Is HIPAA Compliance for Non-Covered Entities a Concern?
Very much so.
Health information is now collected by apps and consumer computing devices. The types of data collected are often exactly the same as the data collected by healthcare organizations, which are subject to the HIPAA Privacy Rule and the HIPAA Security Rule. And yet, while healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI), and to restrict uses and disclosures of that information, the same rules do not cover the data when it is collected by these apps and devices. In other words, same data, different rules.
However, in the event of a data breach, the consequences can be just as damaging whether the breach occurs on an app or device or at a healthcare organization.
Why is there this disparity in regulatory treatment?
When HIPAA and its subsequent implementing regulations (the Privacy and Security Rules) were enacted, the extent to which health information would be collected and used by apps and consumer devices was unknown. Indeed, the concept of mobile apps and consumer devices was a fairly new one in the mid-1990s when HIPAA was passed. (To offer an illustration of this, smartphones did not offer a camera function until 2002.)
At the state level, but not the federal level, laws have been introduced to extend privacy and security requirements to app and device manufacturers and to the health data their apps and devices collect. At best, though, these laws will create a patchwork, with consumer protection at the mercy of state legislative priorities.
While HIPAA was updated by the HITECH Act of 2009, which does cover electronic medical records (EMRs, sometimes referred to as EHRs, or electronic health records), HITECH does not extend to apps and devices. This is so in spite of the fact that, by 2009, such apps and devices had become ensconced in the marketplace.
But What About Business Associates?