Why Health Apps Need to Protect Your Data

Apple iOS 8 Health app

Source: Apple.com

It goes without saying that when consumers choose to share sensitive personal information with a website, they want that data secured, protected, and used only for the purpose for which they chose to share it. The same holds true for mobile apps, and especially apps that will handle health-related data as Apple’s Health and HealthKit take off. But in contrast to the fast pace at which technology moves, regulations on the privacy and security of consumers’ health data have yet to catch up.

Christina Farr reported for Reuters that a consortium of startups, including CareSync, AirStrip, and AngelMD, sent a letter to Pennsylvania representative Tom Marino, expressing frustration at the lack of developer-oriented resources on how a law called the Health Insurance Portability and Accountability Act, or HIPAA, affects the development of mobile apps that handle health-related data.

The startups, some of which provide data to doctors, are concerned about security and privacy, and say that it is struggling to compete with larger vendors that can afford to hire lawyers and consultants. Instead, it relies on government websites, which have not been recently updated, in just one demonstration of the fact that regulatory bodies “have not kept pace with the rapid growth of technology that gives users greater access to healthcare providers and more control over their health information.” Morgan Reed, executive director of the App Association, which purports to represent 5,000 mobile app companies, told Reuters that everything from startups to large tech companies like Apple and Samsung are seeking clarity on how health data can be stored and shared.

The App Association signed the letter to Marino, and Reed says that some developers are relying on information last updated in 2006, before the release of the original iPhone. (On the Department of Health and Human Services’ website, a PDF providing a “Summary of the HIPAA Privacy Rule,” as an example, is dated as last revised in May of 2003.)

Developers have requested that the government provide better guidance about how health data can be stored in the cloud, and requested that regulators also provide developer-friendly documentation. It also asked that the Department of Health and Human Services, or HHS, increase its participation in mobile health events. Congressmember Marino, in turn, has asked developers to provide a list of specific grievances with the HHS department. He said:

“A company should not be forced to staff up with a dozen lawyers simply to ensure they are in compliance with the law. Rather, the burden should be on a transparent and responsive government to provide clarity and guidance, so companies can focus on growing their businesses and providing better and more innovative products and services to the public.”

HIPAA was put in place in 1996 to ensure that protected health information, or PHI, would be correctly handled by covered entities, like doctors and hospitals, and their business associates. While not all health-related apps will be subject to regulation by HIPAA, those that collect and share personally identifiable data — anything from medical records to images to appointment dates — with covered entities will come under HIPAA’s privacy and security rules.

On the other hand, apps that offer general medical reference information, enable users to track their diets, or track users’ workouts aren’t likely to need to be compliant. TrueVault, which provides apps with a secure and HIPAA-compliant API to store health data, created a developers’ guide to HIPAA compliance, which explains the basics of the type of information with which the regulations deal.

“PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment. In other words, PHI is information in your medical records, including conversations between your doctors and nurses about your treatment. PHI also includes your billing information and any medical information in your health insurance company’s computer system.”

Emails to a doctor’s office about a prescription, appointment scheduling notes, MRI scans, blood test results, and phone records are all protected health information. Data that isn’t protected health information includes the number of calories burned in a day, blood sugar readings without personally identifiable information (PII), or heart rate readings without personally identifiable information. In 2013, the Final Omnibus Rule Update amended HIPAA to expand the requirements for who needed to be compliant. TrueVault notes that those subject to regulation include doctor’s offices, dental offices, clinics, psychologists, nursing homes, pharmacies, hospitals, home healthcare agencies, health plans, insurance companies, HMOs, any government programs that pay for healthcare, and health clearing houses.

Business associates are vendors and subcontractors with access to protected health information, including app developers, hosting providers that handle protected health information, and other service providers. Anyone that handles, stores, or transmits protected health information needs to be HIPAA-compliant.

Concerns with handling protected health information on smartphones and other mobile devices are many. Some that are frequently cited, as listed by Information Week, include the fact that phones, tablets, and wearable devices are easily stolen; that the accessibility of social media and email make it easy to post or share information in violation of HIPAA regulations; that push notifications can violate laws if they contain protected health information; that users can intentionally or unintentionally share personal information; that not all users password-protect their devices; and that devices don’t include physical keyboards, making it more unlikely that consumers will use complex passwords to secure their information.

