This poses several data challenges that private companies and healthcare organizations need to manage, says Aloha McBride, a global health leader at EY.
“Even when health information is in a de-identified format, it can often be reidentified with low effort using machine learning or artificial intelligence approaches,” she says.
Here are three reasons why data security can be problematic for consumer health technologies as they become more popular and essential:
1. HIPAA Protection Does Not Extend to Wearables and Apps
Although HIPAA is the most far-reaching health privacy law in the United States, it covers only information created, received or maintained by or on behalf of healthcare providers and health plans. User data generated by or uploaded to health apps or wearables is not subject to HIPAA rules, the foundation’s report notes.
Once that data is transferred to a consumer’s mobile device, or if it is generated by the device itself, there is no nationwide governance that can protect the data.
Some states, however, are expanding their definitions of protected personal data to include medical or health data, but no nationwide expansion of the definition yet exists, says Sara Jodka, a partner with Dickinson Wright who is co-leader of the firm’s U.S. cybersecurity practice and chair of the firm’s Healthcare Information Privacy and Security Task Force.
Although policy-savvy patients might think their self-generated medical information automatically triggers HIPAA protection, “in the case of wearables and limited application of HIPAA outside the actual healthcare context, HIPAA rarely applies,” Jodka says.
2. Private Companies Aren’t Required to Be Protective and Transparent
Many third-party apps do not provide users with clear terms of data usage; 81 percent of apps for depression and smoking cessation share data for marketing and advertising purposes, according to a 2019 report in JAMA Network Open.
Private companies could be using consumer health data to develop new products, to inform advertising or even to sell it to third parties, the foundation’s report finds. Consumers’ lack of awareness can make them overly trusting in what they share with apps and related devices.
“Personal information, including health data, is being collected by internet service providers and third-party analytics companies to be sold to marketing agencies,” McBride says. “Moreover, a culture of social media and data sharing has encouraged people to share personal information on internet forums not regulated under HIPAA.”
A need and opportunity exist for private companies to adopt a health privacy framework that provides accountability for the handling of health data that falls outside the bounds of HIPAA, the report notes.
A self-regulatory model that includes company-specific policies for health data collection and security could exist alongside an expansion of HIPAA, McBride says.