Monitoring your own healthcare has never been easier. You can track calories, prescriptions, symptoms and sleep patterns from a mobile device in your pocket or on your wrist. It seems like a terrific advancement in healthcare tech.
Are Mobile Health Apps Covered by HIPAA?
Mobile health (mHealth) apps provided by commercial vendors for use by individuals are not covered by HIPAA because the vendor is not a covered entity or business associate. However, HIPAA will apply if a covered entity receives information from a patient’s mHealth app – the HIPAA Privacy and Security rules require covered entities and business associates to keep protected health information (PHI) secure with appropriate safeguards. The app maker itself could become a business associate if it contracts with a provider to help care for patients.
Privacy and Mobile Health Apps
Mobile health apps are great for patients who want to track and share their health information. On the other hand, mHealth opens up risks to privacy and potential for data breaches. These risks are not widely known, but lurking just beneath the surface. A recent study published in the British Medical Journal reveals there are data privacy risks associated with a majority of the apps currently in use. Most people using them are not aware of the risks.
Researchers looked at over 20,000 mHealth apps available in the Google Play marketplace and found that 88 percent contained code that had the ability to collect user data, like location, contact information, and device identifiers.
The study explains:
Although the potential of mHealth apps to improve access to real time monitoring and health care resources is well established, they pose problems concerning data privacy because of the sensitive information they can access, the use of a business model that is [centered] on selling subscriptions or sharing user data, and the lack of enforcement of privacy standards around the world…
One of the big problems with apps of all kinds, from a privacy perspective, is that the “Terms and Condition” that almost no one reads (but you must accept to use it), allows the app to track and share (sell) data. In the health arena, this means protected health information is potentially share-able, and not for the user’s benefit, but for the app developer’s or third parties’ benefit. The Terms and Conditions of most apps are long, dense and hard to read. Are users reading them, and if so, do they understand how data is shared?
The mHealth apps do not address privacy and security adequately. According to the study, most data collection operations involved third-party providers, and 23 percent of data transmissions took place on insecure communication protocols. In addition, only 47 percent of data transmissions complied with the app’s privacy policies, and 28 percent of apps did not provide a privacy policy at all.
The biggest issue uncovered by the study is the lack of transparency in privacy policies and the lack of privacy policies altogether. At least 25 percent of user data transmissions violated the app’s privacy policy. However, in an analysis of mHealth app customer reviews, few users expressed privacy concerns. In our view most users are unaware that the privacy of their PHI is fair game to be sold or used by third parties.
Mobile Health Apps are Growing
The mHealth apps arena is competitive, with the Apple Watch and Google’s Fitbit leading the pack so far, but there are thousands on the market. Google paid $2.1 billion to buy Fitbit earlier this year, and has since allocated significant numbers of staff and research dollars toward expanding Fitbit’s functions. In 2018 Apple started a Health Record Systems trial with 12 major health systems nationwide, from Cedars-Sinai in Los Angeles to Johns Hopkins in Baltimore. The service reportedly links users’ iPhones to their health system patient portal. The Apple Watch has also received FDA approval for an atrial fibrillation feature.
While many apps mainly track fitness and tend not to be “medical” apps, developers are rapidly bringing the two together by encouraging users to monitor and manage healthcare they obtain from providers. Developers are also actively engaging with providers to bring fitness and health together, as Apple did with the Health Record Systems trial mentioned above.
Another trend in mHealth apps is the assembly of a patient’s medical records in one place. Patients have the right to access their own records, and many are now requesting that providers send their records to a third party app where they are organized and maintained for ready access by a patient whenever needed. One example is Ciitizen.com.
It’s notable that under the proposed changes to HIPAA currently pending, the rule will make it easier for individuals to exercise the right of access by directing that electronic records be sent to a third party, as long as individual’s request is clear, conspicuous, and specific (and it may be orally or in writing).
Innovation Could Help Monitor a Future Pandemic
Although Google stumbled with its contact tracing app during COVID-19, in the future digital apps will likely have a role in helping monitor and contain transmissions. More needs to be done to ensure privacy concerns are met, and educating the public about how it can work is essential.
Evidence that HHS supports innovation is the design competition for digital health related to at home COVID diagnostic testing sponsored by HHS. One of the goals of the competition was “to ensure that all SARS-CoV-2 diagnostic tools can securely transmit test results to local and national public health authorities, as well as health care providers and patients, ensuring a timely public health response.”
Covered Entities and Business Associates Should Understand Mobile Health
Patients who understand and monitor their own health have better outcomes and their healthcare often costs less. So federal public health policy supports patient engagement – and when technology can make it more convenient, the U.S. Department of Health and Human Services (HHS) is on board.
As with all technology however, HHS expects covered entities and business associates to maintain the privacy and security of PHI. HIPAA requires there be Administrative, Physical and Technical safeguards in place, and that covered entities and business associates conduct an annual Risk Analysis. If mHealth apps become part of your treatment plan, be sure to validate the app’s HIPAA compliance and make sure your patients understand potential risks to their data privacy.