The Quest to Improve Security, Privacy of Third-Party Health Apps
WEDI and the Confidentiality Coalition proposed recommendations for improving the transparency, security, and privacy of third-party health apps with access to PHI.
Third-party health applications fall outside HIPAA's purview, positioning them in a regulatory gray area where transparency, security, and privacy obligations are left open to interpretation. Consumers may not realize that how a third-party app uses their health data is largely up to the company behind it rather than to any predetermined regulation.
The Federal Trade Commission (FTC) and state Attorneys General have tried to fill the gaps and enforce against health apps that fail to adequately inform users how their health data will be used.
"But that is really a stop-gap measure," Linda Malek, partner at Moses & Singer and chair of the firm's Healthcare Privacy & Cybersecurity practice group, suggested in an interview with HealthITSecurity.
"There isn't comprehensive regulation or legislation that imposes consistent guidance across various players within the industry that may have access to health data, and that's really what is needed."
INDUSTRY GROUPS EXPRESS CONCERN
To combat this issue, the Confidentiality Coalition and the Workgroup for Electronic Data Interchange (WEDI) penned a letter to the HHS and Department of Commerce secretaries to raise concerns and provide recommendations regarding health apps and patient privacy.
"We continue to be concerned that patients will not have adequate information to be educated consumers regarding third-party apps and may not fully comprehend that they are assuming the risk of the security practices implemented by their chosen app," the letter stated.
"Specifically, patients may not understand when their information is and is not protected by HIPAA."
The groups expressed their support for the FTC's September 2021 policy statement, which affirmed that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule.
The policy statement raised new considerations about what the FTC considers a data breach, how it defines healthcare providers under the rule, and how federal lawmakers can keep pace with the fast-moving tech industry, which has disrupted how consumers manage their health.
In addition, the Confidentiality Coalition and WEDI expressed their support for HHS's clarification that healthcare providers are not responsible for ensuring the security of a patient's chosen third-party application.
"However, we note that this 'safe harbor' does not address the potential vulnerability of patient information when sent to the app," the letter noted.
If these security and privacy issues were resolved, health apps and application programming interfaces (APIs) could empower patients to take control of their health and access their data easily.
"Some [covered entities], including health plans, physician practices and inpatient facilities have already built or have contracted with business associates to develop patient access APIs and apps and are actively promoting their use," the letter explained.
"Specifically, these apps deployed by providers and health plans are typically covered under HIPAA and therefore the individuals accessing data have assurances that their information is being kept private and secure."
However, this situation is the exception rather than the rule. Most third-party health app developers are not associated with covered entities and are therefore not bound by HIPAA's Privacy and Security Rules.
The lack of trust and standards surrounding health apps and APIs is stifling interoperability and potentially jeopardizing patient privacy, the letter suggested. With these issues in mind, the Confidentiality Coalition and WEDI offered numerous recommendations to the secretaries.
WEDI, CONFIDENTIALITY COALITION PROVIDE RECOMMENDATIONS
First, the groups recommended that regulators "release additional guidance on the types of third-party app security and privacy verification that will be permitted and allow [covered entities] themselves to undertake an appropriate level of review of a third-party app before permitting it to connect to their APIs."
In addition, the letter suggested that stakeholders collaborate to create a privacy and security accreditation or certification framework.
"Once established, [covered entities] should be permitted to limit the use of their APIs to third-party apps that have agreed to abide by the framework. Such a program would not only foster innovation, but also establish improved assurance to patients of the security of their information," the letter reasoned.
The industry groups also recommended that the secretaries use the CMS Blue Button 2.0 and Data at the Point of Care (DPC) initiatives, which require health apps to complete a CMS-approved security certification, as a model for future private sector security requirements.
Lastly, the letter emphasized the need for collaboration among professional associations like WEDI and the Confidentiality Coalition, and government agencies. The groups stressed the need for improved consumer and covered entity education as stakeholders work to enhance regulations.
"We believe our recommendations will serve to increase the assurance that health information is being securely exchanged and provide patients the confidence to become more engaged in their health decisions," the letter concluded.
POTENTIAL IMPLICATIONS FOR FUTURE REGULATIONS
Although it is essential for all relevant parties to stay informed about data privacy and security, many questions remain about whose responsibility it is to educate consumers.
"The onus should not be on the individual," Malek asserted. "This is not a 'buyer beware' kind of a situation—individuals need their health information, and they need it quickly and easily. Individuals should not be put in a position where the onus is on them to shop around for the most secure health app."
However, placing an additional burden on covered entities to vet health apps for their patients rather than focus on patient care is also not ideal.
Third-party health app privacy concerns also highlight HIPAA's shortcomings. When the law was enacted more than 25 years ago, third-party health apps were not part of the conversation. An expansion of HIPAA or new legislation is needed to fill glaring security and privacy gaps.
At the moment, there is no comprehensive guidance for navigating this space from the perspective of app developers, healthcare providers, or patients. WEDI and the Confidentiality Coalition's letter shows that stakeholders are searching for that guidance, and their recommendations are a good place to start.
Ensuring transparency, security, and privacy will likely require collaboration between industry groups, regulators, app developers, and even providers.
"I think the most important thing to keep in mind is that there is increasing attention on it," Malek continued.
"Even in the absence of specific legislation, it really behooves health app developers to look closely and thoughtfully at their privacy policies and transparency in terms of how they explain to the individual what is going to be done with their information."