Healthcare tech is moving more toward mHealth solutions for consumer use. Apple in particular has made major expansions into healthcare and mHealth technologies over the past few years. Many patients are using wearables such as the Apple Watch to monitor, track, and report healthcare data. But with this new field, mHealth security issues abound and there are still many grey areas surrounding who is legally responsible for protecting the privacy of patient data.
How Wearables Could Impact Your Business
In September, Apple made headlines with its newest version of the Apple Watch. CEO Tim Cook bragged about the watch’s fall detection capability, automatic workout tracking, and a heart sensor with ECG capability. With these advancements, Apple will continue to have a tremendous impact on the healthcare industry. In a recent CNBC interview, Cook said that the health-related work will be Apple’s “greatest contribution to mankind.”
Yet, there have already been HIPAA-related incidents stemming from multiple health tracking apps and wearables across the mHealth industry. In 2018, the popular fitness and nutrition tracking app MyFitnessPal experienced a breach, exposing the names, email addresses, and passwords of 150 million people. In addition, the fitness app Strava revealed the locations of U.S. military personnel on secret bases. According to Forbes, your electronic health records could be worth hundreds or thousands of dollars on the black market, which makes the Apple Watch and mHealth technologies like it prime targets for security breaches.
And of course, this affects healthcare professionals around the country. mHealth security vulnerabilities continue to pose a serious issue to patient privacy. And with these mHealth security and privacy concerns, HIPAA regulatory standards are in a grey area, especially where enforcement is concerned. Wearables like the Apple Watch expose privacy and security vulnerabilities for healthcare consumers, providers, and vendors working in the healthcare space alike.
Who’s Responsible for Wearable Data?
When it comes to HIPAA, covered entities must be compliant with the full extent of the regulation. A covered entity is any healthcare provider, health plan, or healthcare clearinghouse that uses protected health information (PHI) for the purpose of payment, treatment, or operations.
Under the HIPAA Privacy Rule, covered entities must implement the necessary safeguards to ensure that PHI is kept safe. PHI is any demographic information used to identify a patient. Common examples of PHI include names, email addresses, physical addresses, and Social Security numbers.
That means that if a doctor partners with wearable companies and uses that biometric data over the course of care, then they are responsible for protecting patients’ PHI. However, the mHealth apps and wearable companies themselves are likely considered business associates under HIPAA. Business associates include any organization that handles PHI on behalf of another HIPAA-beholden entity. Assigning liability for a data breach involving PHI that was collected by an mHealth device but then used during a patient’s treatment presents a new challenge to HIPAA regulation.
However, changes to HIPAA regulation or HIPAA guidance in response to new and evolving technologies are not new. In 2009, the HITECH Act was passed, which made sweeping changes to HIPAA regulation in response to the rise of electronic health records (EHR) platforms and the increasingly digital shift across the healthcare industry.
HIPAA guidance regarding the use of mHealth tech, apps, and wearables will likely be addressed by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) in the years ahead. However, in the meantime, covered entities and business associates should guard against the potential for data loss, federal fines, and cybersecurity risk by implementing an effective HIPAA compliance program to protect their business.
HIPAA Compliance Comes First!
As technology continues to develop, organizations within the healthcare industry will still need to comply with HIPAA regulations.
Compliancy Group gives healthcare professionals the tools they need to effectively address the full extent of HIPAA regulation. We give your organization confidence in your compliance with our proprietary Achieve, Illustrate, and Maintain™ methodology, all housed in our cloud-based app, the Guard™. The Guard allows users to address every element of what the law requires to give you peace of mind.
Users will also have help along the way. Our Compliance Coaches™ will walk you through every step of the process and ensure you have a complete understanding of HIPAA.
Compliancy Group is here to simplify compliance so you can confidently focus on your business. Find out how we can help!