August 12, 2021 | by Avantika Pathak
Remote health monitoring through wearable technology has become commonly used worldwide to track body weight, workouts, heart rate, and more. But while we focus on monitoring our health, we remain blissfully unaware of having opened a window for data-hungry vendors to do the same.
Testing done by The Wall Street Journal revealed that the Flo Period & Ovulation Tracker, an app with about 25 million users, was sharing data on when users were having their period or even intending to get pregnant with Facebook.1 It also discovered that one of Apple’s most popular heart-rate apps, Instant Heart Rate: HR Monitor by Azumio Inc., was recording its users’ heart rates and immediately sending them to Facebook.1
Earlier this year, a Knight Ink vulnerability research study revealed that vulnerable APIs of 30 popular mobile health (mHealth) apps expose protected health information (PHI) and personally identifiable information (PII) of at least 23 million mHealth users.2 The privacy risks identified by Knight Ink were further corroborated by Tangari et al.’s cross-sectional study that assessed more than 20,000 mHealth apps on the Google Play store.3 Their in-depth analysis found that 88% of apps can access and share personal data, while 87% of data collection operations involved third parties.3 Additionally, despite the routine acquisition of user information by mHealth apps, their data collection processes often lacked transparency and security.3
EXHIBIT 1
With more than 318,000 mHealth apps currently in the market and a 25% increase in health app downloads since the start of the Covid-19 pandemic, the breach of privacy is likely more extensive.4,5 Given the exponential growth in the amount and value of individualized personal data digital health tech companies are collecting, it is crucial for these companies to actively secure user data and disclose what information they are sharing with third-party vendors.
Linda Malek, a partner at Moses and Singer, confirmed that of all the regulatory enforcement activity currently governing the digital health space, data privacy is a top priority for state and federal policymakers. Since HIPAA does not generally apply to health apps and wearables directly, the FTC has become the primary federal agency to enforce consumer data protection in this area. It sets consumer expectations, establishes best practices to build privacy and security into the app, and monitors compliance with broader federal policies around data privacy.6 The agency also created an interactive tool to help health app developers determine which federal laws apply and provide guidance on how to market the app to consumers and implement data security appropriately.6
"Unfortunately, HIPAA regulations do not generally apply to apps and wearables collecting health data because these technologies are often not business associates of other covered entities. The FTC has stepped in to ensure transparency and fairness, but certain gaps remain, which at this point are gradually being filled by evolving state laws."
Malek emphasized a substantial evolution in data privacy oversight at the state level that extends to digital health technology. The three states that currently have the most comprehensive consumer data privacy laws are California, Colorado, and Virginia.7
EXHIBIT 2
It is important to note that sensitive personal data such as genetic and biometric information is a subset of personal data under California and Virginia law and would, therefore, be covered by all provisions pertaining to personal data.8 For digital health technology companies, laws governing biometric information should be of particular interest as it includes any “physiological, biological, or behavioral characteristics” that can be used to “establish individual identity.”9
Although not as restrictive as California and Virginia laws, Colorado’s data privacy law stands out for specific provisions. For example, it applies to nonprofit entities and shares certain obligations with the European Union’s General Data Protection Regulation (“GDPR”), the world’s most rigid privacy and security law.10, 11 Thus, startups that have undergone the EU’s GDPR compliance are primed to succeed in Colorado. Malek also revealed that companies should keep an eye on New York’s newly proposed privacy act, NYPA, which, if passed, would go beyond California and Virginia privacy laws in protecting personal data.
EXHIBIT 3
With no comprehensive federal law on the horizon, states are likely to retain primary control of data privacy legislation.12 However, in response to the wide variation in state legislatures, the Uniform Law Commission has approved the Uniform Personal Data Protection Act. This model bill acts as a template for uniform state privacy legislation.7 Nevertheless, until state laws adopt this template, Malek recommends digital health companies abide by the state with the most stringent policies.
Finally, concerning upcoming federal policies that could impact data collection and transfer in the digital health community, Malek believes the newly adopted information blocking rule is one to watch. The Office of the National Coordinator for Health Information Technology’s (ONC) final rule on information blocking, also known as Section 4004 of the 21st Century Cures Act, is designed to support interoperability and the free but secure flow of patient information across the healthcare ecosystem.13
The rule prevents any healthcare stakeholder such as EHR vendor from engaging in practices that would "interfere with, prevent, or materially discourage access, exchange, or use of electronic health information."
EXHIBIT 4
This rule would essentially enhance patients’ access to their electronic health information through third-party applications that use certified API technology. It would also advance health care provider needs by allowing natural language processing (NLP) and artificial intelligence (AI) tools to extract knowledge from large amounts of medical data.14 However, it is not prudent for digital health companies to jump too quickly to take advantage of one federal agency’s push for free-flowing data; data privacy and security exemptions still apply among the eight exemptions defined under this rule. The implications of how the FTC and states’ legislature will interpret this rule for different digital health technologies are also still unknown. Thus, the privacy and security of personal data should always be a top priority for digital health companies!
Linda serves on the Education Advisory Board of the International Association of Privacy Professionals (IAPP) and has served as Chair of the Health Law and Policy Coordinating Committee of the Health Law Section of the American Bar Association. To learn more about patient data privacy and the evolving digital health regulations, or get in touch, please click here.
About the Author
Avantika Pathak is pursuing a doctorate in pharmacy at the USC School of Pharmacy.
NYC Health Innovation Week (NYCHIW) brings together the executives, founders, and policymakers who decide which innovations move from pilot purgatory to deployment at scale.
Summary of evidence paper of IndyGeneUS Bio
HITLAB today announced a new partnership with VitalFriend to support a comprehensive program of platform assessment, evidence development, and thought-leadership communications.
This white paper presents HITLAB’s independent heuristic evaluation of the Watch Our Own platform, a connected caregiving solution designed to support caregivers in monitoring and assisting individuals requiring additional care through a smartwatch and mobile application ecosystem. The platform aims to enhance safety, coordination, and peace of mind by enabling real-time health monitoring, location tracking, emergency alerts, caregiving group communication, and access to critical medical information.
Please confirm you want to block this member.
You will no longer be able to:
Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.
