Privacy concerns regarding mobile devices in health care are raising eyebrows and making headlines. The Telegraph reports that “health and fitness apps have been harvesting sensitive personal data and passing it on to insurance and pharmaceutical companies” although “apps companies . . . have denied that the information is personally identifiable or that it is being sold.”

As we have noted, the regulatory landscape for mobile devices in health care, or so-called “mhealth,” is uncertain, and two years have passed since the FDA’s issuance of draft guidance on mobile medical applications, without final regulations. However, it is clear that data privacy and security are among the issues facing mhealth apps.

In the U.S. the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as modified by the recently-issued so-called Omnibus Rule, prohibits covered entities from selling Protected Health Information (PHI) (i.e., directly or indirectly receiving remuneration from or on behalf of the recipient of the PHI in exchange for the PHI) without obtaining a valid authorization for the sale of PHI, which authorization must state that disclosure will result in remuneration to the covered entity. Cooley’s Client Alert on the Omnibus Rule discusses this and other provisions.

Because HIPAA and other data privacy and security laws may apply to the developers of health and fitness apps, as well as their business partners, these companies must ensure that their business practices comply with applicable laws.

Posted by David Sclar

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s