The 1996 Health Insurance Portability and Accountability Act (HIPAA) is America’s statutory foundation to ensure patient privacy and the security of protected health information. Patients rely on HIPAA to protect health information communicated during a doctor’s visit.
However, that same health information is not similarly protected if patients input or record that information on social media, health tech apps, or smart tech, as none of those technologies are subject to HIPAA regulation.
As future Harvard-educated lawyers, you will play a critical role in the important work of protecting patient privacy in emerging technologies.
As lawyers, you can apply your legal and analytical skills to carefully comb through the standard terms and conditions of software applications before electing whether to enter your protected health information in that medium. However, it is doubtful that many Americans without a lawyer’s training can understand the terms to which they are consenting.
In 2014, nearly one-third of U.S. smartphone owners, comprising 46 million individuals, used fitness and/or health apps. This is clearly a trend that has grown widely, and it is a pivotal item on the agenda for lawmakers and health privacy advocates to address.
When an individual opens a shiny new gadget, it is doubtful that the proud owner considers the ramifications of entering personal health habits into that device or whether any of the health information that the device tracks is protected. Since these technologies are not classified as covered entities, they are not bound by HIPAA regulations.
One interesting twist when considering the reach of mobile apps is the interoperability of these apps with covered entities. For instance, if an individual uses an app to track steps, and then transmits the data to a physician, the app is still not considered a covered entity under HIPAA, and the data used by the app is not protected. However, once that data is transmitted to a doctor’s office, the data held by the provider is then under the protection of the covered entity, and in that context is bound by HIPAA.
A few months ago, there was news of a collaboration between an eye health product company and a software company that planned to deliver an app for physician use in coordinating care for cataract surgery. While this is an exciting development, it is important for lawyers to consider the risks mentioned earlier.
One, two companies with economic interests in eye health and software technology are producing this app.
Two, there are currently limited standards to prevent those companies from advertising their products within a forum that stores a patient’s pre-surgical information.
Three, there are limited protections against data mining and using a patient’s protected health information which was entered in that forum.
Finally, while eye physicians are HIPAA-bound, the software vendors are not.
In the meantime, apps are held to federal standards only on a limited basis. Health app vendors are considered non-covered entities, and since they are not acting as business associates to covered entities, they are not bound by HIPAA. However, they are subject to penalties by the Federal Trade Commission in its capacity as a consumer protection enforcement authority, as emphasized in a 2016 Department of Health and Human Services report. In this role, the FTC has the capacity to protect the public against devices or apps with false or deceptive claims. For example, the FTC took action against a company that claimed its app was capable of diagnosing melanoma.
If you have decided that you are not at ease with sharing your protected health information with entities unbound by HIPAA, at least you are making an informed decision. Yet, the decision to provide this data is not always voluntary. As outlined in the HHS report, some companies offer wellness programs in which employees log their health performances and, optimistically, their improvements. The employees receive financial incentives for participating in these programs.
In the case mentioned earlier, if you are a patient and your surgeon strongly recommends that you use a particular app to record your health as you are scheduled for surgery in two weeks and your surgeon would like to coordinate your care with other physicians on the team, it is doubtful that you would decline the use of that app.
In 2006, 27% of Internet users and 20% of adults had used online tools to track their weight, exercise routines, food logs, and symptoms. For instance, social media homepages are filled with photos of friends’ dinner preparations or diet goals. As in the case of software, social media is not considered a covered entity or a business associate, so it is not bound by HIPAA. Therefore, data recorded and then stored in these forums is not protected by HIPAA. A study found that of the diabetes websites monitored, only 50% had material that was consistent with medically recommended guidance. Out of ten sites, seven did not permit users to restrict the visibility of their profiles, five included advertisements that were not labeled, and three professed to offer cures for diabetes.
Although social media sites provide the positive benefits of offering social support as individuals embark on daunting new diets, and Twitter is used to identify public health trends, it is important to be alert to the digital breadcrumbs you are sprinkling. When using such sites, patients leave behind digital footprints on a non-covered entity (or its business associate), and therefore those footprints are not protected by HIPAA. As apps, social media sites, and wearable technology companies are not subject to HIPAA, these entities are not even obligated to provide their consumers with access to their own health data unless otherwise stipulated in their standard terms and conditions.
Ransomware and hackers are also risks that consumers of these products must consider. Unfortunately, there have recently been multiple cases of ransomware infecting hospital systems to the point where hospitals have resorted to paying thousands of dollars to recover their data and to treat their patients.
As we usher in the digital age, ransomware will be among the major risks that stem from the promise of interconnectivity offered through cloud computing. Covered entities such as hospitals are legally bound by HIPAA to act against those threats and to remain constantly vigilant to protect patient data.
With the rapid spread of these trends, personal health information that is recorded in these forums is being recognized as a critical resource that should be protected. At the foundational level, consumers must learn about the impact of recording their health information in these forums and have the ability to decline to do so.
The allure of smart tech to health care will skyrocket in the next few years, as will no doubt your legal careers. For those of you planning to work in legislation, it is up to you to draft laws that safeguard the privacy of the protected health information of your fellow Americans within these emerging technological forums. For those of you pursuing careers as court attorneys or judges, you will argue or arbitrate within the framework of these and future established laws. For those of you joining tech startups as legal advisors, it is up to you to faithfully counsel your company as to the legal implications of the reach of your product, and to identify future legal risks posed by the powerful potential of your creation.
As you identify your niche within the legal profession, remember the broad purpose of HIPAA to protect the personal health information of all Americans, and aspire to continue the mission of those ideals within the current age of innovation.