FTC recommends Congress legislate patient information security protocols

As electronic health record systems become more entrenched in the health care industry, the question of data security looms larger as well. Patient information stored in EHR systems is ostensibly protected under the Health Insurance Portability and Accountability Act, but the fast-moving nature of health information technology means that organizations are not always able to keep their security policies in step with threats to data security.

In response to growing concerns about protecting patient information, the Federal Trade Commission conducted a study on the practice of data broker firms, which do not fall under the jurisdiction of HIPAA. These data brokers collect and store sensitive information, some of which is related to patients' health practices. The results of the study prompted the FTC to formally propose more stringent Congressional regulation of health information.

Collecting and storing sensitive data
Though various federal agencies have published final regulations on how health care organizations must protect identifiable patient information moving through their local networks, the use of this information by non-medical companies is not yet governed by any codified policies.

The FTC explored this gray area through a study of the practices of nine data brokerage firms, which obtain and sell large amounts of information on consumers, typically without their knowledge. The majority of this data is financial – marketing firms that want information on what consumers are purchasing contact data brokers for insight.

However, the FTC found that some of this financial information contains data on health-related purchases. Currently, data brokers are under no federal obligation to publish information on how they obtain this information or what they use it for, so the FTC concluded the study by calling for official regulation of this industry.

The FTC explained that regulations are necessary because one data broker in the study collected information on more than 1.4 billion transactions, totaling 700 billion data points. Another added 3 billion new pieces of information every month. The scope of data brokerage firms is so large that not a single person in the U.S. can have a reasonable expectation of privacy when it comes to health information, the FTC claimed.

Unauthorized information sharing
While data brokerage firms may be the latest focus of regulation from the FTC, the federal agency has also set its sights on unauthorized information sharing by mobile health and fitness applications. According to ThreatPost, Jah-Juin Ho, an attorney with the FTC's Mobile Technology Unit, announced the agency's findings at a seminar in early May on an investigation into health information entered into mobile smartphone apps.

The FTC reviewed the data sharing trends of 12 popular health and fitness apps and found that though consumers thought the information they entered into the app would be secure, it was then shared with 76 different third party organizations.

All external organizations that had access to the data collected information on the status of consumers' phones, but 58 third parties received information on eating habits and sleeping behaviors. A further 22 companies gathered users' exercise and diet information, details on symptoms and conditions, gender and GPS-enabled location.

"It wasn't uncommon for third parties to identify users by their first name, last initial and then a stream of identifiers," Ho said at the seminar.

Though the health care industry has taken great pains to protect the information of patients stored within hospitals and other medical facilities, Ho said that the FTC is committed to extending this same level of data security to other sectors in the hopes of increasing patient protection regardless of the industry.