Period-tracking apps have been the focus of health data privacy concerns recently, but a Washington state bill is turning the spotlight on other areas in technology where patients’ health information is at risk.
The bill, proposed earlier this year and called the My Health, My Data Act, reveals where HIPAA protections end and how digital health companies can use, share and sell patient health information.
“This act works to close the gap between consumer knowledge and industry practice by providing stronger protections for the privacy of all Washington consumers’ health data,” it states.
Proposed protections include banning the sale of health data, requiring disclosure of data collection and sharing, allowing users to delete their health data, and banning geofences around facilities that provide personal health services.
Personal health information collected by HIPAA-covered entities, such as most health care professionals, maintains federal protections and is referred to as protected health information, or PHI. However, data collected by apps and websites that are not covered entities or business associates is not protected by HIPAA — leaving information about patients’ diagnoses, tests, prescriptions and location vulnerable, according to Andrew Mahler, vice president of privacy and compliance at Clearwater, a cybersecurity and compliance consultancy.
Mahler said more people have questions about what constitutes PHI and how their health data is at risk in light of last year’s Supreme Court decision that eliminated federal abortion rights.
“Any health data that is acquired, maintained, received or used by a covered entity — if it’s individual health information, it’s protected by HIPAA,” Mahler told MedPage Today. “Even though you may be sending it from your personal device, which is not secured, once it is received by the covered entity, it will at least broadly be considered PHI and will be protected by HIPAA.”
On the other hand, Mahler said, HIPAA protections don’t always apply. Telehealth visits, for example, are not always or fully covered by HIPAA.
“If it’s a telehealth provider that doesn’t meet the definition of a covered entity or business associate, then HIPAA won’t apply to them. State laws could, but HIPAA doesn’t,” Mahler said.
For example, consultants who don’t charge insurance but provide telehealth may not be covered individuals, he said.
Period and fertility tracking apps collect information about a user’s menstrual cycle, age, sex life, and contraceptive use. Different applications are not equally secure in protecting user data. For example, User reports analyzed period tracking apps that touted privacy and found that few apps met their security standards. Their criteria include localized data storage, which keeps the data on your personal device rather than in the cloud, and no third-party trackers.
However, these security measures are not bulletproof. Especially in states that have strict abortion laws, the risk of data breaches — and inadvertent data sharing — is real.
In addition, law enforcement and the government can access a person’s search history, location, and messages to obtain information about them, which is risky for patients in states with abortion restrictions.
“I think it’s important for doctors to feel empowered that they’re not actually allowed to present certain types of information to law enforcement,” Mahler said. “It’s also important that people think about how they protect the patients they care for. And part of that care includes information about the care of that patient.”
Tech companies including Google and Meta have been criticized for handing over user data to law enforcement, such as in the case of Celeste Burgess, a Nebraska teenager who was charged with five felonies after her Facebook direct messages about an illegal abortion were given to law enforcement.
Ron Li, MD, director of medical informatics for digital health at Stanford Health Care, said part of the risk to the individual comes from the vast amount of personal data that patients intentionally and unintentionally share.
“In our society, so much of our lives are captured by digital data — and that data can actually end up in spaces you’d never expect,” Li told MedPage Today. “Any health app that collects information about your health that isn’t covered by HIPAA is likely to be at risk.”