The developers of Flo, the fertility- and period-tracking app, settled allegations in January from the Federal Trade Commission about misleading its users about their data privacy policies by sharing their health information with tech giants Facebook and Google. According to the complaint filed, federal regulators stated that the app promised it would keep their users’ health data private, but was found to have disclosed health data about millions of app users to Facebook, Google, and third parties such as marketing and analytics apps AppsFlyer and Flurry for years.
HIPAA mHealth Apps
While the issue of data privacy on non-medicine-related apps has already drawn attention and legislation in recent years, the growing presence of mobile health (mHealth) apps is the newest subcategory, and one that currently goes unregulated. With arguably the most sensitive data of a user, commercial businesses in the mHealth app industry that are not contracted by healthcare providers or medical organizations are not required to protect their consumers’ personal health information. This absence of required privacy can lead to the selling of that information to third-party companies for non-consented advertising and other purposes.
Normally when an individual is seeking any kind of health management or medical-related advice, the applications and professionals they turn to are governed by the Health Information Portability and Accountability Act of 1996, or HIPAA. HIPAA established national privacy standards to protect an individual’s medical records, personal health information, and rights to obtain and correct information. HIPAA also stipulates limits on uses and disclosures of information made without patient consent. This applies to designated covered entities that conduct certain healthcare transactions electronically under its privacy rule. However, because these commercial technologies did not exist at the time of HIPAA’s adoption (and neither did the electronic health record legislation adopted after) they are untouched by the explicit rules that dictate covered entities and the usage, processing, and storage of individually identifiable health information (IIHI).
In September 2020, the Office of Civil Rights under the Health and Human Services Department moved to clarify the ambiguity of privacy protections facing mHealth app companies by releasing an updated guidance document that effectively excluded commercial mHealth apps from HIPAA liability if they were not contracted by a covered entity. Similarly, government contact tracing efforts to contain the COVID-19 pandemic have promoted contact tracing apps which also fell outside of HIPAA liability. This prompted pushback regarding privacy concerns from Congressional members and nationwide organizations.
Democratic Senators Mark R. Warner and Richard Blumenthal (D-CT), as well as Reps. Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong, enforceable privacy and data security rights for health information collected pertaining to the pandemic. Senate Republicans also expressed concerns by releasing the COVID-19 Consumer Data Protection Act of 2020 to provide individuals more control over their personal health, device, geolocation, and proximity data. Notable nationwide organizations such as the American Civil Liberties Union and Electronic Frontier Foundation have released reports on privacy principles that should be considered and integrated into the execution of contact tracing.
As it stands, the COVID-19 pandemic has seen an increase in downloads of mHealth applications from most major countries, as many are engaging with their regular physicians from home. Some may be trying out mHealth apps to manage parts of their health not previously available to them. Regardless of the leading cause, many popular mHealth apps on the market are still excluded from HIPAA privacy compliance regulations and their consumers are still vulnerable to the selling of their personal health information to third-party companies without their consent. If the Flo settlement has indicated anything, it is that a promise to protect private information is subjective in the absence of objective policy.