ONC Raises Issue of Lack of mHealth Privacy and Security

Ken Terry

July 20, 2016

The Office of the National Coordinator for Health Information Technology (ONC) has sent a report to Congress about the gaps in the privacy and security of personal health information collected on mobile devices as well as on social networking sites designed for patient support.

Produced in conjunction with the Federal Trade Commission (FTC) and the Office for Civil Rights (OCR) in the US Department of Health & Human Services, the ONC report does not propose any specific legislation. Instead, ONC views it "as the first step in a conversation about these important issues," said Karen DeSalvo, MD, national coordinator for Health IT, and Jocelyn Samuels, director of OCR, in a blog post on the ONC site.

"As individuals become more and more involved in managing their own health through new technologies, we must work together to ensure they know what happens to their information and that it remains safe and secure," they added.

In traditional healthcare, the report notes, the privacy and security of protected health information (PHI) is governed by the Health Insurance Portability and Accountability Act (HIPAA), which applies to covered entities such as healthcare providers, health plans, and clearinghouses. The HITECH Act of 2010 also requires business associates of HIPAA-covered entities to safeguard PHI. In addition, about half of the states have rules regarding the privacy of certain types of PHI, such as a person's HIV/AIDS status and mental health. Finally, the FTC protects consumers against unfair and deceptive practices, whether by covered or noncovered entities.

Most vendors of mHealth devices and apps are not HIPAA-covered entities. However, consumers may not be aware that their health information is not HIPAA-protected when they share it with an mHealth vendor or store it in an online personal health record (PHR).

Similarly, social media sites may be used to discuss treatment options and to provide support networks, the report notes. In many cases, they allow people to enter personal health information to monitor blood sugar, eating habits, or sleeping patterns. Other health data websites may provide information or send emails with information about medications or specific chronic conditions. Twenty-seven percent of Internet users and 20% of adults have tracked weight, diet, exercise, symptoms, or other health indicators online.

Consumers Often Unaware

According to the report, a recent study found that under half of social networking sites offered safeguards for protecting personal health information. Some had conflicts of interest such as ties with pharmaceutical companies.

A 2014 study found that of 600 commonly used mHealth apps, only about 30% had privacy policies and that two thirds of those privacy policies did not specifically address the app itself, the report said.

Consumers often don't realize that the information they share with a non-HIPAA-covered entity may be out of their control and that the company may share the data with other parties, perhaps for a fee. Noncovered entities engage in practices such as online advertising and marketing, commercial use or sale of individual information, and behavioral tracking practices. Some PHR vendors warn of advertising in advance, while others may offer a free version of the PHR with advertising and a paid version without.

Consumers generally have greater rights regarding access to data held by covered entities than to data held by noncovered entities, the report points out. HIPAA gives individuals rights to access specific information from covered entities. These rights include the provision of the information in a timely manner, in the form and format requested by the individual, and in electronic form if the information is maintained electronically. Noncovered entities don't have to do any of this.

The lack of privacy and security regulations governing mobile app data has been a growing concern in the United States. In a recent report, experts from Dartmouth and other universities observed that this challenge is increasing with the rapid growth of mobile technologies, new incentives to keep populations healthy, and significant cyber threats targeting healthcare.

Last year, BMC Medicine published a study of mobile health apps accredited by the National Health Service in the United Kingdom. The study found that these apps do not adequately protect the privacy of users' personal health information. Of 79 apps studied, 70 transmitted information to online services. None of the apps encrypted data on personal devices, and two thirds that sent personal identification information over the Internet did not use encryption.

The ONC report, similarly, cited a study that found that only 6% of free health apps and 15% of paid health apps always used encrypted connections when sending data to third parties. Moreover, noncovered entities may not use other security safeguards such as patient identity verification because they are not required to.

