Protecting Patient Privacy

Digital Health Data Regulations

August 12, 2021  |   by Avantika Pathak

Share on facebook
Share on twitter
Share on linkedin
Share on email

Remote health monitoring through wearable technology has become commonly used worldwide to track body weight, workouts, heart rate, and more. But while we focus on monitoring our health, we remain blissfully unaware of having opened a window for data-hungry vendors to do the same.

Testing done by The Wall Street Journal revealed that the Flo Period & Ovulation Tracker, an app with about 25 million users, was sharing data on when users were having their period or even intending to get pregnant with Facebook.1 It also discovered that one of Apple’s most popular heart-rate apps, Instant Heart Rate: HR Monitor by Azumio Inc., was recording its users’ heart rates and immediately sending them to Facebook.1

Earlier this year, a Knight Ink vulnerability research study revealed that vulnerable APIs of 30 popular mobile health (mHealth) apps expose protected health information (PHI) and personally identifiable information (PII) of at least 23 million mHealth users.2 The privacy risks identified by Knight Ink were further corroborated by Tangari et al.’s cross-sectional study that assessed more than 20,000 mHealth apps on the Google Play store.3 Their in-depth analysis found that 88% of apps can access and share personal data, while 87% of data collection operations involved third parties.3 Additionally, despite the routine acquisition of user information by mHealth apps, their data collection processes often lacked transparency and security.3

EXHIBIT 1

With more than 318,000 mHealth apps currently in the market and a 25% increase in health app downloads since the start of the Covid-19 pandemic, the breach of privacy is likely more extensive.4,5 Given the exponential growth in the amount and value of individualized personal data digital health tech companies are collecting, it is crucial for these companies to actively secure user data and disclose what information they are sharing with third-party vendors.

Linda Malek, a partner at Moses and Singer, confirmed that of all the regulatory enforcement activity currently governing the digital health space, data privacy is a top priority for state and federal policymakers. Since HIPAA does not generally apply to health apps and wearables directly, the FTC has become the primary federal agency to enforce consumer data protection in this area. It sets consumer expectations, establishes best practices to build privacy and security into the app, and monitors compliance with broader federal policies around data privacy.6 The agency also created an interactive tool to help health app developers determine which federal laws apply and provide guidance on how to market the app to consumers and implement data security appropriately.6

"Unfortunately, HIPAA regulations do not generally apply to apps and wearables collecting health data because these technologies are often not business associates of other covered entities. The FTC has stepped in to ensure transparency and fairness, but certain gaps remain, which at this point are gradually being filled by evolving state laws."

—Linda Malek, Partner, Moses and Singer

Malek emphasized a substantial evolution in data privacy oversight at the state level that extends to digital health technology. The three states that currently have the most comprehensive consumer data privacy laws are California, Colorado, and Virginia.7

EXHIBIT 2

It is important to note that sensitive personal data such as genetic and biometric information is a subset of personal data under California and Virginia law and would, therefore, be covered by all provisions pertaining to personal data.8 For digital health technology companies, laws governing biometric information should be of particular interest as it includes any “physiological, biological, or behavioral characteristics” that can be used to “establish individual identity.”9

 

Although not as restrictive as California and Virginia laws, Colorado’s data privacy law stands out for specific provisions. For example, it applies to nonprofit entities and shares certain obligations with the European Union’s General Data Protection Regulation (“GDPR”), the world’s most rigid privacy and security law.10, 11 Thus, startups that have undergone the EU’s GDPR compliance are primed to succeed in Colorado. Malek also revealed that companies should keep an eye on New York’s newly proposed privacy act, NYPA, which, if passed, would go beyond California and Virginia privacy laws in protecting personal data.

EXHIBIT 3

With no comprehensive federal law on the horizon, states are likely to retain primary control of data privacy legislation.12 However, in response to the wide variation in state legislatures, the Uniform Law Commission has approved the Uniform Personal Data Protection Act. This model bill acts as a template for uniform state privacy legislation.7 Nevertheless, until state laws adopt this template, Malek recommends digital health companies abide by the state with the most stringent policies.

Finally, concerning upcoming federal policies that could impact data collection and transfer in the digital health community, Malek believes the newly adopted information blocking rule is one to watch. The Office of the National Coordinator for Health Information Technology’s (ONC) final rule on information blocking, also known as Section 4004 of the 21st Century Cures Act, is designed to support interoperability and the free but secure flow of patient information across the healthcare ecosystem.13

The rule prevents any healthcare stakeholder such as EHR vendor from engaging in practices that would "interfere with, prevent, or materially discourage access, exchange, or use of electronic health information."

