With the fast adoption of technology in healthcare, such as wearable devices and genetic testing kits, protecting private health information has become increasingly important. Currently, the HIPAA Privacy and Security Rules protect health data in traditional settings; however, they do not extend to health apps compliance. Many of the companies providing these technologies share consumers’ data with other entities, with no regard for privacy and without repercussion.

For instance, the pregnancy tracking app Ovia used the data collected in its app and sold it to employers. Ovia claims that it is HIPAA compliant, since it anonymizes the data before sharing it. However, privacy experts noted that when the data is cross-referenced with other information, it can be re-identified. Additionally, multiple health apps share data with Google or Facebook without informing users.

In April, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an FAQ stating that providers aren’t liable for third-party apps releasing patient data: “The FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA-covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.”

Protecting Personal Health Data Act Will Mandate Health Apps Compliance

Senators Amy Klobuchar and Lisa Murkowski are proposing the Protecting Personal Health Data Act, which would extend the HIPAA Privacy Rule to such technologies. The new legislation would direct the HHS Secretary to release regulations to strengthen privacy and security for health apps. In addition, it would establish a National Task Force on Health Data Protection.

The task force would be responsible for:

  1. Evaluating the long-term effectiveness of data de-identification methods for biometric and genetic data;
  2. Providing insight on the development of security standards, such as encryption, for consumer devices;
  3. Addressing cybersecurity risks related to consumer devices;
  4. Addressing protection standards and privacy concerns in relation to employee and consumer health data; and
  5. Creating resources to advise and educate consumers about the risks, limits, and benefits of direct-to-consumer genetic testing.

Klobuchar states, “New technologies have made it easier for people to monitor their own health, but health tracking apps and home DNA testing kits have also given companies access to personal, private data with limited oversight. This legislation will protect consumers’ personal health data by requiring that regulations be issued by the federal agencies that have the expertise to keep up with advances in technology.”

Health apps compliance is essential to protecting PHI in the modern era. Murkowski states that the bill “takes important steps to ensure guidelines are created for security and privacy protections of modern health information. Our policies must evolve to keep up with advancements in recent technology.”