
August 12, 2021 | by Avantika Pathak
Remote health monitoring through wearable technology has become commonly used worldwide to track body weight, workouts, heart rate, and more. But while we focus on monitoring our health, we remain blissfully unaware of having opened a window for data-hungry vendors to do the same.
Testing done by The Wall Street Journal revealed that the Flo Period & Ovulation Tracker, an app with about 25 million users, was sharing with Facebook data on when users were having their period or were even intending to get pregnant.[1] It also discovered that one of Apple’s most popular heart-rate apps, Instant Heart Rate: HR Monitor by Azumio Inc., was recording its users’ heart rates and immediately sending them to Facebook.[1]
Earlier this year, a Knight Ink vulnerability research study revealed that vulnerable APIs in 30 popular mobile health (mHealth) apps expose the protected health information (PHI) and personally identifiable information (PII) of at least 23 million mHealth users.[2] The privacy risks identified by Knight Ink were further corroborated by Tangari et al.’s cross-sectional study, which assessed more than 20,000 mHealth apps on the Google Play store.[3] Their in-depth analysis found that 88% of apps can access and share personal data, and that 87% of data collection operations involved third parties.[3] Additionally, despite the routine acquisition of user information by mHealth apps, their data collection processes often lacked transparency and security.[3]
EXHIBIT 1
With more than 318,000 mHealth apps currently on the market and a 25% increase in health app downloads since the start of the Covid-19 pandemic, the breach of privacy is likely far more extensive.[4,5] Given the exponential growth in the amount and value of individualized personal data that digital health tech companies are collecting, it is crucial for these companies to actively secure user data and disclose what information they share with third-party vendors.
Linda Malek, a partner at Moses and Singer, confirmed that of all the regulatory enforcement activity currently governing the digital health space, data privacy is a top priority for state and federal policymakers. Since HIPAA does not generally apply to health apps and wearables directly, the FTC has become the primary federal agency enforcing consumer data protection in this area. It sets consumer expectations, establishes best practices for building privacy and security into an app, and monitors compliance with broader federal policies on data privacy.[6] The agency has also created an interactive tool to help health app developers determine which federal laws apply to them, and to provide guidance on how to market an app to consumers and implement data security appropriately.[6]
"Unfortunately, HIPAA regulations do not generally apply to apps and wearables collecting health data because these technologies are often not business associates of other covered entities. The FTC has stepped in to ensure transparency and fairness, but certain gaps remain, which at this point are gradually being filled by evolving state laws."
Malek emphasized a substantial evolution in data privacy oversight at the state level that extends to digital health technology. The three states that currently have the most comprehensive consumer data privacy laws are California, Colorado, and Virginia.[7]
EXHIBIT 2
It is important to note that sensitive personal data such as genetic and biometric information is a subset of personal data under California and Virginia law and would, therefore, be covered by all provisions pertaining to personal data.[8] For digital health technology companies, the laws governing biometric information should be of particular interest, since that category includes any “physiological, biological, or behavioral characteristics” that can be used to “establish individual identity.”[9]
Although not as restrictive as the California and Virginia laws, Colorado’s data privacy law stands out for specific provisions. For example, it applies to nonprofit entities and shares certain obligations with the European Union’s General Data Protection Regulation (“GDPR”), the world’s most rigid privacy and security law.[10,11] Thus, startups that have already achieved GDPR compliance are primed to succeed in Colorado. Malek also noted that companies should keep an eye on New York’s newly proposed privacy act, the NYPA, which, if passed, would go beyond the California and Virginia privacy laws in protecting personal data.
EXHIBIT 3
With no comprehensive federal law on the horizon, states are likely to retain primary control of data privacy legislation.[12] However, in response to the wide variation among state laws, the Uniform Law Commission has approved the Uniform Personal Data Protection Act. This model bill acts as a template for uniform state privacy legislation.[7] Nevertheless, until state laws adopt this template, Malek recommends that digital health companies abide by the rules of the state with the most stringent policies.
Finally, concerning upcoming federal policies that could impact data collection and transfer in the digital health community, Malek believes the newly adopted information blocking rule is one to watch. The Office of the National Coordinator for Health Information Technology’s (ONC) final rule on information blocking, also known as Section 4004 of the 21st Century Cures Act, is designed to support interoperability and the free but secure flow of patient information across the healthcare ecosystem.[13]
The rule prevents any healthcare stakeholder, such as an EHR vendor, from engaging in practices that would "interfere with, prevent, or materially discourage access, exchange, or use of electronic health information."
EXHIBIT 4
This rule would essentially enhance patients’ access to their electronic health information through third-party applications that use certified API technology. It would also advance health care providers’ needs by allowing natural language processing (NLP) and artificial intelligence (AI) tools to extract knowledge from large amounts of medical data.[14] However, it is not prudent for digital health companies to jump too quickly to take advantage of one federal agency’s push for free-flowing data: data privacy and security exemptions are still among the eight exemptions defined under this rule. How the FTC and state legislatures will interpret this rule for different digital health technologies is also still unknown. Thus, the privacy and security of personal data should always be a top priority for digital health companies!
Linda serves on the Education Advisory Board of the International Association of Privacy Professionals (IAPP) and has served as Chair of the Health Law and Policy Coordinating Committee of the Health Law Section of the American Bar Association.
About the Author
Avantika Pathak is pursuing a doctorate in pharmacy at the USC School of Pharmacy.