTC Act is interpreted through case law rather than regulation, I would be surprised if an individual right of access to records is long in coming to the world of the FTC.) Are there ways in which things are getting better in the absence of new legislation? Sure. For example, consider the recent collaboration between Fitbit and the Center for Democracy and Technology that involved an examination of the Fitbit internal policies on research. This process infused an already good process with expert advice on data privacy, and it may well expand beyond the initial scope of the project.

Given Fitbit’s status as a market leader, its efforts in this area are likely to spur similar activity among other activity tracker manufacturers if they wish to retain the confidence of their key constituencies. We will certainly revisit this issue again (and again).

About author
DAVID HARLOW is Principal of The Harlow Group LLC, a health care law and consulting firm based in the Hub of the Universe, Boston, MA. His thirty years’ experience in the public and private sectors affords him a unique perspective on legal, policy and business issues facing the health care community. David is adept at assisting clients in developing new paradigms for their business organizations, relationships and processes so as to maximize the realization of organizational goals in a highly regulated environment, in realms ranging from health data privacy and security to digital health strategy to physician-hospital relationships to the avoidance of fraud and abuse. He’s been called “an expert on HIPAA and other health-related law issues [who] knows more than virtually anyone on those topics.” His award-winning blog, HealthBlawg, is highly regarded in both the legal and health policy blogging worlds. David is a charter member of the external Advisory Board of the Mayo Clinic Social Media Network and has served as the Public Policy Chair of the Society for Participatory Medicine, on the Health Law Section Council of the Massachusetts Bar Association and on the Advisory Board of FierceHealthIT. He speaks regularly before health care and legal industry groups on business, policy and legal matters. You should follow him on Twitter.