Protecting patient data beyond HIPAA

From the mHealthNews archive
By Eric Wicklund , Editor, mHealthNews

While the Health Insurance Portability and Accountability Act (HIPAA) protects personal health information within the provider's realm, it doesn't extend to personal health records or mobile apps. New legislation in California seeks to remedy that problem.

AB 658, which went into effect in January, is an amendment of the state's Confidentiality of Medical Information Act (CMIA), which regulates how entities covered under HIPAA can use and disclose "medical information." As reported recently by the online journal California Healthline, the new law extends that protection to "any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information … in order to make the information available to an individual or a provider of healthcare at the request of the individual or a provider of healthcare, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment or management of a medical condition of the individual."

That distinction is important as more and more healthcare apps seek to collect and transmit personal health information, and as more consumers request access to that information on their own mobile devices.

And it's especially important as more non-healthcare-related companies market apps and PHRs. California Healthline writers Deven McGraw and Susan Ingargiola point out that HIPAA permits the use and disclosure of medical information without individual authorization only for certain purposes, such as treatment, payment and various healthcare operations. "These disclosures are common business activities for healthcare entities but are an odd fit for the business model of most PHRs and mobile apps," the two write.

To wit: Businesses marketing PHRs and mobile apps might have a model that includes marketing and other commercial uses of medical information – in effect, selling that data to third parties. Under California's new law, they'll have to first gather each individual's written authorization, and include precise details on how that information will be used.

"Given that most mobile apps obtain user consent through general assent to terms and conditions, the effect of extending CMIA's authorization requirements to mobile app developers could be significant," McGraw and Ingargiola wrote. "Newly covered businesses that have a business model that includes the sale or marketing use of certain customer information that meets the definition of medical information will have to change their business model or obtain their customers' specific authorization."

The two point out that Apple's new HealthKit app goes even farther than California law. While collecting health data from various sources and enabling apps to share that data between consumers and healthcare providers, Apple isn't allowing any information to be stored in the cloud, nor is it allowing any apps that lack a privacy policy or any apps that share user data acquired through HealthKit with other parties.

"Apple has also stated that apps must not use data gathered from the HealthKit APIs for advertising or other user-based data marketing," McGraw and Ingargiola wrote. "This goes a step further than CMIA by outright prohibiting uses of data that CMIA would permit with specific user authorization. How Apple plans to enforce these provisions – and their effect on the mobile health app market – is uncertain."

Looking forward, McGraw and Ingargiola noted that HIPAA currently focuses on "traditional healthcare entities and their contractors," but the healthcare landscape – and mHealth in particular – is attracting non-traditional interest. How those interests will be reined in and regulated is unclear for now, but California is headed in the right direction.