Proliferating health and fitness devices is eroding the privacy of U.S. citizens, and current government policy is falling woefully short of addressing the privacy gap.

These privacy gaps were revealed in a new report by the U.S. Department of Health and Human Services, according to Morning Consult.

The report found that the 1996 Health Insurance Portability and Accountability Act (HIPAA) does not cover health technology firms, who are creating legions of new health and fitness trackers.

“New types of entities that collect, share, and use health information are not regulated by HIPAA,” said the report.

It continues by explaining that the HIPAA only covers some electronic transactions by insurance companies, healthcare providers and clearing houses, along with health-related companies holding personally identifiable medical information.

However, the HIPAA does not address patient privacy concerns created by these new devices created by companies out of the traditional health care industry which are routinely sharing loads of personal medical data on unregulated networks.

“Health information is increasingly collected, shared, or used by new types of organizations beyond the traditional health care organizations currently covered by HIPAA,” said the report. It adds that these include “peer health communities, online health management tools, and websites used to generate information for research, any of which might be accessed on computers or smart phones and other mobile devices.”

Policy having trouble staying ahead of tech

This study comes amid increasing concerns about privacy of health information and fears of increased theft of personal medical data. Accenture released a report that predicted that more than 25 million people—or approximately one in 13 patients—will have their medical and/or personal information stolen from their healthcare provider’s digitized records between 2015 and 2019.

Meanwhile, the HIPAA study did not outline specific procedures that would address these privacy gaps, but instead gave suggestions on how regulations could address this issue.

“To ensure privacy, security, and access by consumers to health data, and to create a predictable business environment for health data collectors, developers, and entrepreneurs to foster innovation, the gaps in oversight identified in this Report should be filled,” said the report.