Health apps could be heading into a HIPAA showdown

Some of the steam has gone out of the fitness wearables space, and the market for wearables (and accompanying apps) that collect more serious health data (like blood sugar levels) seems to be gaining steam.

Recent announcements from Samsung and Apple of their intentions to operate large health data platforms to collect and store health data for such apps and devices will only accelerate the growth of the space.

Samsung’s SAMI platform and Apple’s HealthKit platform also provide a place where healthcare providers might access the health data, as the two companies’ partnerships with high-profile medical centers prove. Both companies are also said to be working with Epic, a leading electronic health record vendor for large medical groups and hospitals.

But when a consumer app or device starts sharing personal data with a healthcare provider, people start getting very concerned about security and privacy issues. In the health world, the privacy of personal health data is regulated under the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 to provide a set of rules protecting personal health information. So the question becomes: under what circumstances does the health data collected by consumer devices and app become “protected health information (PHI)”.

Consumer apps & HIPAA

It depends on who is using them, says Adam Greene, a partner in the Health IT/HIPAA practice at the Washington DC law firm Davis Wright Tremaine.

“Right now, there’s a big distinction between between apps that were created for use by healthcare providers and apps that were intended for use by consumers,” Greene’s last job was at the Department of Health and Human Service’s (HHS) Office of Civil Rights, which acts as an enforcement arm for HIPAA.

“It’s certainly something that the tech companies have to be aware of, but in general HIPAA doesn’t apply to consumer data,” Greene says. “Whether or not it applies is more about who is handling the data than about the content of the data itself.”

Greene says that if a consumer app containing even the most sensitive health information would not be subject to HIPAA laws, because the app is acting on behalf of a consumer, not a health system.

Feedback loops

But things might get a little more complicated once the next generation of consumer health apps begin transmitting data to the cloud, where healthcare providers can access it. We may enter a system where health data is moving from consumer apps and devices to provider information systems and back again.

“If an app just captures data on a mobile device and stores it on your phone, it isn’t that useful,” says Jason Wang, founder and CEO of TrueVault, makes an API that readies health apps for HIPAA compliance.

“Consumers want to be able to share their health data with their doctor and have him or her send back feedback like ‘you need to run more’ or ‘you need to eat less.’”

It’s that feedback loop that really benefits the consumer, Wang says, but it’s also the thing that may put consumer app developers under the watchful eye of HIPAA.

“Any information that’s used in the course of a healthcare service is protected health information and needs to be HIPAA compliant,” he says.

HIPAA adapts to digital health

The problem for many health app developers is that the spector of HIPAA remains a moving target. They speculate on scenarios in which their apps might become subject to the law, while at the same time, HHS’s conception of its role in digital health seems to be evolving.

Only last year the government widened the scope of HIPAA. The law was was originally aimed at clinics, hospitals, and insurers but was last year expanded to address computer systems that manage health information.

In a January update to its rules, HHS expanded the scope of HIPAA to cover “business associates”, which commonly refers to information-systems vendors or contractors but could include app developers if their app sends or receives PHI. The agency also upped the maximum fine per HIPAA violation to $1.5 million.

HHS has put it on insurers and providers to comply with HIPAA and continually monitor the privacy of the health data they handle. But the agency is becoming more aggressive. HHS has said it plans this year to survey 1,200 covered entities and business associates to identify candidates for auditing.

Apple, meet HIPAA?

Apple and Samsung will need to take careful steps to stay clear of HHS and HIPAA rules. That might be difficult.

By definition, an information system that “manages and transmits” protected health information (PHI) is subject to the privacy rules in HIPAA, explains Dr. Travis Good, MD, CEO and Co-founder of Catalyze, Inc. Good is an expert in HIPAA compliance and security issues concerning health information systems.

“It’s hard to argue that a platform called HealthKit is not collecting personal health information and that they would not have to follow the same healthcare privacy requirements that other healthcare information systems are forced to comply with,” Good says.

When Samsung and Apple opened up the door to Epic and other health information systems, they indicated that they intended to transmit personal health information, Good says.

So far, Apple and Samsung have said little about how they intend to secure the data in their health data in their platforms.

For app developers, integrating with the big health platforms might force them to think seriously about HIPAA compliance.

“It is my understanding that Apple HealthKIt allows app developers to share data between apps,” says Jeff Brandt, a health data security expert known for developing the first secure Personal Health Record (PHR).

“This could lead to more opportunities for data breach. If healthcare providers are going to recommend or collect data from these apps, they will need BAA (Business Associates Agreement) from each of the app developers,” Brandt says.

This may actually put Apple and Samsung in the odd position of making sure that apps reporting into their platforms are HIPAA compliant. It’s a safe assumption that those companies don’t want to get into the compliance business. It’s unlikely that privacy compliance will be a criteria for acceptance into the app stores anytime soon.

To be sure, we’re in the very early days of consumer health platforms. But it’s clear that the data privacy obligations of both platforms and apps will play a big role in shaping the consumer-driven health movement in coming years.