The healthcare and fitness tech industry is booming, with millions of users across the US using these devices and apps to track everything from their weight, sleeping habits, heart rate, and food consumption. Some of this information is similar to that collected by healthcare organisations when monitoring their patients. However, there is a vast difference in the responsibilities of these organisations and the healthcare tech industry when it comes to the protection of this data.
Healthcare organisations and their businesses associates are legally required to ensure that adequate safeguards are in place to prevent unauthorised individuals from gaining access to this data. There is a good reason for this; healthcare information has a substantial black-market value, and hackers often see hospitals and clinics as easy targets to harvest this data. When sold, the information could be used for fraud or other nefarious purposes. The Health Insurance Portability and Accountability Act ensures that healthcare industries take their responsibility to protect consumer data seriously.
In contrast, the creators of these apps or devices that collect such potentially sensitive information are not legally required to ensure the same protections are in place, even if the data collected is the same.
In March, the eHealth Initiative Foundation and Manatt Health issued a joint brief that calls for the introduction of a values framework to better protect health information collected, stored, and used by organisations that are not required by law to comply with HIPAA Rules.
The Brief, entitled Risky Business? Sharing Data with Entities Not Covered by HIPAA argues that the type of organisation that collects the data should be irrelevant, the consequences of a data breach would be equally harmful in any case. They call for clarity in this regulatory grey area.
HIPAA and its Rules were created at a time in which the ubiquity of healthcare apps and devices could not be predicted. As such, the legislation is somewhat outdated because of the significant advances in technology. Experts are calling for new legislation to address health information collected by non-HIPAA covered entities.
Some states have taken action to address this gap in federal legislation. For example, California introduced the California Consumer Privacy Act (CCPA), which extends existing legislation to health data collected by apps and consumer devices. These laws only apply at the state level, and consumer privacy rights can vary significantly from state to state.
HIPAA was updated by the HITECH Act of 2009, which does cover electronic medical records and health IT, but does not extend to apps and consumer devices. In Europe, the new GDPR covers consumer data collected by apps and consumer devices, showing that legislators are recognising the potential problem this discrepancy can pose and taking steps to fix it.
The Brief gives an outline of the problem, discusses the extent of data now being shared, and aims to clear up some of the confusion about when HIPAA applies to apps and consumer devices and when it does. The Brief also comments on other federal guidance and regulations that have been issued by the FDA, FTC, and CMS covering mobile apps and consumer devices.
It is important to note that HIPAA does apply to business associates of HIPAA covered entities that provide apps and devices on behalf of the covered entity. However, HIPAA does not apply if the app or device is not provided by a vendor acting as a business associate of a HIPAA covered entity. There is some confusion within the healthcare industry as to whether a vendor is a business associate and if devices and apps are offered on behalf of the covered entity. The Brief attempts to clarify this distinction.
One area of particular concern is the growing number of people who are using genealogy services and are supplying companies with their DNA. Individuals are voluntarily providing this information, yet many are unaware of the implications of doing so and are unaware of the lucrative DNA market and the potential sale of their DNA profiles.
“Privacy and security in healthcare are at a critical juncture, with rapidly changing technology and laws that are struggling to keep pace,” explained Jennifer Covich Bordenick, Chief Executive Officer, eHealth Initiative Foundation. “Even as new laws like CCPA and GDPR emerge, many grey areas for the use and protection of consumer data need to be resolved. We hope the insights from papers like this help industry and lawmakers to understand better and address the world’s changing privacy challenges.”