Gaps in privacy and security law may be hindering the development and expansion of health IT and EHR use across the industry, a recent report from the Office of the National Coordinator for Health Information Technology suggests.
The report details the privacy and security provisions in place to facilitate secure exchange of health data across various technologies. These safeguards include the HIPAA Privacy, Security, and Breach Notification laws, FTC consumer protection laws, and the various statewide health data privacy laws put in place to address specific issues.
Although these provisions are expansive and have set out to protect various areas of health IT, including EHRs and mHealth devices, gaps are emerging. These gaps in security law are making it difficult for health technology developers to create new systems, and are potentially leaving patients exposed when transmitting their own health information.
This poses a problem, especially as innovators outside of the healthcare industry try their hand at health technology creation.
“Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” ONC explains in its report.
“Moreover, even entrepreneurs, particularly those outside the health care industry, seeking to take advantage of health information technology and develop mHealth technologies and health social media, may not have a clear understanding of where HIPAA oversight begins and ends.”
When developers begin a new health IT innovation project, it may not be clear which privacy and security rules apply to the kind of health information being handled. This issue is being seen as more developers are sharing data with their patients through unprecedented technologies.
In June, FDA attempted to account for that confusion in releasing a draft guidance on health data sharing over new health technologies. The agency did this in an attempt to clear up confusion for developers so that they can continue with their innovations in a safe and responsible manner.
“FDA believes that providing patients with access to accurate, useable information about their healthcare when they request it (including the medical products they use and patient-specific information these products generate) will empower patients to be more engaged with their healthcare providers in making sound medical decisions,” noted the document.
However, ONC maintains that unclear privacy regulations may stunt health IT innovation.
“This lack of clarity may impede innovation that could improve health or otherwise benefit individuals or the nation,” the agency wrote in its report. “For example, for HIPAA covered entities, it is often unclear to developers which information is considered to be or defined as ‘individually identifiable health information’ that is subject to protection by the HIPAA Rules, and which is not.”
And this issue may persist heading into the future as health technologies continue to adopt new capabilities and handle more health information.
“Additionally, if the way in which technology is used evolves over time, federal requirements for health information privacy may apply to the new uses but not the old ones, or vice versa, resulting in shifting regulatory requirements and expectations for developers and entrepreneurs,” ONC wrote.
These concerns are pressing considering the industry’s emphasis on patient engagement and access to health data. More technologies that foster that activation are emerging, but security guidelines are not keeping up. This is inhibiting the innovation and development of healthcare technology.
Going forward, healthcare security experts will need to acknowledge those gaps in security protocol and develop new strategies to ensure secure data exchange in new tools. In doing so, they can help foster the growth of the health IT market, and in turn, the health and engagement of individual patients.