EXHIBIT 4

This rule would essentially enhance patients’ access to their electronic health information through third-party applications that use certified API technology. It would also advance health care provider needs by allowing natural language processing (NLP) and artificial intelligence (AI) tools to extract knowledge from large amounts of medical data.14 However, it is not prudent for digital health companies to jump too quickly to take advantage of one federal agency’s push for free-flowing data; data privacy and security exemptions still apply among the eight exemptions defined under this rule. The implications of how the FTC and states’ legislature will interpret this rule for different digital health technologies are also still unknown. Thus, the privacy and security of personal data should always be a top priority for digital health companies!

Linda serves on the Education Advisory Board of the International Association of Privacy Professionals (IAPP) and has served as Chair of the Health Law and Policy Coordinating Committee of the Health Law Section of the American Bar Association. To learn more about patient data privacy and the evolving digital health regulations, or get in touch, please click here.

About the Author

Avantika Pathak is pursuing a doctorate in pharmacy at the USC School of Pharmacy.

  1. Schechner S, Secada M. You Give Apps Sensitive Personal Information. Then They Tell Facebook. Wall Street Journal. 22 Feb 2019. https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636
  2. Chmielewski D. Mobile Health Apps Systematically Expose PII and PHI Through APIs, New Findings from Knight Inc and Aproov Show. Business Wire. 9 Feb. 2021. https://www.businesswire.com/news/home/20210209005461/en/Mobile-Health-Apps-Systematically-Expose-PII-and-PHI-Through-APIs-New-Findings-from-Knight-Ink-and-Approov-Show
  3. Tangari G, Ikram M, Ijaz K, Kaafar MA, Berkovsky S. Mobile health and privacy: cross sectional study. BMJ. 2021 Jun 16;373:n1248.
  4. Franklin R. 11 Surprising Mobile Health Statistics. Mobius MD. 20 Mar 2019. https://mobius.md/2019/03/20/11-mobile-health-statistics/
  5. Evenstad L. Covid-19 has Led to a 25% Increase in Health App Downloads, Research Shows. Computer Weekly. 12 Jan 2021. https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows
  6. Mobile Health App Developers: FTC Best Practices. Federal Trade Commission. Apr 2016. https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-app-developers-ftc-best-practices
  7. State Laws Related to Digital Privacy. National Conference of State Legislatures. 22 Jul 2021. https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx
  8. Smith S, Cooney J, Powers B, Julian D. Analysis and Comparison: The Virginia Consumer Data Protection Act and California Privacy Laws. Paul Hastings. 17 Feb 2021. https://www.paulhastings.com/insights/ph-privacy/analysis-and-comparison-the-virginia-consumer-data-protection-act-and
  9. Robert B. Biometrics and the CCPA. Terms Feed. 22 Mar 2021. https://www.termsfeed.com/blog/ccpa-biometrics/#Is_Biometric_Information_Personal_Information_Under_The_Ccpa
  10. Bergsieker R, Erickson S, Ziykovic L, Hornbeck E. The Colorado Privacy Act: Enactment of Comprehensive U.S. State Consumer Privacy Laws Continues. Gibson Dunn. 9 Jul 2021. https://www.gibsondunn.com/the-colorado-privacy-act-enactment-of-comprehensive-u-s-state-consumer-privacy-laws-continues/
  11.  Wolford B. What is GDPR, the EU’s New Data Protection Law. GDPR.EU. https://gdpr.eu/what-is-gdpr/
  12.  Rakoski R. Expanded New York Data Privacy Laws Loom in 2021. Secure World. 2 Feb 2021. https://www.secureworld.io/industry-news/new-york-data-privacy-laws-loom
  13. Anderson R, Murray A, Mamillapalli S. The New Information Blocking Rules: What Providers Need to Know Before the April 5 Deadline. Connecticut Health Law Blog. 26 Feb 2021. https://cthealthlawblog.com/?p=924 
  14.  Cures Act Information Blocking Rule Takes Effect. Foresee Medical. 26 Mar 2021. https://www.foreseemed.com/blog/information-blocking-final-rule

Say Hello