As digital health tools continue to evolve, the privacy of patient data has become a major concern. From mobile health apps to wearable fitness trackers, patients are sharing more personal health information than ever before.
However, the rules that govern the protection of this data—primarily the Health Insurance Portability and Accountability Act (HIPAA)—are not fully equipped to handle the rapid advancements in technology, especially regarding apps and devices that don’t always fall under HIPAA’s jurisdiction. This creates a challenging landscape for both patients and healthcare providers who must navigate the complexities of data privacy, security, and compliance.
Key Takeaways
Health apps are collecting sensitive patient data, but HIPAA’s protections do not apply to all apps, creating a growing privacy challenge for patients and providers.
- HIPAA does not cover general health and wellness apps that collect sensitive data like sleep patterns and heart rate.
- Healthcare institutions are prime targets for cybercriminals due to the high value of personal data they store, with over 45 million patients having their data exposed in the first half of 2024.
- The growing reliance on mobile health apps adds to the problem, as these apps often store sensitive data on users’ devices and may not have adequate privacy safeguards.
The limitations of HIPAA in the digital age
HIPAA was designed to protect patient health information shared with healthcare providers, insurance plans, and other related entities. However, it does not apply to health apps unless directly integrated into healthcare systems. For example, even if an app links to a patient’s medical record, its data may not be protected by HIPAA.
Colin J. Zick of Foley Hoag notes that HIPAA was never intended to cover general health and wellness apps. These apps collect sensitive data like sleep patterns and heart rate, but since they operate outside traditional healthcare systems, HIPAA’s protections do not apply.
This gap in privacy protection has significant implications. Health apps can collect a wide range of data, including personal identifiers, location data, and online activity, much of which could be highly sensitive if exposed.
Furthermore, much of this information is not protected by existing laws and may be susceptible to misuse. For instance, location tracking in health apps could reveal personal habits or lifestyle choices that are deeply private. Data from these apps could also be shared with third parties, such as advertisers, without the patient’s knowledge.
Increasing vulnerability to cybersecurity threats
Healthcare institutions are prime targets for cybercriminals due to the high value of personal data they store. In the first half of 2024, over 45 million patients had their data exposed, highlighting the risks. Hackers target health data for fraud or to sell on the black market.
The growing reliance on mobile health apps only adds to the problem. These apps often store sensitive data on users’ devices, potentially creating a more significant risk if these devices are compromised. If an app linked to a healthcare provider’s network is hacked, it could expose patient information that would otherwise be protected under HIPAA. The security flaws in many apps, combined with inadequate privacy safeguards, make them a prime target for cybercriminals seeking to exploit vulnerable data.
Lisa Pierce Reisz, a member of Epstein Becker Green, emphasizes the importance of building robust security protocols into health apps. “Healthcare providers or health plans that create or offer health apps must be aware of how these apps are collecting, using, storing, and guarding PHI,” she said. Reisz advocates for privacy and security protections that meet HIPAA’s stringent standards, especially as healthcare apps become increasingly integrated into patient care.
The growing need for HIPAA reform
Experts argue that HIPAA needs an update to keep pace with modern health tech. Zick emphasizes that the regulations, designed for early 2000s technology, must evolve to address challenges posed by mobile health apps, AI, and cybersecurity risks.
For instance, as the use of AI in healthcare becomes more widespread, the need for updated regulations grows. AI systems are capable of processing vast amounts of health data, which could present new privacy risks if not adequately protected. Without clear regulations, patients may not fully grasp how their data is being utilized or who stands to gain from it.
One area that requires immediate attention is the security of mobile health apps. Many of these apps are designed by third-party developers who may not always adhere to HIPAA standards. This lack of oversight creates a potential risk for patients, as sensitive data could be exposed or misused. Healthcare providers that offer or recommend health apps must ensure these tools comply with privacy and security regulations, which may be challenging given the variety of apps available.
Data monetization and targeted ads impact
Some health apps collect sensitive data, such as mental health history and gender identity, for targeted advertising. This raises concerns about how much control patients retain over their personal information and about misuse of that data by third parties, such as employers. Data monetization is a particular concern with mobile health apps, where personal information can be exploited for profit.
While patients may use health apps to track their well-being, the data they share may be sold to advertisers or shared with other entities without their informed consent. These practices undermine the trust between patients and healthcare providers, as patients may feel their personal information is being exploited for commercial gain.
While health apps offer valuable insights, they present privacy risks. Healthcare organizations must ensure apps comply with HIPAA standards and fully inform patients about data usage.
Ransomware and HIPAA accountability
As data breaches continue to affect the healthcare industry, the Office for Civil Rights (OCR) has received a growing number of HIPAA complaints and initiated numerous compliance reviews. Since the Privacy Rule’s compliance date in 2003, OCR has handled over 369,000 complaints and imposed civil penalties totaling $143 million.
OCR’s enforcement activities have targeted various healthcare entities, from national pharmacy chains to small provider offices. However, there is growing concern about how OCR handles cybersecurity breaches, particularly ransomware attacks.
Zick suggests that the current approach to ransomware is flawed, as OCR has occasionally fined healthcare providers who fall victim to cyberattacks. “It seems to me that we need to have a system that doesn’t punish the victims of crimes,” he said.
Given that many healthcare providers are unable to prevent sophisticated ransomware attacks, Zick advocates for a shift in how these cases are handled. Instead of penalizing victims, OCR should focus on encouraging healthcare providers to improve their cybersecurity defenses and compliance measures.
The role of healthcare providers in digital health
As digital health technologies continue to evolve, healthcare providers must play an active role in ensuring patient data is protected. This includes educating patients about the risks associated with health apps, conducting due diligence on the apps they recommend, and working to integrate these tools into their practice in a way that complies with HIPAA regulations.
Physicians should be aware of the apps their patients are using and ensure that patients understand how to use these apps securely. By reviewing the health apps patients use, doctors can help ensure that sensitive information is not inadvertently exposed. Additionally, healthcare organizations must collaborate with developers to build apps that prioritize patient privacy and security.
Furthermore, as the healthcare industry embraces new technologies like AI and telemedicine, policymakers must update HIPAA and other regulations to reflect these changes. The current regulatory framework is insufficient to address the complexities of modern healthcare technology, and without updated guidelines, patient privacy will remain at risk.
Enhancing privacy in digital health
While health apps offer tremendous potential for improving patient care and well-being, they also present significant challenges in terms of privacy and security. HIPAA, designed to protect patient data in traditional healthcare settings, is not fully equipped to address the unique risks posed by mobile health apps and wearable devices. As technology continues to advance, the need for updated regulations and stronger cybersecurity protections becomes increasingly urgent.
Healthcare providers, app developers, and regulators must work together to ensure that patient data remains secure, transparent, and protected. By fostering collaboration, improving compliance, and updating regulations, the healthcare industry can harness the benefits of digital health technologies while safeguarding patient privacy in an increasingly complex digital world.