ADVANCE Perspectives: Healthcare Information Professionals

Steal Signs

Published November 18, 2015 3:18 PM by ADVANCE Perspectives

By Tamer Abouras

It feels a bit like beating a dead horse, but the vulnerability of health information is a staple of the news cycle these days. Hacking happens, and it’s unclear whether the wide-scale repercussions of so much data being stolen have truly been felt yet.

You’ve heard about how many healthcare organizations have suffered breaches — and how dangerous that can be for patients — but those organizations, as well as Congress, have been working pretty feverishly to head off any potential disasters, with bills such as CISA.

As well-intentioned as those many maneuvers are, it’s still inevitably the case that adequate disaster preparedness is oftentimes born out of initially inadequate disaster response. You wouldn’t be faulted for your hurricane preparations if you’d never experienced one before — but you’d be ready the next time one came around.

In this case, what compounds the problem is that the proverbial hurricane — the warp-speed march of digitized health information — is one that no one has ever experienced. And so preparations for the so-called “worst” that could happen are necessarily a little weak in certain places.

What’s sure to infuriate medical professionals and patients alike, however, are unforced errors. And that's what makes this story from Consumerist about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) not covering health apps, wearables, at-home paternity tests and fitness trackers so troubling.


Consumerist Content Editor Kate Cox relayed the story, which originally appeared in ProPublica and The Washington Post, about how a simple paternity test, used to review the tech and have a little bit of fun, led security expert Jacqueline Stokes to make an interesting discovery.

“She bought a home paternity test for fun, to experiment with the tech. And when she went to look at the results, she discovered a Maury-friendly surprise: one little tweak in her browser’s address bar gave her instant access to an enormous directory containing over 6000 customers’ data.”

As Cox goes on to explain, contrary to popular opinion, “ … HIPAA isn’t universal; not all businesses have to adhere to it. Covered entities — the people and organizations that are subject to following HIPAA restrictions — include healthcare practitioners, health insurance companies and plans and ‘healthcare clearinghouses,’ which are businesses that process health information between other health companies.”

See the problem? While the government offers a handy flowchart to anyone curious about which types of entities may or may not be covered, the Department of Health and Human Services’ response to Stokes when she reported what she’d assumed to be a violation was telling — it wasn’t a violation, “ … because use-at-home tests sold to consumers aren’t covered entities.”

While the 1996 HIPAA law has been updated over time, its last such accommodation was made in 2009. Nearly seven years later and in a day and age where more and more of us are volunteering our healthcare information to these apps and portable devices, Cox concludes that it’s overdue for another.

“In 2009, Congress passed a law updating HIPAA and requiring HHS and the FTC, which has oversight of privacy and data breaches, to work together and submit recommendations on how to handle sensitive health data that isn’t covered under HIPAA. Six years later, that report is still in progress.”
