In July, the Office of the National Coordinator for Health Information Technology (“ONC”) released a report that examines the oversight of the privacy and security of health data collected by entities not regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The report primarily focuses on two areas of emerging technologies provided by entities that are not regulated under HIPAA. The first is “mHealth technologies,” which includes entities that collect or deal in personal health records (“PHRs”) and cloud-based or mobile software tools that collect health information directly from individuals and enable sharing of such information (e.g. wearable fitness trackers). The second is “social health media,” which are internet-based sites through which individuals create or take advantage of specific opportunities to share health conditions and experiences.
In the report, the ONC analyzes the scope of privacy and security protections for these new technology products, identifies the key gaps that exist between HIPAA regulated entities and those not regulated by HIPAA, and recommends addressing the gaps in a manner that protects consumers and levels the playing field. While the ONC does not offer specific solutions to the gaps identified in the report, the ONC urges the private sector and other interested stakeholders to work together to develop solutions. To read more about the ONC-identified gaps between HIPAA-regulated and non-HIPAA regulated entities, view the full report here.
This article was authored by Rachel Ludwig, Jackson Kelly PLLC. For more information on the author, see here.
 The ONC notes in its report that PHRs are not regulated by HIPAA when the entity offering PHRs to consumers is not a HIPAA covered entity.