The popularity of health apps raises significant issues in terms of patient privacy. HIPAA rules apply when protected health information (PHI) is created, received, maintained, or transmitted by covered entities (such as health plans and most healthcare providers) and business associates (such as individuals and companies that provide certain services for covered entities). HIPAA rules, however, generally do not protect the privacy or security of a patient’s health information when it is created through or stored on personal cell phones or tablets, or fitness trackers. The rules do not protect the privacy of an individual’s internet search history, information an individual voluntarily shares online, or an individual’s geographic location information.
Colin J. Zick, a partner with Foley Hoag in Boston, Massachusetts, where he is co-chair of the firm’s Privacy & Data Security Practice Group, said a health app may be linked to a patient’s medical record, but that doesn’t necessarily mean that HIPAA protects the information on that health app. “It’s important to keep in mind that HIPAA does not apply and was never intended to apply to general health and wellness applications. It’s also true that some of that information can be very sensitive and perhaps should be, as a policy matter, protected. But that’s not HIPAA’s job,” Zick said.
With regard to mobile health apps overall, Zick noted that they bring a lot of good with them. However, like any tool, patients and clinicians need to know and understand how to use them safely. “I think it’s important that physicians know and understand what apps their patients are using and how they’re using them,” Zick said. This is a major new challenge given that physicians have less and less time with their patients. Clinicians may benefit from reviewing health apps patients use, he said. This may be a good first step to understanding what patients are using in the context of a physician practice.
OCR Complaints and Fines
The latest numbers of HIPAA complaints are rather eye-opening. Since the compliance date of the Privacy Rule in April 2003, the federal Office for Civil Rights (OCR) has received over 369,107 HIPAA complaints and has initiated more than 1191 compliance reviews. OCR claims it has resolved 99% of these cases (365,993). OCR has investigated and resolved more than 31,071 cases by requiring changes in privacy practices and corrective actions.
OCR has successfully enforced the HIPAA rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or its business associate. To date, OCR has settled or imposed a civil money penalty in 148 cases, resulting in a total dollar amount of $143,728,972. OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
“It is time for a significant HIPAA update in order to keep up with new technology and AI,” Zick said. “For 20 years since the HIPAA regulations came out in December of 2000, I defended them and said that they were flexible and adaptable, and that the HIPAA privacy regulations could fit almost any circumstance that was needed,” he said. “My views on that have changed as the healthcare environment has changed, particularly with the advent of artificial intelligence and the increasing universality of electronic health information.”
HIPAA Needs a ‘Little Freshening Up’
Historically, HIPAA has served the medical community well. It enabled the creation of the current environment of electronic health records, health information exchanges, and health IT to exist in the way that it does today in the United States, Zick said. “But like anything, it could use a little freshening up after 20 years,” Zick said. “I think it’s time to review HIPAA in light of where the technology is today and where we anticipate it will be tomorrow.”
Areas of concern include healthcare companies conducting wide-ranging intake questionnaires. These may seem innocuous, but may include gender identity, sexual orientation, and mental health history. Today, these questionnaires are being monetized with targeted ads. Another concern that has been raised is that mental health data could be used by employers to vet new hires or by extremist groups trolling for vulnerable patients. “They have a challenging job at OCR, and all my interactions with that agency have suggested to me that they’re working hard, acting professionally and with an understanding of the circumstances in which HIPAA covered entities and business associates find themselves,” Zick said.
Stop Fining Ransomware Victims?
However, he questions the way OCR currently handles ransomware and fining the victims of ransomware attacks that result in HIPAA breaches. “It seems to me that we need to have a system that doesn’t punish the victims of crimes. Perhaps let a ransomware victim use its resources not to pay fines when those resources could be better spent on defensive activities by the affected institutions. After all, a healthcare provider who is hit with ransomware is actually the victim of an attack from a nation state like China, Russia or North Korea. It’s hardly a fair fight.”
Just as the federal government is sometimes hacked, healthcare providers and other covered entities will be hacked through little or no fault of their own, with little or nothing they could have done to prevent the breach. “We should encourage their efforts at compliance and hardening their defenses. Especially in a time where healthcare resources are particularly difficult to come by,” Zick said.
A Valuable Cybercriminal Target
According to data analyzed by the cybersecurity company NordLayer, more than 45 million patients had their information exposed in the first half of 2024, as healthcare organizations have become one of the industries most targeted by cybercriminals. The sensitive data stored at these institutions is valuable to hackers because it includes information such as social security numbers, names, home addresses, and health history. Cybercriminals can use this information to create believable phishing emails or sell it online for identity theft, according to NordLayer, which provides network security for businesses of all sizes.
Lisa Pierce Reisz, a member of the law firm Epstein Becker Green in Columbus, Ohio, said healthcare providers or health plans that create or offer health apps to their patients or members must be aware of how these apps are collecting, using, storing, and guarding PHI. Similarly, developers who are creating health apps for a covered entity are likely to be that entity’s business associate and will have their own HIPAA obligations.
“Further, these particular health app developers should be building privacy and security protections into their apps that meet the standards required by HIPAA,” Reisz said. “Ongoing vigilance regarding uses and disclosures of PHI, especially with respect to innovative technology such as health apps, should be a hallmark of each provider or health plan’s HIPAA compliance program.”
Ensuring that health apps created or offered by a HIPAA-covered entity are actually baked into the covered entity’s HIPAA compliance plan can be challenging, she noted. “It requires that the practice identify which technologies have been adopted, ensure that the practice has done some due diligence to ensure that the health app has been developed in a HIPAA-compliant manner, and understands how the health app collects, uses, and discloses PHI,” Reisz said.