HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Researchers Raise Concerns About Patient Safety and Privacy with COVID-19 Home Monitoring Technologies

A team of researchers at Harvard University has investigated COVID-19 home monitoring technologies, which have been developed to decrease interpersonal contacts and reduce the risk of exposure to the 2019 Novel Coronavirus, SARS-CoV-2.

A range of technologies have been developed to reduce the risk of exposure to SARS-CoV-2 and diagnose symptoms quickly to allow interventions that improve patient safety and limit the spread of COVID-19. The researchers define a home monitoring technology as “a product that is used for monitoring without (direct) supervision by a healthcare professional, such as in a patient’s home, and that collects health-related data from a person.” These technologies are being used to monitor patients in their homes for signs of COVID-19 and include smartwatches and mobile apps that connect to wireless networks and transmit health data. Algorithms are then applied to the data obtained by those technologies.

The study, recently published in Nature Medicine, raises several concerns about these home monitoring tools as they were found to increase the risks to patient safety and privacy. The technologies collect and transmit sensitive health data and, as such, they need to have appropriate security protections in place to ensure that information remains private and confidential. Many of these home monitoring tools were developed quickly to keep up with demand and to help limit the spread of COVID-19, and that has introduced risks that have not fully been addressed.

Their research confirmed that interventions were required to ensure patient safety and to comply with regulatory requirements, privacy laws, and Emergency Use Authorizations (EUAs). While there are privacy laws in the United States, they only somewhat address the privacy concerns with these platforms. There is a blind spot that could allow health data to be collected by a company and for that information to be freely shared with other companies. While there are valid reasons why information may need to be shared, for contact tracing for example, there are other potential uses that are a cause for concern, such as commercializing data gathered from patients.

One of the main problems with these technologies is how they are classified by the Food and Drug Administration (FDA). While some of these technologies are classed as medical devices, and are therefore subject to FDA review, others are not considered medical devices and are therefore not scrutinized by the FDA. Currently, the majority of home monitoring technologies are not considered medical devices and are outside the FDA’s area of control.

“The FDA has recently clarified that it does not consider most software systems and apps for public health surveillance to be medical devices,” wrote the researchers. “The FDA noted products that are intended to track contacts or locations associated with public health surveillance are usually not subject to FDA regulation since they generally do not fulfill the medical-device definition.”

HIPAA includes privacy protections for patients that cover home monitoring technologies, but HIPAA only applies if a technology is provided by a HIPAA-covered entity. If a patient chooses to use home monitoring technologies and is not instructed to do so by a HIPAA-covered entity, HIPAA privacy protections will not apply.

The Secretary of Health and Human Services (HHS) declared COVID-19 to be a nationwide public health emergency on February 4, 2020 and issued three Emergency Use Authorization (EUA) Declarations related to medical devices. One covered in vitro diagnostics for the diagnosis and/or detection of SARS-CoV-2, the second covered personal respiratory protective devices, and the third broadly applies to medical devices, including alternative products that are used as medical devices, such as home monitoring devices. The FDA has similarly issued several EUAs for home monitoring devices, with more expected to be issued in the near future.

The researchers warn that “authorization of home monitoring devices via the EUA pathway does give rise to potential risks.” These are uncleared or unapproved medical devices or are cleared or approved devices for an uncleared or unapproved use, so the issuing of an EUA does not suggest that the product is safe or effective for monitoring. “Another criterion for authorization is the performance of a risk/benefit analysis, and it is difficult to determine where to draw the cut-off for authorization on the basis of this type of analysis. Regulators should always make such decisions carefully and thoroughly, even in times of crisis.”

The researchers also note that “when issuing an EUA, the FDA can waive certain requirements that usually help to reduce risks.” These requirements were intended to prevent harm to the end user and to minimize the risks involved in the manufacture of devices. The researchers recommend that the manufacturers of the devices incorporate as many safeguards as possible to ensure that patient safety and privacy are protected.

There is also a risk of false positive and false negative results with these monitoring devices, which could mean they fail to diagnose symptoms of COVID-19. That could result in a delay in receiving treatment, which could have life-threatening consequences. A false negative result could also result in a person not self-isolating, increasing the risk of infecting others.

Reducing the risks associated with these technologies would be possible if the developers adopt an ethical approach and provide reasonable assurances that their products are safe and effective. Vendors must also consider the context in which their products will be deployed and should assess the potential challenges caused by the environment and how the devices interact with the user to ensure that their products are successful.

“In the current public health emergency, US healthcare providers and technology companies should make sure — to the best of their ability — to comply with HIPAA and protect people’s privacy,” suggest the researchers. “As a best practice, developers should try to incorporate HIPAA’s requirements, such as encryption, into their home monitoring [devices] even when HIPAA does not directly apply to their products.”

The researchers recommend that the HHS should develop guidance covering the minimum cybersecurity standards required during the COVID-19 pandemic, to facilitate the rapid implementation of new products while also ensuring appropriate safeguards are implemented to mitigate cyberattacks and ensure that there is a fast response to any vulnerabilities discovered.

“Home monitoring technologies have considerable potential to decrease personal contacts between people and thus exposure to COVID-19,” concluded the researchers. “However, the rapid development of new products also poses challenges ranging from safety and liability to privacy. The motto ‘ethics by design, even in a pandemic’ should guide makers in the development of home monitoring products to combat this public-health emergency.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.