So what, exactly, does HIPAA require? The problem is that HIPAA was written nearly 20 years ago, preceding the first smartphones and mobile apps, and is less straightforward to deal with than other regulations that many developers are more familiar with, like PCI compliance for credit card data and the DMCA for using copyrighted material on the Internet. Unlike PCI compliance, HIPAA compliance doesn’t have a third-party certification body, and where compliance is required, HIPAA states that application developers are responsible for compliance. Some companies will certify apps or businesses as compliant, but that certification isn’t legal proof of compliance. Unlike some other laws, HIPAA has no Safe Harbor clause, so that even apps that don’t intend to store or transmit protected health information can still violate HIPAA.

Information Week notes that, basically, apps will need to provide secure access to personal health information via unique user authentication, encrypt data that will be stored, provide regular security updates, implement a system to audit data and ensure it hasn’t been accessed or modified, enable users to wipe their information if they lose the device, and enable users to back up their information in case the device is lost or fails. TrueVault provides a detailed assessment in its guide for developers, where it notes that administrative safeguards, physical safeguards, and technical safeguards are all necessary.

Developers are also warned against using third-party file storage and hosting platforms unless they are explicitly stated to be HIPAA-compliant. A number of HIPAA-compliant services, hosting, platforms, and APIs are available to developers, including HIPAA-compliant hosting providers, like Amazon and Firehost. Google Apps can also support HIPAA compliance, and other companies, from TrueVault to Medable help developers — including startups — build compliant apps.

So what does this mean for any health or fitness-related apps currently on your iPhone, or those that will integrate with the new Health app coming with iOS 8? How can you be sure that an app is going to protect your data? That will come down to how Apple handles compliance, and there hasn’t been much official word on that yet. But as Christina Farr reported for Reuters in an article on two medical trials using Apple’s HealthKit, Apple is considering creating a “HealthKit certification” for third-party developers, with stipulations as to how data needs to be securely stored on devices, and a prohibition against the sale of consumer data to advertisers.

That kind of certification program could theoretically lead to some kind of indication system in the App Store to let users know which health apps have been reviewed and certified by Apple, or perhaps even which are HIPAA-compliant, though many have noted that Apple is unlikely to want to enforce or verify compliance. Information on the measures that apps take to protect data will be increasingly important to make accessible to consumers who need to know which apps they can trust with sensitive, personal information.

If Apple wants to make its HealthKit framework and accompanying Health app succeed as a hub for health-focused apps and the data it collects, it will need to help both developers and consumers gain some clarity on the privacy and security standards to which apps will need to adhere. The company has only just begun that process.

In a recent addition to its guidelines for developers, Apple noted that developers should not build apps that store health and fitness data in iCloud, which is not HIPAA-compliant. Information collected by health apps is to be stored and encrypted on the device itself, apps need to include a privacy policy, and apps can’t sell data to advertisers. But developers want to know what HIPAA will require of apps that store data in the cloud — a feature that will be a necessity as consumers want to share their health information with their doctors — since those types of uses will place them squarely under the law’s privacy and security regulations.

Health, which Apple describes on its iOS 8 website as “an entirely new way to use your health and fitness information,” should play an important role in pushing regulators toward a more open conversation with developers, simply because the potential of Health and HealthKit are vast, and are likely to spur a huge uptick in the number of health-related apps that are available in the iOS App Store, and even the app stores for other mobile operating systems.

“The Health app lets you keep all your health and fitness information in one place on your device and under your control. The information you generate about yourself is yours to use and share. You decide what information is placed in Health and which apps can access your data through the Health app. When your phone is locked with a passcode or Touch ID, all of your health and fitness data in the Health app is encrypted. You can back up data stored in the Health app to iCloud, where it is encrypted while in transit and at rest. Apps that access HealthKit are required to have a privacy policy, so be sure to review these policies before providing apps with access to your health and fitness data.”

It’s clear that the new platform — and the plethora of health apps that its launch is expected to catalyze — will require renewed discussion on what HIPAA’s regulations mean for those who provide mobile devices and the apps, platforms, and services that consumers access with them. Even if you aren’t an iOS user and don’t plan to buy an iPhone anytime soon, it’s in your best interest to stay informed on how your favorite health apps safeguard your personal information. Apple, Google, and Samsung are just a few companies that will need to address important security and privacy issues, and think just as seriously as app developers about the importance of HIPAA compliance to it platforms and the consumers who trust them. The privacy and security obligations of apps and platforms alike will play an important role in the development of an entire industry of heath apps and tracking-enabled devices.

More From Tech Cheat Sheet: