ONC Report Describes Privacy and Security Gaps at Non-HIPAA Covered Entities [Study]
Almost every individual on the Internet of Things (IOT) grid already has a copious amount of
personal data that stems from things like the monitoring of exercise, glucose levels, personal
location and other movements, all of which is constantly added to the cloud. Even
small amounts of this information, according to a 2013 FTC report, could be indiscriminately
used to gain pricing advantages and to unfairly target certain demographic groups in
advertising and marketing campaigns. So it is more important than ever to be aware of the
number of ways that medical data can be used for inappropriate and unethical ends in the
marketplace.
The oversight gaps between HIPAA-covered entities that collect health data and those that
are not regulated by HIPAA pose risks to individuals who share their information electronically.
And these risks often outweigh the benefits of the virtual world and the Internet of Things.
The recent FTC report on IOT and privacy issues sheds light on the various other ways that
information can be compromised in the electronic age when vigilance and
due diligence are lacking. The use of multiple “smart devices” often makes life easier and saves the modern
citizen a lot of valuable time and energy. But while it is true that these “tools of convenience”
bring with them many positives, devices such as wearable fitness and medical bands,
watches and monitors, home surveillance and security systems, appliance smart meters, and
GPS and transponder boxes are also data transmitters that can jeopardize privacy in
HIPAA-related matters.
Since there are no regulatory policies in place for these smart devices, the University of Miami’s
article from the Office of HIPAA Privacy and Security underscores some of these concerns
and raises questions as to how consumers can combat the risks that come with the collection of
enormous amounts of data stored through file and data sharing on sites such as Instagram, Google
Drive and Microsoft OneDrive, Dropbox, search engine queries, and the ubiquitous social
media outlets. There is also the issue of how individual benefits can still feed a much
larger societal problem: the increased risk/benefit concerns that come with trying to improve
health care through data collection. Yes, consumers can take steps to maximize privacy
settings on their personal devices, but that still does not address what regulatory policies, if any,
should be put into place to increase security measures for the user.
HIPAA’s Electronic Data Interchange Rule (EDI) “strictly govern(s) the way data is
electronically transferred from one computer to another,” and offers some hope for heightened
data security, but it is highly technical and requires sophisticated understanding, possibly even
demanding the use of a consultant in some cases to achieve compliance with HIPAA standards.
Although the aim of EDI is to lighten the data reporting load in the healthcare industry, there are
still several factors that may determine whether or not you need to seek the advice of a
consultant in order to meet compliance standards: concerns regarding the use of intermediaries
for electronic claims versus a direct-pay method by the provider, and the overall acumen and
sophistication of in-house IT departments. EDI stresses that as long as a provider is in
compliance, the methodology for electronic transmission procedures is discretionary.
But it still remains a vitally important consideration for issues facing the healthcare
industry’s privacy policies.
A little over a month ago, the HIPAA Journal reported on another recent report issued by the
ONC. The ONC concluded that the explosion of IOT has led to the collection of data by
non-HIPAA entities not subject to the regulatory policies of HIPAA, thus compromising the health
information of many individuals and placing them at risk of data theft and unwanted
disclosures. The report also points to a need for better education policies to increase public
awareness of what information is and is not protected under regulatory guidelines.
Moreover, data held by a non-HIPAA entity may not even be available to the individual upon
request, something that is an unquestionable right under HIPAA policies. Further, terms of
use, data terminologies, rights of use, and information about limitations on collection and
dissemination and on third-party access are often vague, if not non-existent.
Though the report stresses the progress made in these areas through efforts to inform the private
sector about abuse, deception, and general malfeasance, the ONC still emphasizes the areas
where individuals may not be protected, even under HIPAA, if they are lax in self-disclosure
through such entities as social media platforms, or if they use self-pay boutique clinics
for medical services that are not subject to HIPAA.
But this leads to the larger point: the lack of public education policies that would ostensibly lead
to a greater understanding of what does or does not apply to individuals who enjoy the
tremendous benefits of IOT. Marketers and advertisers will almost certainly balk at this. They will
cry that it hinders their ability to develop and contribute ever more beneficial products
for public health and for the accompanying economic concerns over rising healthcare
costs. But even those that cater to the industry may not fully understand the implications and
ramifications of the long-term healthcare and privacy risks that arise from compliance
with HIPAA regulations.
The downside is that creativity and innovation may be thwarted for fear that industry regulatory
policies are too cumbersome and tedious to conform to. It is clear that some kind of federal
intervention needs to take place as technology continues to evolve.
Because the study found that lack of encryption and the lack of other general security
safeguards are currently the greatest contributors to health information breaches, the ONC
recommendation is to strive to increase awareness and understanding of appropriate policies
(and the terms within), as well as greater restrictions on privacy-policy changes, so that they
occur in tandem with the consumer’s permission, not through mere Internet data tracking methods
without informed consent.
Resource Links:
http://www.asha.org/practice/reimbursement/hipaa/hipaa_edi_faq/
http://www.hipaajournal.com/large-privacy-security-gaps-non-hipaa-covered-entities-onc-report-3512/
http://privacyoffice.med.miami.edu/awareness/tips/the-internet-of-things-and-privacy
https://www.healthit.gov/sites/default/files/reports/info_blocking_040915.pdf
https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf
Meta: Health data is being collected by entities not covered by HIPAA regulations
and may be at risk—according to a recent report released by the ONC.
Keywords: health data, healthcare data privacy, healthcare data security,
healthcare information technology, ONC, HIPAA, non-HIPAA covered entities