Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices
Earlier this month, the eHealth Initiative Foundation and Manatt Health issued a brief that calls for the introduction of a values framework to better protect health information collected, stored, and used by organizations that are not required by law to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules.
Health information is increasingly being collected by a wide range of apps and consumer devices. In many cases, the types of data collected by these apps and devices are the same as those collected and used by healthcare organizations. While healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of health information and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by other entities.
It doesn’t matter what type of organization stores or uses the data. If that information is exposed it can cause considerable harm, yet this is currently something of a gray area that current regulations do not cover properly.
At the time when HIPAA and the subsequent Privacy and Security Rules were enacted, the extent to which health information would be collected and used by apps and consumer devices could not have been known. Now, new rules are required to ensure that health information is not exposed and remains private and confidential when collected by non-HIPAA covered entities.
Laws have been introduced that do extend to health data collected by apps and consumer devices, including the California Consumer Privacy Act (CCPA), but these laws only apply at the state level and protections for consumers can vary greatly from state to state.
HIPAA was updated by the HITECH Act of 2009, which does cover electronic medical records and health IT, but does not extend to apps and consumer devices. GDPR covers consumer data collected by apps and consumer devices, but only for companies doing business with EU residents.
The Brief, entitled, Risky Business? Sharing Data with Entities Not Covered by HIPAA explores the problem, the extent of data now being shared, and aims to clear up some of the confusion about when HIPAA applies to apps and consumer devices and when it does not and explores other federal guidance and regulations that has been issued by the FDA, FTC, and CMS covering mobile apps and consumer devices.
HIPAA does apply to business associates of HIPAA covered entities that provide apps and devices on behalf of the covered entity. However, if the app or device is not provided by a vendor acting as a business associate of a HIPAA covered entity, HIPAA Rules do not apply. Many healthcare organizations struggle to make the determination about whether a vendor is a business associate and if devices and apps are offered on behalf of the covered entity. The brief attempts to explain the often-complex process.
One area of particular concern is the growing number of people who are using genealogy services and are supplying companies with their DNA. Individuals are voluntarily providing this information, yet many are unaware of the implications of doing so and are unaware of the lucrative DNA market and the potential sale of their DNA profiles.
“Privacy and security in healthcare are at a critical juncture, with rapidly changing technology and laws that are struggling to keep pace,” explained Jennifer Covich Bordenick, Chief Executive Officer, eHealth Initiative Foundation. “Even as new laws like CCPA and GDPR emerge, many gray areas for the use and protection of consumer data need to be resolved. We hope the insights from papers like this help industry and lawmakers to better understand and address the world’s changing privacy challenges.”