HIPAA vs. The NSA: Who Wins When Medical Devices Are Concerned?

In light of the IRS, NSA, and Justice Department Scandals, the efficacy of the privacy protections contained in the Health Insurance Portability and Accountability Act (HIPAA) has been called into question, wrote blogger Westby G. Fisher, MD, FACC in June. Fisher goes on to point out that the U.S. Department of Health and Human Services is enforcing privacy restrictions contained within the new Health Information Technology for Economic and Clinical Health (HITECH) Act, pointing to the case of Blue Cross Blue Shield of Tennessee, which paid HHS $1,500,000 for a data breach. He goes on to argue that the government is using such settlements as "a funding tool for our government health care administration disguised as a beneficent effort to protect the health care data of our populace." (For the record, the IRS is facing a lawsuit alleging that it wrongly seized 60 million personal medical records.)

Fisher's claim that HIPAA fails in offering solid privacy protections seems well warranted, however. HIPAA, which was first enacted in 1996 by President Bill Clinton and the United States Congress, was designed to protect workers' health insurance coverage when they change or lose employment. HIPAA also requires national privacy standards for electronic healthcare transactions.

Under HIPAA, protected health information (PHI) may only be transmitted without a patient's express written authorization to facilitate payment, treatment or healthcare operations. Other disclosures of PHI require written authorization.

While the Privacy Rule does protect patient health records in most cases, private information can be disclosed under certain terms. For instance, HIPAA does not protect a patient's medical records from the National Security Agency and other law enforcement entities. The department of Health and Human Services explains that note that patient health information can be transmitted "to federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act (45 CFR 164.512(k)(2)) or to provide protective services to the President and others and conduct related investigations (45 CFR 164.512(k)(3))."

Perhaps more relevant is the growing connectivity between medical devices and consumer devices like smartphones and tablets. As Smarthphone Physical Shiv Gaglani curator has explained, "I don't see wearable technologies working without synching to a phone. And because of the recent news with Snowden and NSA, there could be a growing backlash to having devices that interface with implantable or external health tracking devices. "I think 90 to 95% of the population thinks that convenience outweighs privacy concerns," Gaglani says.