Health App Confusion: (Another) Reason for a Comprehensive Federal Data Privacy Framework

By: Chase Millea, Snell & Wilmer[1]

We’ve all heard it from one of our more active friends:

“Have you tried that latest health app? It tracks your fitness – from what you eat to how you sleep to counting every step you take. You can put in your chronic conditions, medications and the last time you took a sip of water so you can make sure everything is in one place. And since it’s a health app, it’s HIPAA certified, so your information is totally secure.”

This example may make some readers of the AzSHA blog chuckle, but the growing number of health apps – from wearable watches to mobile medication management tools – presents an interesting challenge for consumers: determining exactly which laws apply to which apps, and, importantly, how their health information is collected, used and disclosed.

In the nearly thirty years since its promulgation, HIPAA – the Health Insurance Portability and Accountability Act – has gained significant traction as a pop-culture norm: when we hear health, we often think HIPAA, and the constraints it places on the sharing of health information. 

This normalization may constitute a great achievement for public understanding around rights in “protected health information” or “PHI,” the limited type of health information actually regulated under HIPAA; however, odds are (as supported by impromptu polls of friends, family, and even developers of mobile health apps), the general perception of HIPAA applicability may be much wider than the law provides. 

In other words, people hear health in a variety of contexts (whether at a hospital or in a free fitness app) and may think the processing of their health data is always subject to the robust privacy and security protections required under HIPAA. 

Of course, HIPAA does not apply in many health app contexts (as described further below). And with the growing number of such products in the marketplace, now may seem like a good time to review the current legal landscape around these products and to think through how a federal data privacy framework may be needed to resolve consumer confusion by setting national standards on the use of personal information (including identifiable health information).

Before we get into proposing amendments to federal law though, let’s start with the status quo. First recall that HIPAA applies to covered entities (i.e., healthcare providers, health plans and healthcare clearinghouses) and their business associates (i.e., organizations providing services to covered entities).[2] If an entity is subject to HIPAA, federal law requires that organization to (i) implement administrative, technical and physical safeguards to prevent the unauthorized access, use or disclosure of PHI, and (ii) not disclose a patient’s PHI without the patient’s authorization, or unless an exception applies.[3]

So, if a primary care physician offers her patients access to an online portal to view their records, as a healthcare provider, that physician is likely required to comply with HIPAA, and it should generally be safe to assume those administrative, technical and physical safeguards (including use and disclosure restrictions) are in place. 

Conversely though, the health app from the large software provider that enables consumers to personally track diet, nutrition, medication management and other notes about the individual’s healthcare – HIPAA? Not this time. Since in this case the app provider is not a covered entity nor business associate, the app provider is not subject to HIPAA and so individuals’ information is not guaranteed those same robust federal safeguards. And without a national consumer privacy law governing the use and disclosure of personal information generally, health information that is not PHI (i.e., regulated under HIPAA) does not receive any substantial protections under federal law.

Some states, including California, Colorado and Virginia, are addressing this issue through state consumer privacy laws (e.g., the California Consumer Privacy Act or “CCPA”). Many other states are considering similar (and yet non-standard) approaches.[4]

Under the CCPA, certain entities (i.e., for-profit organizations processing data about large quantities of California residents) are required to adhere to rules around the processing of “personal information” (which does include health information not covered under HIPAA).[5] CCPA requires regulated entities to notify consumers of that entity’s uses and disclosures of consumer data (see the “privacy policy” linked at the bottom of nearly every website you visit), and to adhere to consumer requests to review, amend and delete their personal information. Further, the California Privacy Rights Act creates a category of “sensitive personal information” that aims to protect sensitive categories of information (including genetic data, but not health information generally).[6]

So at least some states are thinking about how to protect some health data that may fall outside of HIPAA, but this is the AzSHA blog, so what do other state laws have to do with us? Well, to the extent an app provider processing your health data is not subject to these laws, the answer is nothing – and that’s kind of the issue. 

Currently, Arizona law only requires organizations processing personal information in Arizona to provide breach notification in the event of an unauthorized disclosure of that data.[7] However, Arizona does not have a consumer privacy law like CCPA, so it does not require organizations to provide Arizona residents with various rights – including to review, amend, and delete personal information processed about them – as required in states like California.

To avoid a hodge-podge of state consumer privacy laws with good intentions and poor practicality, the obvious solution seems to be a federal standard. There has been talk about a federal law similar to the EU General Data Protection Regulation[8] for years, but none has gotten across the legislative finish line. And consumer confusion seems to be a persistent consequence.

Much like HIPAA did with PHI, a comprehensive federal framework may bring standardization to the growing variety in the marketplace, and provide an opportunity to build public understanding of uniform requirements around the use of consumer personal information (including health information not covered under HIPAA). 

The proposed American Data Privacy and Protection Act (“ADPPA”), which includes a category of “sensitive covered data” that captures information relating to the “healthcare condition or treatment of an individual,” may be the closest shot yet to laying this federal foundation.[9] This process has been a long one, though, so we won’t hold our breath for the ADPPA to cross the president’s desk just yet.

While we await a federal sea change, maybe it’s best to end with what initiated this blog in the first place: a general perception that consumers are not aware of the laws applicable to the processing of their personal information, including, and maybe especially, their health information. In my practice, I find many consumers (and frankly business teams developing health apps) are confused about when HIPAA applies and which laws protect the processing of what health information.

So be aware of the confusion and maybe conduct an informal poll or two yourself. And the next time your friend asks, “have you tried that new health app,” take a deep breath and just think about how much easier this may be with a federal standard.


[1] This blog represents current, general opinions of the author, and not those of his law firm or colleagues. The content should not be considered legal advice or opinion.

[2] See 45 C.F.R. § 160.103.

[3] See 45 C.F.R. § 164.304. 

[4] National Conference of State Legislatures, 2022 Consumer Privacy Legislation, available at https://www.ncsl.org/research/telecommunications-and-information-technology/2022-consumer-privacy-legislation.aspx#:~:text=Creates%20the%20Consumer%20Privacy%20Act,or%20before%20the%20point%20of

[5] California Consumer Privacy Act, Cal. Civ. Code § 1798.140.

[6] Id.

[7] ARS § 18-552.

[8] Regulation (EU) 2016/679 (General Data Protection Regulation).

[9] American Data Privacy and Protection Act, HR 8152, 117th Congress (2022), available at https://docs.house.gov/meetings/IF/IF00/20220720/115041/BILLS-117-8152-P000034-Amdt-1.pdf
