Issues on Sharing Health Data with Non-HIPAA Covered Entities Using Apps and Consumer Devices

The eHealth Initiative Foundation and Manatt Health have published a brief calling for a values framework to effectively protect health data that is gathered, stored, and used by organizations the law does not require to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules.

Medical information is increasingly being collected by applications and consumer devices. Often, the types of data these apps and devices obtain are identical to the information that healthcare organizations collect and use. Although healthcare organizations must implement safeguards to ensure the confidentiality, integrity and availability of health data and to restrict its uses and disclosures, the rules governing the data differ depending on which entity collects it.

No matter what kind of organization uses or stores the data, exposure of that information is likely to cause substantial harm. However, this is currently a gray area that is not adequately addressed by existing regulations.

When HIPAA and the subsequent Privacy and Security Rules were enacted, the extent to which apps and consumer devices would gather and use health data could not have been anticipated. Today, new rules are needed to ensure that health data collected by non-HIPAA covered entities is not exposed and remains private and confidential.

Some laws have been introduced that cover health information gathered by apps and consumer devices, such as the California Consumer Privacy Act (CCPA). However, these laws apply only at the state level, and consumer protections vary considerably from one state to another.

HIPAA was updated by the HITECH Act in 2009, which covers electronic health records and health IT but does not cover apps and consumer devices. GDPR applies to consumer data gathered by apps and consumer devices, but only for firms that do business with EU residents.

The brief, Risky Business? Sharing Data with Entities Not Covered by HIPAA, studies the problem and the scope of data sharing, and aims to clear up some of the confusion about how HIPAA relates to data collected by apps and consumer devices. It also explores other federal guidance and regulations issued by the FDA, FTC, and CMS covering mobile applications and consumer devices.

HIPAA applies to business associates of HIPAA covered entities that provide applications and devices on behalf of a covered entity. However, if the application or device is not provided by a vendor acting as a business associate of a HIPAA covered entity, the HIPAA Rules do not apply. Many healthcare organizations have difficulty determining whether a vendor is a business associate and whether devices and applications are provided on behalf of the covered entity. The brief attempts to clarify this normally complex process.

One specific concern is the growing number of individuals who use genealogy services and give businesses their DNA. People volunteer this information, yet many are unaware of the consequences of doing so, not to mention the lucrative DNA market in which DNA profiles are sold.

Privacy and security are serious issues in healthcare, especially given rapidly changing technology and regulations. Even with new laws such as the CCPA and GDPR emerging, many gray areas in the use and security of consumer data remain to be settled. Papers such as this can help the industry and policy makers understand and address the world's evolving privacy issues.