From smartwatches like the Samsung Galaxy Gear and Apple Watch to head-mounted displays like Google Glass, wearable electronics have become a hot topic in recent years. But these devices bring new hurdles for healthcare providers with regard to patient privacy, because, as some experts point out, the health data they collect is often not protected by the Health Insurance Portability and Accountability Act (HIPAA) privacy rules at all.
The website ProPublica recently published an eye-opening story in which a security expert stumbled upon the personal data of some 6,000 users. According to the website, the expert purchased a home paternity test, which included an electronic testing device, in order to experiment with it. When she went online to view her results, she found that a small edit to the URL in her browser's address bar let her reach a directory of 6,000 of the service's customers. In other words, the site used the identifier in the URL to select the record but never checked that the logged-in customer was entitled to it: a classic broken access control (insecure direct object reference) flaw.
Conventional wisdom suggests that the home paternity testing company in question is violating HIPAA privacy rules. After all, how can a company leave customers' personal information open to unauthorized access like this? HIPAA's Privacy Rule and Security Rule do in fact protect patients' personal health information (known as Protected Health Information, or PHI). However, not every company or organization is required to abide by the Privacy Rule and Security Rule.
HIPAA applies only to covered entities, meaning healthcare providers, health plans (including insurance companies) and healthcare clearinghouses, and to their Business Associates (BAs). Any third-party organization that handles PHI on behalf of a covered entity is classified as a BA.
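The flaw described above is easiest to see in code. The following is an added illustration, not code from the article or from the paternity-testing service; the URL shape (/results/<id>), the in-memory record store, and the session handling are all constructed assumptions. It puts a handler that trusts the ID in the URL beside one that also checks ownership, and includes a small probe that walks sequential IDs the way the expert's address-bar edit did.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (hypothetical customers), keyed by a sequential ID.
RESULTS = {
    1001: {"customer": "alice", "result": "probability of paternity: 99.99%"},
    1002: {"customer": "bob", "result": "probability of paternity: 0.00%"},
    1003: {"customer": "carol", "result": "probability of paternity: 99.98%"},
}

RESULTS_PREFIX = "/results/"  # assumed URL layout for this example


@dataclass
class Request:
    path: str                    # requested URL path, e.g. "/results/1001"
    session_user: Optional[str]  # customer authenticated by the session, or None


@dataclass
class Response:
    status: int
    body: str


def parse_result_id(path: str) -> Optional[int]:
    """Return the integer ID after /results/, or None if the path names no single result."""
    if not path.startswith(RESULTS_PREFIX):
        return None
    try:
        return int(path[len(RESULTS_PREFIX):])
    except ValueError:
        return None


def vulnerable_handler(req: Request) -> Response:
    """Serves whatever the URL names. The session is never consulted, so editing
    the ID (or deleting it to hit the directory) exposes other customers' data."""
    if req.path == RESULTS_PREFIX:
        # Directory listing: every customer in one response.
        listing = "\n".join(f"{rid} {rec['customer']}" for rid, rec in sorted(RESULTS.items()))
        return Response(200, listing)
    rid = parse_result_id(req.path)
    if rid is None or rid not in RESULTS:
        return Response(404, "not found")
    return Response(200, RESULTS[rid]["result"])


def hardened_handler(req: Request) -> Response:
    """Requires a session and returns a record only to the customer who owns it."""
    if req.session_user is None:
        return Response(401, "login required")
    rid = parse_result_id(req.path)
    record = RESULTS.get(rid) if rid is not None else None
    # Ownership check: the record must belong to the authenticated customer.
    # Answer 404 rather than 403 for someone else's record so the response does
    # not confirm which IDs exist. There is no directory endpoint at all.
    if record is None or record["customer"] != req.session_user:
        return Response(404, "not found")
    return Response(200, record["result"])


def readable_by(user: Optional[str], handler, id_range=range(1000, 1010)) -> list:
    """Probe: which result IDs in the range can this user read through the handler?
    This is the address-bar experiment from the story, done in a loop."""
    return [rid for rid in id_range
            if handler(Request(f"{RESULTS_PREFIX}{rid}", user)).status == 200]


if __name__ == "__main__":
    print("vulnerable:", readable_by("alice", vulnerable_handler))
    print("hardened:  ", readable_by("alice", hardened_handler))
```

Logged in as alice, the probe reads all three records through the vulnerable handler and only her own through the hardened one. Note that switching to long random identifiers instead of sequential integers would make the probe impractical but is only defense in depth; the ownership check on every request is the actual fix.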
HHS Responds to the Incident
Naturally, one might assume that the home paternity testing company is a BA and is therefore required to abide by HIPAA's Privacy Rule and Security Rule. When the security expert contacted the Department of Health and Human Services (HHS) to report the incident, however, she was told there was nothing they could do because the company was not a covered entity. A consumer device or app sold directly to the public, with no healthcare provider, health plan or clearinghouse involved, is not a covered entity, and so neither rule applies to the data it collects.
HIPAA was enacted in 1996, almost two decades before this story, so gaps in its coverage are to be expected. Back then, most patients' records were stored on paper and kept in manila folders. Today, the vast majority of doctors use computers and other electronic devices to store patients' records.
If you are struggling to determine whether or not an entity or organization is required to adhere to HIPAA's Privacy Rule and Security Rule, check out the flowchart published here.