Navigating Privacy Regulations for Health Data

By TAP Staff Blogger

Posted on April 18, 2016


The development of health and wellness apps for mobile devices is growing rapidly. According to a recent LA Times article, there are “more than 165,000 involving health and wellness currently available for download.” Some of the most popular apps include Plant Nanny, a reminder to drink water; Sworkit, a personalized exercise video player; and HeartWatch, a heart rate tracker that's hooked up to the Apple Watch. Additionally, the Fitbit counts steps; the June bracelet measures sun exposure; and, the Sleep Cycle app measures the quality of sleep.


The LA Times article points out that “experts see almost unlimited promise in the rise of mobile medical apps, but they also point out that regulation is sometimes lagging the pace of innovation, which could harm consumers.” In addition to misleading medical advice that some apps provide (e.g., a popular app measuring patients' blood pressure missed hypertension more than three-fourths of the time), there are security and privacy concerns regarding the personal health data gathered, stored, and transmitted by these apps.


Some apps are interactive and are capable of transmitting data to health professionals, or to other third parties, with or without the consumer’s knowledge. These apps are subject to myriad privacy and data protection laws, depending on the nature and purpose of the app and the data it collects.


To help app developers navigate this legal maze, earlier this month the Federal Trade Commission (FTC) launched an interactive online tool for app developers, as well as a Best Practices Guide for mobile health app developers. The FTC developed the tool in conjunction with the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC), the Office for Civil Rights (OCR), and the Food and Drug Administration (FDA).


“Mobile app developers need clear information about the laws that apply to their health-related products,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection in a press release. “By working with our partner agencies, we’re helping these businesses build apps that comply with the law and provide more protection for consumers.”


Another resource for understanding the privacy regulations relating to personal health data is the upcoming Privacy + Security Forum in October. The Forum is organized by two leading international experts on privacy: Professor Paul Schwartz, UC Berkeley School of Law, and Professor Daniel Solove, George Washington University Law School.


The sessions relating to healthcare privacy and security cover topics including health data breaches, health data and big data, HIPAA and non-HIPAA data, and health data stewardship. Professors Solove and Schwartz have designed an intensive, pre-conference Health Privacy + Security Day that will allow professionals from health and privacy organizations to immerse themselves in focused seminar-style discussions for an entire day. Additionally, several other health privacy and security sessions will be interspersed throughout the two-day forum. These cover issues such as hot topics in healthcare privacy, Health & Human Services (HHS) initiatives in privacy, and health information research with new technologies.


This will be the second year for the Privacy + Security Forum. University of Maryland law professor Frank Pasquale had this to say of last year’s forum:


The Forum is a must-attend conference for those working in the privacy field. The organizers have managed to attract top-notch speakers, addressing the most cutting-edge (and technically difficult) topics in law, technology, and privacy best practices. Specific topics like health and education are particularly well-covered.


The Privacy + Security Forum is currently offering ‘genius bird’ rates through April 30th.