Patient privacy laws have some big gaps when it comes to digital health, according to a recent report from the Office of the National Coordinator for Health Information Technology (ONC).
We’ve talked a lot about privacy issues in health apps in the past so this may not come as a shock to some of our regular readers. Prior guidance from the Office of Civil Rights (OCR), which enforces HIPAA rules, went to great lengths to tell us how hard it is for a health app to actually fall under HIPAA. For example, take information on your medical history and medications. If you give it to your doctor, it falls under HIPAA which stipulates all sorts of rules around disclosure, protection, and so on. If you put it into a health app that you download, no such rules apply.
ONC’s report cites several particularly notable scenarios where individuals using health apps basically have no rights or protections, assuming the health app discloses appropriately:
- Personal health records: That information may not actually be yours. Technically, people don’t have a “right” to access that data analogous to their right to access the same data held by a doctor.
- mHealth technologies: Yeup, that includes Fitbits but it also includes devices like blood pressure monitors, sleep monitors, activity monitors, and even home diagnostic tests. An app you download in which you enter sensitive health information like a serious illness or STI? Not covered. If it’s “direct to consumer,” then HIPAA generally doesn’t apply.
The report highlights many holes like those but doesn’t offer specific recommendations, instead leaving that up to Congress (that inspires confidence…). So in the meantime, it’s important to be an informed consumer when it comes to health apps and ask how they intend to use and protect your data, especially if you’re entering sensitive information.