Fitness trackers and online health or medical applications are increasing in popularity, with consumers often submitting sensitive personal health information into them. The health application security measures in place, though, do not always align with HIPAA regulations.
Data aggregators often collect this information and will then often market their assumptions about the data to potential employers, insurers, mortgage brokers or other third parties, IIT Chicago-Kent College of Law Professor Lori Andrews wrote in a recent Chicago Tribune contribution.
HIPAA regulations have a loophole, as any health information individuals put on social media, in emails, through web searches or via apps can be used by data aggregators, she warned.
“While some data aggregators claim to protect sensitive personal information, they adopt a puzzling definition of ‘sensitive,’” Andrews said. “Healthline Networks Inc., for example, says that it does not reveal sensitive health information about individuals such as information about HIV/AIDS, impotence or eating disorders.”
She added that Healthline does collect and reveal online information about other conditions, including anxiety and bipolar disorder.
Studies have shown that individuals are more reluctant to share their health information online when they find out how vulnerable the data might be, Andrews wrote. The Department of Health and Human Services (HHS) has not put forth enough regulations, and consumer education is a large area that could benefit from improvement.
Data aggregators counter that consumers are already educated by the privacy policies of websites and apps. But who reads these terms of service? And what does it mean when they say they share your health information with "affiliates"? Researchers at Carnegie Mellon University found that it would take a person 25 full days a year just to read the privacy policies of the online services he or she routinely uses. Most people just click "accept."
Instead, Andrews suggests that Illinois take a page out of California’s book and adopt legislation that extends certain HIPAA rules. Since 2014, California has had a law requiring medical apps to meet "the same standards of confidentiality required of a provider of health care."
Andrews is not alone in her concerns over potential health application security and privacy issues. In June 2016, the Office of the National Coordinator (ONC) announced it had collaborated with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the HHS Office for Civil Rights (OCR) to create an online tool addressing privacy and security concerns.
Mobile app developers can use the website to ensure that they are properly adhering to federal requirements and ensure they know where to find the right information on what regulations would apply to their particular app.
“Federal laws and regulations originating with FTC, FDA and the OCR all could influence the development of a new health-related product,” ONC Chief Privacy Officer Lucia Savage, JD and ONC Senior Health Information Privacy Program Analyst Helen Caton-Peters, MSN, RN explained. “And while these may not be the only applicable federal laws and regulations, they are often important requirements to consider when developing a health-related app.”
The tool highlights how HIPAA regulations, the FTC Act, the FTC’s Health Breach Notification Rule, and the Federal Food, Drug and Cosmetics Act (FD&C Act) would potentially apply to mobile applications.
In February 2016, OCR also added a list of health app use scenarios in which HIPAA regulations would apply. Part of OCR's mHealth Developer Portal, the scenarios aim to educate mHealth app developers on how to create HIPAA-compliant apps and apps that protect user and patient privacy.