The brief, Risky Business? Sharing Data with Entities Not Covered by HIPAA, outlines the extent of health data is generated from consumer devices and apps that are left ungoverned by the HIPAA rule. As HIPAA was drafted long before the creation of consumer-driven apps and other advanced technologies, there’s a gray area in determining how that data should be handled by app developers.
“Privacy and security in healthcare are at a critical juncture, with rapidly changing technology and laws that are struggling to keep pace,” Jennifer Covich Bordenick, eHealth Initiative CEO said in a statement.
“Even as new laws like CCPA and GDPR emerge, many gray areas for the use and protection of consumer data need to be resolved,” she added. “We hope the insights from papers like this help industry and lawmakers to better understand and address the world’s changing privacy challenges.”
HIPAA does include digital technology amendments, included in its HITECH update from 2009. The report authors explained that although HITECH addresses EHR concerns, the regulation does not outline commonly used digital technology – such as consumer app developers.
IS A BUSINESS ASSOCIATE AGREEMENT NEEDED?
READ MORE: HIPAA Needs Clarity Around Patient Data Sharing, AMIA, AHIMA say
All health provider organizations that handle protected health information, like medical records, claims information, and lab results fall under HIPAA. Vendors that interact with this data must sign a business associate agreement with the covered entity. And covered entities must evaluate whether their vendor falls under HIPAA before contracting.
And when there’s an app breach impacting health data, the report authors explained that these must also be reported to the Department of Health and Human Services.
“When covered entities decide to partner with app developers, determining if the app developer is a business associate is extremely important as it sets the stage for whether or not the data shared by the covered entity with the app developer is regulated under HIPAA,” the report authors wrote.
“At the heart of the business associate determination is whether the app is being offered on behalf of the covered entity,” they added.
First, an organization must determine how the app is branded and whether consumers access the app through the covered entity or a separate channel, or if the app is available only through the covered entity, or also to their patients or members.
READ MORE: Could HIPAA be Repealed, Replaced with a Unified Federal Privacy Law?
Next, organizations should also evaluate how the data flows between the covered entity and app developer and whether the developer provides any related services to the covered entity.
“For example, if a provider contracts with an app developer for patient management services—including remote patient health counseling; monitoring of patients’ food and exercise; patient messaging; EHR integration; and application interfaces that involve creating, receiving, maintaining, and transmitting PHI—and the app is a means for providing those services, the app developer is likely a business associate and a business associate agreement is required.”
Another issue to consider, the report authors explained, is how to respond to developers not covered by HIPAA that want access to the covered entities data.
“In the absence of authorization by the subject of the PHI, PHI collected by app developers that are business associates of covered entities may only be used or disclosed for HIPAA-permitted purposes and as authorized in the business associate agreement,” the report authors wrote. “Such PHI must be returned to the covered entity or destroyed upon termination of relationship.”
Also notable: direct-to-consumer app versions not provided by the covered entity aren’t subject to HIPAA. Adding to the issue is that consumers continue to broadly voluntarily share their own PHI on the internet, such as genomic data, without any restrictions to the DNA market
READ MORE: HHS, OCR Seek Industry Feedback on HIPAA Update for Data Sharing
“The average consumer is not contemplating the ramifications of providing his or her DNA to a genealogy company, nor reading the FTC’s guidance on Direct-to-Consumer Genetic Tests,” the report authors noted.
OVERCOMING THE GRAY AREA
The shortcomings of HIPAA are not a new revelation: Industry stakeholders have been pressing HHS for a HIPAA update for several years. In response, HHS released a request for information in December, asking healthcare stakeholders for insight into how HIPAA could be modernized for the digital age.
Meanwhile, the American Medical Informatics Association and American Health Information Management Association called on Congress to modernize the rule to improve patient access to health data and to bolster the app ecosystem security.
In January, the Information Technology and Innovation Fund made one of the most drastic suggestions for HIPAA: repeal the patchwork of US privacy regulations, including HIPAA, and replace them with a unified federal law.
To eHealth Initiative Foundation, a national solution is ideal to clear up these privacy discrepancies – including the patchwork of state privacy legislation.
“A national standard would alleviate the confusion… [and] would also make the flow of information easier,” the report authors wrote. “New technologies have pushed society to reconsider current models for privacy and ethics and are raising important questions about individual liberty, dignity, and autonomy.”
“The Center for Democracy & Technology and many other groups are beginning to explore a values framework for new technology. Recommendations focus on individual dignity, corporate stewardship, and social good,” they added. “Before developing strict privacy policies, policymakers and industry leaders may want to first focus on developing a values framework to guide the future use of personal health information.”
