The authors of HIPAA wrote a law designed to protect the security and privacy of health information in many different locations. They identified healthcare providers, insurance companies and health information clearinghouses as the most likely places where protected health information would reside and imposed requirements that those covered entities must protect that information.
Today, Fitbits and other fitness trackers, platforms like the Apple Watch and HealthKit, and online communities allow individuals to take a far more active role in managing their own health, generating additional personal health information along the way. The authors of HIPAA never imagined this new world of consumer health technology and, as a result, HIPAA generally does not apply in these cases.
The holes in HIPAA controls stem from the definition of HIPAA-covered entities. These entities fall into three categories: healthcare providers, health insurers and health information clearinghouses. HIPAA also covers the business associates that exchange information with those covered entities. Consumer health companies normally do not fit into any of these categories. For example, the maker of a fitness tracking device doesn’t provide medical care to a patient or receive information from a medical professional, so there is no HIPAA-covered relationship.
Published September 24, 2016 on SearchSecurity.com
Read the full story: HIPAA Controls Don’t Do Enough for Privacy and Security
Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.