The ONC issued a report to Congress today laying out the gaps that exist in health data protection. The report opines at length about non-covered entities (NCEs), the large swath of consumer-facing companies that aren’t subject to HIPAA.

“The wearable fitness trackers, social media sites where individuals share health information through specific social networks, and other technologies that are common today did not exist when Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA),” ONC writes. “While HIPAA serves traditional health care well and continues to support national priorities for interoperable health information with its media-neutral Privacy Rule, its scope is limited.”

The report lays out the many ways in which data collected by NCEs, primarily direct-to-consumer activity tracker companies and patient social networks, is unprotected. There are considerably fewer limits on what those companies can do with that data, for instance, and consumers who don’t understand the limits of HIPAA might not be aware of that fact. It also affects the flip side of HIPAA: consumers’ rights to their own data. With NCEs, consumers may not have the right to access their own health data. Finally, the report contends, a lack of regulatory clarity could have the effect of stifling innovation in the mobile health space.

ONC points out that FTC has stepped in to protect consumers at least against the most egregious misuses of their data, using section 5 of the FTC Act, which gives it the power to sanction companies for “unfair or deceptive acts or practices”.

“The FTC has brought numerous cases against businesses alleging privacy and security-related violations, including a number of cases to protect consumers from companies’ deceptive and unfair practices with regard to their health data,” the report says. “One recent example of a privacy-related violation involving health information is the Commission’s settlement with medical billing company PaymentsMD and its former CEO, Michael C. Hughes. The complaint alleged that the company deceived thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information about them from pharmacies, medical labs, and insurance companies.”

While the report doesn’t lay out a plan for shoring up health data privacy concerns that fall outside of HIPAA, it offers a starting point for creating such a solution by attempting to lay out the exact boundaries of the problem. 

The report also acknowledges industry attempts at self regulation, but it’s safe to say it takes a dim view of that tack.

“The private sector has attempted to fill the gaps as well, through published codes of conduct that private sector organizations can adopt if they choose,” the report says. “For example, in October 2015, the Consumer Electronics Association (CEA) issued ‘Guiding Principles on the Privacy and Security of Personal Wellness Data.’ These guidelines can be adopted by companies, but are not required of CEA members. As of July 2016, we have been unable to identify any companies that have adopted the guidelines.”