mHealth app security tops the agenda at this week’s American Medical Association meeting, with delegates expected to vote on an 11-point policy that would strengthen privacy and transparency efforts.
A report prepared by the AMA’s Council on Medical Service says the fast-growing mHealth app industry isn’t generally covered by the Health Insurance Portability and Accountability Act (HIPAA), which was developed long before apps became popular.
“As such, mHealth apps are not required to protect the privacy and security of an individual’s health information in the same way that a physician must because mHealth apps are not directly subject to HIPAA regulations,” the report says, adding that “[p]atient privacy and data security need to be a priority in the digital health space, as mobile apps and devices can be subject to privacy and data breaches.”
To deal with that concern, the report issues four recommendations on governing mHealth data:
- The AMA should “support requiring mHealth apps and associated devices, trackers and sensors to abide by applicable laws addressing the privacy and security of patients’ information;”
- It should “encourage the mobile app industry and other relevant stakeholders to conduct industrywide outreach and provide necessary educational materials to patients to promote increased awareness of the varying levels of privacy and security of their information and data afforded by mHealth apps, and how their information and data can potentially be collected and used;”
- It should “encourage the mHealth app community to work with the AMA, national medical specialty societies and other interested physician groups to develop app transparency principles, including the provision of a standard privacy notice to patients if apps collect, store or transmit protected health information;” and
- It should “encourage physicians to alert patients to the potential privacy and security risks of any mHealth apps that he or she prescribes or recommends, and document the patients’ understanding of such risks.”
Other recommendations included in the report focus on creating a clinical evidence base to support mHealth apps; making sure these apps “abide by licensure and medical practice laws in the state where the patient receives services facilitated by such technology;” and ensuring that the delivery of services through apps is consistent with state laws.
The AMA is expected to vote on these recommendations at some point during the interim meeting, which takes place Nov. 11-15 in Orlando.
Healthcare providers have long used HIPAA as “an important framework that we can leverage” in discussing the privacy and security of data on mHealth apps, says Michelle Longmire, MD, chief executive officer of Medable, an app management company.
“Certainly a framework that’s 20 years old poses challenges for an industry that is much younger,” she says. “The challenge is in finding appropriate and achievable security.”
Some states, like California and Massachusetts, have taken it upon themselves to clarify healthcare uses that fall under HIPAA guidelines. And this past February, the Office for Civil Rights (OCR) unveiled a number of scenarios in which mHealth apps would be covered by HIPAA as well. The idea was to broaden the scope of HIPAA to cover areas that weren’t in play when HIPAA was created.
“States are stepping out and saying this is how it needs to be done,” says Perry Robinson, Medable’s chief compliance officer. “But what’s already a complex system is becoming even more complex. You need synchronization.”
Longmire says healthcare has undergone a fundamental change since HIPAA was launched: The patient is now at the center of the health network, and is becoming the core user of the technology. That opens up mHealth data privacy and security to a whole new set of sources – consumer-facing apps and devices, even wearables – and users.
“You have people who are traditionally not accustomed to dealing with that regulatory environment now in the middle of it,” Robinson adds. “It might seem like a small issue to some, but if you’re an app developer it can be huge.”
Both Longmire and Robinson say the industry should set those standards, rather than the government. So while the OCR guidance is welcome at a time when HIPAA’s reach is uncertain, it’s more important for organizations like the AMA to step up and take the reins.