The United States Federal Trade Commission (FTC) has called for tougher laws to protect the information of healthcare patients. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, employers are required to take both physical and technical measures to prevent the disclosure of patient information, but the FTC says this isn't enough.
We live in an age where more and more organizations are connecting their devices to the Internet, increasing the risk of malicious cyber attacks. In the healthcare industry, Internet of Things (IoT) devices may include remote health monitoring, emergency notification systems, blood pressure monitoring systems, specialized heart sensors, and more, many of which collect and store HIPAA-protected data.
The FTC's report on the Internet of Things is a follow-up to its recent workshop, which it hosted in November 2014. It includes insight from healthcare professionals, recommendations by the FTC, and opinions from the general public. The workshop's health panel consisted of Scott Peppet, professor at the University of Colorado Law School; Joseph Lorenzo Hall, technologist at the Center for Democracy and Technology; Jay Radcliffe, data analyst for InGuardians; Anand Iyer, WellDoc president; and Stan Crosley, director of the Indiana University Center for Law and Ethics.
So, why is the FTC calling for strengthened HIPAA laws? In its report, the FTC said that health apps, which collect sensitive patient information, are not currently protected under HIPAA. Many doctors, practitioners, hospitals and other healthcare facilities use apps to keep track of patient information. Unfortunately, however, patient data collected in such a manner isn't covered by HIPAA.
“Increasingly, however, health apps are collecting this same information through consumer facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it. Consistent standards would also level the playing field for businesses,” said the FTC in its report.
The FTC adds that healthcare organizations should consider taking a “data minimization” approach, or in other words collect only the patient information they need and retain it for a finite length of time before deleting it. This isn't a foolproof way for healthcare providers to protect their patients' data, but it would certainly help to mitigate the risk of disclosure.
You can access the FTC's complete Internet of Things report by visiting FTC.gov.