Mobile apps for health care have broken new ground in monitoring, diagnosis, and treatment. Next week, some of the most advanced will be highlighted at the SXSW Accelerator competition.

These apps have the potential to advance health care, especially in parts of the world where quality care is distant. But they first have to overcome a huge obstacle. In addition to the funding challenges and routine tech hurdles that every startup must clear, healthcare apps have to wrestle with 19-year-old federal HIPAA guidelines, which often frustrate developers, who see the rules as impractical in the mobile world of 2015.

“I think it is one of the major challenges in the space right now and for the foreseeable future,” said David Whelan, chief business officer for Stemp, which makes a mechanism for continuously taking a patient’s temperature via a mobile device and is a finalist in the SXSW competition. “The conflict is the competing priorities between HIPAA requirements and making healthcare data measurable and accessible via mobile technology. HIPAA is outdated in very much the same way that intellectual property rights and copyright law have been outdated.

“We’ve seen this repeatedly over the past 10-15 years with the advent of digital media. These guidelines were written for another time, another era,” Whelan said.


Whelan added that part of the problem is the crowded community of people involved in any mobile healthcare data effort: regulators, insurers, doctors, and patients, all of whom have different perspectives.

Dana Abramovitz is a biochemist who is running the Health & MedTech Expo at next week’s SXSW event in Austin and she echoed Whelan’s concerns about the crowded mobile healthcare communities. But Abramovitz’s chief concern about that crowding is not the large number of players per se, but who is talking to whom — and who isn’t involved.

“The conversation currently is between the policy makers, the companies (making the mobile apps) and the hospitals,” Abramovitz said. “The person — the patient — that is who is being left out of the conversation. Why can I deposit a check on my mobile phone but I can’t e-mail the results of an MRI of my foot to my doctor?”

Is HIPAA even practical?

The essence of the HIPAA argument is that no healthcare personally identifiable information (PII) should be easily accessible to unauthorized people, whether that’s a marketer trying to sell products, an identity thief or a romantic partner who has temporary access to the patient’s phone. Some have interpreted this to forbid saving any information on the phone, opting instead to have it encrypted and securely transmitted to a hopefully secure server.

Another common issue: Any communication via e-mail or text is either banned by HIPAA or must be done in such a cryptic way as to make it useless to thieves if intercepted. (Example: “Dr. Smith, Patient 56729 has a result. Log in to your server to see what it is.”)

The problem is that this approach isn’t always practical, such as when the phone is in an area where Internet access is spotty. Frustratingly, those are precisely the places where these kinds of mobile health care capabilities can do the most good.

Consider MobileODT, which makes a device that leverages a phone’s capabilities to make cervical cancer diagnosis easier and much less expensive. Its device, according to CEO Ariel Beery, “transforms the phone into a long-range microscope” by physically attaching a specialized lens with a light-source and a battery pack.

“We’re adding an additional lens to (the phone’s) lens, making it a mix of a telescope and a microscope. The physician can then see a distance of 30 centimeters away at a magnification of between 10 and 25 times.”

The $1,800 device replaces the standard hospital-based mechanism, which costs more than 10 times as much, Beery said. But in many of the areas MobileODT focuses on, the mobile apparatus wouldn’t replace that large hospital equipment — because in those areas, there is no equipment. Instead, health workers make diagnoses with a flashlight and the naked eye.

Such diagnoses “are more often than not wrong,” resulting in a high rate of miscarriages and infections, Beery said. “They are treating five out of six women unnecessarily.”

Cloud storage to the rescue

Due to the HIPAA restrictions, the images captured by MobileODT’s app have to be shared with a cloud-based server and can’t be stored on the phone. (MobileODT is also a finalist in the SXSW competition.)

Another example comes from another finalist in the SXSW competition: Eko Devices, which creates a mobile-enhanced intelligent stethoscope that routes heart sounds to a phone via Bluetooth LE. It creates four 10-second .wav audio clips (each file is about 800KB) and then sends them to a server, with nothing stored on the phone, according to Eko COO Jason Bellet.

The idea is that the mobile app uses active noise-filtering and digital amplification software, creating a high-quality sound file that heart specialists anywhere in the world can listen to and diagnose. Bellet argues that this has huge cost implications, partially because there is little emphasis on diagnosing stethoscope sounds in medical schools today.

“There is an over-reliance on technology. We’re seeing $3,000 echocardiograms being used instead of a $15 exam,” Bellet said, suggesting that his device “creates an environment to hear heart sounds more clearly and more accurately” — and to share them more easily.

Although few health care mobile developers say that HIPAA strikes the right balance between privacy and innovation, some maintain that wholesale changes to HIPAA may not be necessary.

“I don’t disagree that (HIPAA) is horribly long and convoluted. But we haven’t found it to be too cumbersome,” MobileODT’s Beery said. “Just like most regulatory guidelines, HIPAA can be challenging to read and a bit clunky, especially since so much has changed in the digital sphere since it was written. That said, it shouldn’t be a barrier to health-interested startups.”

Innovation that honors HIPAA

Chandra Haas is the CEO of Securasi Rx Vault, which makes a health care app for psychiatrists. His position is that many of the HIPAA obstacles can be addressed with much more extensive use of encryption on mobile devices, something that some developers resist. In short, he puts the onus on developers, not HIPAA, to be more flexible.

Developers are “not innovating enough to allow for easy-to-use compliance within the existing rules. High levels of encryption should be baked into these products,” Haas said. “Typically, companies hash the password and use that as the encryption key and that’s simply not secure enough.

“It’s possible to innovate in a way that honors HIPAA. It is really not necessary to change HIPAA.”
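To make Haas’s point concrete, here is an added illustration (not code from Securasi Rx Vault or any company in the article) of the practice he criticises, a bare password hash used directly as the encryption key, next to a salted, deliberately slow derivation using only the Python standard library. The demo password, the 16-byte salt size and the key-check layout are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo password for illustration only; not a real credential.
DEMO_PASSWORD = "correct horse battery staple"


def weak_key_from_password(password: str) -> bytes:
    """The practice Haas criticises: a bare hash of the password used directly
    as the encryption key. It is unsalted and fast, so two users with the same
    password get the same key, and each offline guess costs one SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def derive_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, deliberately slow derivation with PBKDF2-HMAC-SHA256 from the
    standard library. A fresh salt per device or record means equal passwords
    yield different keys, and the iteration count makes every offline guess
    cost `iterations` HMAC computations instead of a single hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def new_salt() -> bytes:
    """Random salt (assumed 16 bytes); store it next to the ciphertext.
    It does not need to be secret, only unique."""
    return os.urandom(16)


def key_check_value(key: bytes) -> bytes:
    """Verifier stored on the device so a wrong password is detected without
    decrypting anything. It is an HMAC over a fixed label, so the key itself
    is never written to storage (assumed layout, not any vendor's design)."""
    return hmac.new(key, b"key-check", "sha256").digest()


def unlock(password: str, salt: bytes, stored_check: bytes,
           iterations: int = 600_000) -> Optional[bytes]:
    """Re-derive the key from the entered password and return it only if it
    matches the stored check value. compare_digest avoids a timing side channel."""
    key = derive_key(password, salt, iterations)
    if hmac.compare_digest(key_check_value(key), stored_check):
        return key
    return None
```

The iteration count is the tunable cost knob: raise it as far as the device's unlock latency allows, since every increment multiplies the attacker's per-guess work by the same factor.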

There are also many mobile app developers who are not even sure what HIPAA permits, and are therefore nervous about how to proceed.

Swatee Surve is CEO of Litesprite, another finalist in the SXSW competition. Litesprite uses mobile games to treat stress and related psychological conditions, and Surve said there is much frustration about where the boundaries are and where they should be.

“HIPAA is not a regulation as much as it’s a guideline,” Surve said. “There is no inspector who will come into your office and say you’re not HIPAA compliant or you are.”

Surve said that this debate involves fundamental issues about society. “It is fundamentally a question of consumer perception. What do we want as a society? How much privacy are we willing to give up?”

Another way to look at that question is to ask how much inconvenience and cost we are willing to put up with in order to secure private data. That answer changes, logically enough, based on the value of the protected data.

Put more ominously: How much damage could a bad guy do with the protected data?

Perfect security: Next to impossible

Many of today’s mobile health care apps deal with only a small sliver of information, such as a heartbeat, a temperature history, a blood test, etc. But Tute Genomics — yet another SXSW finalist — is dealing with the full genome and touches on extensive DNA analysis. In your doctor’s hands, this could be a powerful diagnostic and preventative tool. In the wrong hands, such data could be devastating.

Tute’s director of bioinformatics, Bryce Daines, said today’s mobile HIPAA issues need to be resolved, but with genomes, he thinks a balance emphasizing medical capabilities over security and privacy should be considered.

“From a practical point of view when dealing with genetics testing, (HIPAA) is only limiting,” Daines said. “We certainly have to have an eye on security, but I don’t think we should limit ourselves just because of potential privacy issues.”

Stemp’s product collects repeated temperature data points from sensors attached to the patient. This is helpful, for example, with a sleeping sick child, so that you can monitor the temperature without waking the patient. This also gives physicians a complete history of temperatures, which is often much more medically useful than a single temperature reading.

But such data collection on the phone could easily violate HIPAA. “It might not be possible for this to work without saving to cache [on the phone],” said Whelan. “That (HIPAA) set of requirements might not be reasonable.”

Whelan makes the case that reasonable security/privacy might be achieved by keeping all data points small, which would theoretically mean that capturing any single one would pose minimal risk.

“Consumers might have pieces of data settling between their device and (cloud servers). If you’re moving data over devices like this, there is not going to be complete security. It’s next to impossible,” Whelan said.

“There could always be another loophole that gets in between where the data is coming from and where you want it to go.”
