- Federal officials are looking for an online tool that would enable consumers to instantly access the privacy practices of whatever mHealth app or device they’re using.
The challenge, running through April 10, calls on mHealth innovators to use the Model Privacy Notice (MPN) template to lay out an mHealth product’s privacy and security policy, then create a tool that generates a use-friendly snapshot of that document.
The ONC will award $35,000 in prizes through the challenge, and will announce winners sometime during the middle of this year.
While this particular challenge focuses on giving the consumer more tools to safeguard his or her private health data, several recent reports have pointed out that the mHealth industry doesn’t have the policies in place to force or enforce data protection. Just last July, an ONC report identified “large gaps in policies around access, security and privacy” in the mHealth industry, particularly around consumer-facing apps and devices. Of particular concern was the federal Health Insurance Portability and Accountability Act (HIPAA), which hasn’t been updated since it was created 20 years ago.
In a blog on the ONC website, ONC chief Karen DeSalvo, MD, and Jocelyn Samuels, director of the Health and Human Services Department’s Office of Civil Rights (OCR), which joined with the Federal Trade Commission to help the ONC prepare the report, say the mHealth landscape has long since bypassed the government’s ability to regulate it. Information is being transmitted, used and shared in ways never even comprehended when HIPAA was drafted.
“Many of us now use wearables and other types of health information technology to help us manage our health and the health of our loved ones,” they wrote. “These fitness trackers, their related social media sites where individuals share health information, and other technologies are changing the way we interact and control our own health. However, they did not exist when Congress originally enacted (HIPAA) in 1996.”
“HIPAA serves traditional healthcare well and supports national priorities for the safe and secure flow of health information, but its scope is limited,” they added. “It applies only to organizations known as “covered entities” - health plans, healthcare clearinghouses and healthcare providers conducting certain electronic transactions - and their business associates. Yet these days, scores of new businesses use consumer-facing technology to collect, handle, analyze, and share health information about individuals - sometimes without those individuals’ knowledge.”
Last December, researchers at American University and the Center for Digital Democracy doubled down on that concern with a study that found a “weak and fragmented health-privacy regulatory system” does not have adequate federal laws to keep personal health information safe in wearables.
“In contrast to the European Union, where privacy is encoded in law as a fundamental right and where robust data protection laws have been enacted, privacy regulation in the U.S. is sectorial, with separate laws for different types of information, users, and situations, such as financial, student, or medical privacy,” the researchers explained. “Overall, U.S. privacy laws governing health information are limited and fragmented, with significant gaps in coverage.”
In response to those concerns, the ONC did update its MPN template. Recognizing that the original MPN was created in 2011, with help from the Federal Trade Commission, to focus on personal health records, the agency revised the guidelines last December, following a request for public comment that drew more than a dozen suggestions.
While regulators are feeling the heat for their struggles to regulate, several studies are also putting pressure on the mHealth industry, which in the past has been likened to the “Wild Wild West.”
“Given that some health and fitness apps can access sensitive, physiological data collected by sensors on a mobile phone, wearable or other device, their below-average performance is both unexpected and troubling,” the report states.
Other research indicates healthcare providers are moving so fast to adopt mHealth platforms that they, too, are neglecting privacy and security – and that could be hurting their efforts to attract new business and keep the patients they have.
Slightly less than half of the healthcare providers surveyed by device management company Jamf in December 2016 said they don’t have full control over the apps installed on their network, and 27 percent say they’re not fully confident in their mobile device management platform.
Providers are moving so quickly to embrace an mHealth platform that they’re not spending enough time and effort on privacy and security (the Jamf survey found that only 22 percent of the IT budget is spent on security). In fact, previous studies have found that health systems spend far more money on developing apps than they do on securing them, even as they know the risks.
“Mobile apps are often used by organizations to help keep customers ‘sticky,’ yet in the rush to bring new apps to market, organizations tend to overlook critical security measures that are proving crucial to consumer loyalty,” Patrick Kehoe, former CMO of Arxan Technologies, said in March, when that company’s survey found that 90 percent of healthcare executives feel their apps are “adequately secure,” while 86 percent of the most popular mHealth apps used by providers aren’t safe.
“Our research … demonstrates that mobile app security is an important element in customer retention,” he said. “Baking in robust mobile app security is not only a smart technology investment to keep the bad guys out, but also a smart business investment to help organizations differentiate from the competition and to achieve customer loyalty based on trust.”