HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Are wearables violating HIPAA?


With the development of wearable technologies such as the Nike Fuel Band, Fitbit, and Apple Watch, consumers suddenly have more options to monitor their fitness performance than ever before. These devices are also making inroads into medicine as physicians begin to experiment with using Google Glass to connect ER doctors to specialists in order to reduce patients’ wait times.


Whether it’s for the weight room or the emergency room, manufacturers and software developers are collaborating to draw health further into the digital realm.


And the way these devices capture data poses serious privacy and security issues to individually-identifiable health information that must be addressed.


Real world privacy concerns


The central challenge devices such as Google Glass and Jawbone UP pose stems from the fact that they employ cloud-based data storage. By purchasing these products, customers agree to a company’s Terms of Service, and in some cases, these terms can be fairly permissive in what they allow companies to do with that data.


According to Google Glass’s current Terms of Sale, for instance, the product falls under the company’s general Terms of Service. Although these grant the user intellectual property rights over data they store on Google servers, the company can still reproduce, modify, publicly display, distribute, and generally use this data to promote and enhance existing products and create new ones. Thus, although users may not be relinquishing ownership of their IP rights, it is clear that they are giving up a substantial degree of control over their data.


Google’s shift to a unified privacy policy in March 2012 further bolstered its ability to improve services through the collection and analysis of customer data. This new policy enabled the company to consolidate data on individual users from across its product portfolio and create unique user profiles, giving Google a fuller picture of individuals’ preferences and activities.


All personal health data is not created equal


Not all personal data is equal in the eyes of the law. That is the central issue when applying these practices to health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits the analysis and sharing of individually-identifiable health information when directly related to patient care, but is otherwise more restrictive. The law permits health information to be used in assessments of physician and hospital performance, but allows patients to request that their data not be shared with third parties. HIPAA also requires consent before a healthcare provider uses health information for advertising purposes.

In a medical context that means: mining individually-identifiable health information could constitute a breach of patient privacy if the analysis falls outside of the scope of HIPAA. It is not clear whether using patient data to improve products, as opposed to health outcomes, is allowed under this law. And an even more concerning scenario could take shape if health information were combined with other personal, non-medical data for the purposes of user profiling.


HIPAA and wearables: What’s next?


If wearable device manufacturers want to store health information in the cloud, they must bring their Terms of Service and privacy policies in line with HIPAA privacy and security requirements.

The vendors making wearables should take several steps to achieve this goal.

  • Analyzing health data: Where privacy is concerned, companies must only analyze health data within the confines of what is permissible under HIPAA. If companies want to mine customer data for other purposes, they should keep health information separate from non-medical data.
  • Sharing health data: Companies would also need to grant patients and consumers greater transparency into how their data is being used as well as who has access to it. HIPAA would also require obtaining a patient’s consent before using their health information in any part of the advertising process.
  • Securing health data: When it comes to HIPAA-mandated security controls, companies should also protect health information with baseline access control and encryption measures, in addition to maintaining an “audit trail” of who has edited a patient’s information and when.


These measures would make the manufacturers of wearable health tech more accountable to the patients and consumers that their products serve — and it follows that any consumers, doctors and healthcare organizations using wearables in any capacity should seek out vendors willing to adhere to those tenets moving forward.


FTC suggests stronger data privacy law, HIPAA not enough for health data

This week the Federal Trade Commission published a report focused on privacy and security issues related to the massive Internet of Things (IoT) trend, which includes the growing number of connected health devices. The report summarizes the discussions that took place at an FTC-hosted workshop in November 2013, and it also includes recommendations for the industry that FTC staff put together based on the workshop’s discussion.

The workshop’s health panel included five people: Scott Peppet, a professor at the University of Colorado Law School; Stan Crosley, director of the Indiana University Center for Law, Ethics, and Applied Research in Health Information, and counsel to Drinker, Biddle, and Reath; Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology; Jay Radcliffe, a senior security analyst for InGuardians; and Anand Iyer, president and COO at WellDoc. A full transcript of the entire workshop can be found here (PDF) — the health-related discussion starts on page 164.

Notably, one FTC Commissioner — Jeffrey Wright — filed a dissenting opinion and argued that the FTC should not have published recommendations for IoT companies based on one workshop and public comments.

“If the purpose of the workshop is to examine dry cleaning methods or to evaluate appliance labeling, the limited purpose of the workshop and the ability to get all relevant viewpoints on the public record may indeed allow the Commission a relatively reasonable basis for making narrowly tailored recommendations for a well-defined question or issue. But the Commission must exercise far greater restraint when examining an issue as far ranging as the ‘Internet of Things’ – a nascent concept about which the only apparent consensus is that predicting its technological evolution and ultimate impact upon consumers is difficult. A record that consists of a one-day workshop, its accompanying public comments, and the staff’s impressions of those proceedings, however well-intended, is neither likely to result in a representative sample of viewpoints nor to generate information sufficient to support legislative or policy recommendations,” Wright wrote.

He goes on to argue that the FTC should have conducted a rigorous cost-benefit analysis prior to offering its recommendations, rather than merely acknowledging in passing that the recommendations would carry potential costs and benefits.

The report notes that, in general, IoT brings up a number of security risks for consumers.

“IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions. Others noted that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.”

Some of the FTC staff’s recommendations include a push for Congressional action related to general data security regulation — not specific to IoT — and a broad-based approach to privacy legislation: “Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices,” they write.

While it is pushing for a broad-based law, the agency specifically cited health-related data, noting that HIPAA does not cover all of it.

“Workshop participants discussed the fact that HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by certain entities, such as a doctor’s office or insurance company,” they wrote. “Increasingly, however, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it. Consistent standards would also level the playing field for businesses.”

Are wearable makers violating HIPAA?


It’s a question that has been asked before: With the wearables craze, is all that patient data really safe? The answer is complicated - and might not even exist within the law.


“The way these devices capture data poses serious privacy and security issues to individually identifiable health information that must be addressed,” asserted Julie Anderson, a SafeGov expert. “The central challenge devices such as Google Glass and Jawbone UP pose stems from the fact that they employ cloud-based data storage.”

Anderson explains how it gets thorny: Simply by buying one of these wearables, a customer agrees to the vendor's terms of service, which can be “fairly permissive” in what can and cannot be done with the data.


“Mining individually identifiable health information could constitute a breach of patient privacy if the analysis falls outside of the scope of HIPAA,” Anderson wrote in an article on mHealth News sister site Government Health IT. “It is not clear whether using patient data to improve products, as opposed to health outcomes, is allowed under this law. And an even more concerning scenario could take shape if health information were combined with other personal, non-medical data for the purposes of user profiling.”


Anderson recommends that vendors analyze, secure and share data in ways that apply baseline access controls and maintain an audit trail identifying who has edited a patient’s information and when.

The fact that many of these vendors are not experienced HIPAA-covered entities will no doubt complicate matters even more.

