Digital Health Privacy: Old Laws Meet New Technologies

Jurisdiction: United States, Federal
Citation: Vol. 27 No. 1
Publication year: 2018
Author: Reece Hirsch and Jenny Harrison
Topics: Federal, Health Law, Technology, Consumer Law
I. INTRODUCTION

When the Health Insurance Portability and Accountability Act ("HIPAA") was enacted in 1996, the smartphone was not even a gleam in Steve Jobs' eye, and mobile health apps and cloud computing did not exist. Even though the primary regulations implementing and amending HIPAA became effective in 2003, 2005, and 2013, regulators and lawmakers continue to play catch-up, striving to apply HIPAA's regulatory framework to an ever-evolving technology landscape.

Recent years have seen the proliferation of devices and applications that permit consumers to create, store and share health information like never before, from activity trackers to personal health records ("PHRs"). This type of information, which exists outside the traditional medical record maintained by healthcare providers, is often referred to as "consumer-generated health information" ("CHI"), and it has caught the attention of the regulators.2

The main regulators of the digital health field are the Department of Health and Human Services Office for Civil Rights ("OCR") and the Federal Trade Commission ("FTC"), along with state attorneys general. OCR has jurisdiction under HIPAA to regulate HIPAA-covered entities (i.e., healthcare providers that engage in standard electronic transactions, health plans, or healthcare clearinghouses) and business associates of those entities. The FTC derives its jurisdiction from Section 5 of the Federal Trade Commission Act (the "FTC Act"), which empowers the agency to regulate "unfair or deceptive acts or practices." A business may fall under the FTC's authority if it makes an inaccurate or misleading statement in its website privacy policy (a potentially deceptive practice) or has inadequate security that is inherently unfair or harmful to consumers (a potentially unfair practice).

State attorneys general have authority to regulate unfair and deceptive practices that parallels the FTC's, under the so-called "baby FTC Acts." State AGs have also had the authority to enforce HIPAA since the 2009 enactment of the Health Information Technology for Economic and Clinical Health ("HITECH") Act, which amended HIPAA. This article will review (i) how HIPAA privacy and security standards are being applied to new technologies like mobile health apps, activity trackers, personal health records and cloud computing vendors, and (ii) how to determine which agencies have the authority to regulate these new domains, and under what circumstances.

[Page 21]

II. OCR'S JURISDICTION AND APPLICATION OF HIPAA

HIPAA's privacy and security requirements apply only to a limited group of covered entities: healthcare providers that engage in standard electronic transactions, health plans, healthcare clearinghouses, and business associates of those entities. A mobile app developer that collects health information may be subject to HIPAA's requirements, but only if it is considered a business associate of a covered entity.

A. Who Qualifies as a Business Associate?

Under HIPAA, a business associate is a person or entity acting on behalf of a covered entity that creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA (i.e., a covered entity function).3 If an entity is found to be a business associate, then it must comply with certain security and privacy requirements. The key question for many companies is whether the company is "acting on behalf of a covered entity." If a company provides a service directly to the consumer, then it is not a business associate, because an individual patient or consumer is not a covered entity. However, a company may be a business associate if it provides the same service to individual patients or health plan members on behalf of a covered entity.

One practical litmus test for the "acting on behalf of" question is who pays for the service. If the consumer is the customer and pays directly for the service, then the company is most likely not a business associate. However, if a covered entity is the customer, then the company is most likely a business associate and would be subject to HIPAA regulation. There is a gray area when a provider only partially pays for the service, for example if the provider pays only 75% of a fee or provides a partial rebate. OCR has yet to issue sufficient guidance to resolve some of these questions, so it is up to the developer to assess its connection to covered entities and to determine whether or not it qualifies as a business associate.

B. Consequences of Business Associate Status

If a company is a business associate, it is governed by the HIPAA privacy rules and may only use and disclose PHI as provided in the company's business associate agreements with covered-entity customers. If a company is not a business associate, then its privacy policies are governed by FTC privacy principles and the terms of the company's own posted privacy policy. Thus, business associate status has an enormous impact on the business's information collection and disclosure practices. As a business associate, a developer can, with limited exceptions, only use and disclose PHI to provide the contracted services to the covered entity. If the company is not a business associate, it will have greater latitude to use and disclose collected personal information, so long as there is disclosure and appropriate consent obtained through the privacy policy.

Because different privacy and security standards apply depending on the developer's business associate status, it may be necessary to segregate personal information if the developer has both business associate and direct-to-consumer operations.

[Page 22]

III. APPLYING EXISTING LAWS TO NEW TECHNOLOGIES

Each year brings the introduction of new devices and applications that collect, use, and disclose CHI and PHI. Existing privacy regulatory regimes typically do not contemplate, and may be a poor fit for, these new technologies. In the face of this onslaught, federal and state regulators have tried different enforcement strategies to keep pace with new technological advances and societal trends.

A. Mobile Apps

There are thousands of health-related mobile apps that collect and track health information, connect patients with their healthcare providers, or provide...
