Privacy concerns regarding mobile devices in health care are raising eyebrows and making headlines. The Telegraph reports that “health and fitness apps have been harvesting sensitive personal data and passing it on to insurance and pharmaceutical companies” although “apps companies . . . have denied that the information is personally identifiable or that it is being sold.”
As we have noted, the regulatory landscape for mobile devices in health care, or so-called “mhealth,” is uncertain, and two years have passed since the FDA’s issuance of draft guidance on mobile medical applications, without final regulations. However, it is clear that data privacy and security are among the issues facing mhealth apps.
In the U.S., the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as modified by the recently issued so-called Omnibus Rule, prohibits covered entities from selling Protected Health Information (PHI), i.e., directly or indirectly receiving remuneration from or on behalf of the recipient of the PHI in exchange for the PHI, without first obtaining a valid authorization for the sale of PHI. That authorization must state that the disclosure will result in remuneration to the covered entity. Cooley’s Client Alert on the Omnibus Rule discusses this and other provisions.
Because HIPAA and other data privacy and security laws may apply to the developers of health and fitness apps, as well as their business partners, these companies must ensure that their business practices comply with applicable laws.