Last month, the Department of Health and Human Services sent a long-delayed report to Congress identifying “key gaps” in HIPAA’s ability to protect personal data generated by wearable fitness trackers and other mobile apps. Prepared in conjunction with HHS’ Office for Civil Rights and the Federal Trade Commission, the 32-page report concluded that because the makers of such devices and apps are generally non-covered entities (NCEs) under the Health Insurance Portability and Accountability Act, regulators have little authority to act on potential data breaches.
The exception is when NCEs engage in deceptive or unfair business practices by not reasonably protecting someone’s health information, in which case the FTC could step in. The report highlights several areas where mHealth apps are offering privacy protection substantially below what would be required of healthcare providers and other entities covered under HIPAA.
Yet today, many companies use consumer-facing technology to gather, analyze, and share consumers’ health information, often without their knowledge.
A recent study in the Journal of the American Medical Association found many health apps may be sharing patients’ health data without their knowledge. Of 211 diabetes apps it examined, 81% did not have privacy policies, and those that did often didn’t actually protect privacy. Only four policies said they would seek users’ permission to share data.
HHS' report, which was originally due in 2010, calls out a number of concerns regarding the security of information logged on mobile devices, including:
- HIPAA allows patients to access personally identifiable health information held by covered entities. With NCEs, “it is unclear whether individuals have any rights to access data about themselves held by others.”
- Mobile app users may assume that HIPAA applies in this case and inadvertently agree to unanticipated forms of information sharing and use by mHealth companies. While the FTC monitors firms for deceptive practices, its oversight doesn’t provide the same level of protection as HIPAA, the report says.
- Health information collected in multiple places without uniform security standards is a sitting duck for cybersecurity attacks.
- Lack of understanding of where HIPAA protections end could hamper development of new beneficial mHealth technologies. For example, “if the way in which technology is used evolves over time, federal requirements for health information privacy may apply to the new uses but not the old ones, or vice versa, resulting in shifting regulatory requirements and expectations for developers and entrepreneurs,” according to the report.
Lacking any definitive federal regulations, industry groups have drawn up voluntary guidelines, but companies have been slow to adopt them, Clinical Innovation+Technology reports.
“This has always been a problem,” says Waseem Sheikh, senior HIT advisor for Colington Security in Burke, VA. “Regulations are always behind technology, because it’s moving at such a fast pace.”
Indeed, technology tracker BCC Research estimates the global mHealth market will reach $21.5 billion in 2018, The Economist reports. The majority of those smartphone apps fall into the categories of wellness and fitness. These include Fitbit, Digifit, Zunammy, WellnessFX, and Bioforce HRV.
The issue has assumed more urgency as companies encourage employees to log onto mobile apps as part of wellness programs. “It goes beyond someone voluntarily saying ‘I want this app,’” Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, told ProPublica. “There are basically going to be financial incentives to use the app.”
Meanwhile, health and fitness companies, following the example of the tech industry, offer multi-page end-user license agreements, with links to privacy policies, which can overwhelm consumers, Sheikh says. “The result is a consent that is informed but NOT comprehended,” he wrote in an email. “Furthermore, comparing results, volunteering information on social media sites, community blogs, causes disclosure without even realizing the consequences.”
He believes that every device that captures healthcare data should be a covered entity.
The report says these gaps in government oversight of mHealth technologies should be addressed by updating laws and regulations, but stops short of making actual recommendations. Security experts are hoping engagement with stakeholders in the near future will lead to more concrete advice.
Sheikh says that, to keep pace with future advances, lawmakers need to not only understand the dynamics and infrastructure behind new innovations but also pass “scalable legislation” that anticipates future implications stemming from scalability of those technologies.
That means bringing in younger people who grew up with these technologies to help lead the decision-making. “We are dealing with uncharted waters because the technology is so young,” he says, noting that there is no Facebook expert with 25 years of experience.