Author:Tovino, Stacey A.


Consider a hypothetical involving a woman with a progressive neurological condition. (1) The woman, who wishes to advance the scientific understanding of her condition, volunteers to participate in a disease-progression research study led by an independent scientist. (2) The research study requires each participant to download and use a mobile application ("mobile app") that was designed by the independent scientist and that collects a number of data elements, including first and last name, date of birth, race, ethnicity, diagnosis, medications, family history, and real-time information regarding balance, gait, vision, cognition, and other measures of disease progression. (3)

Assume that, during the research study, the independent scientist decides to share the participants' identifiable data with other researchers worldwide without the participants' prior notification or authorization. (4) Further assume the scientist sells the participants' names, addresses, and diagnoses to a healthcare marketing company, also without the participants' prior notification or authorization. (5) Moreover, assume a hacker accesses the participants' data as the data travels from the participants' smartphones to the scientist's contracted, backend data collector, (6) resulting in additional, unauthorized disclosures of the participants' identifiable data. (7) Finally, assume the scientist neither notifies the participants of these unauthorized disclosures nor provides instructions to the participants regarding how they can minimize potential economic, dignitary, and psychological harms associated with the unauthorized disclosures. (8)

Although hypothetical, this fact pattern is based on several recent enforcement actions (9) involving healthcare providers that failed to maintain the privacy and security of individually identifiable health information collected during clinical encounters, thereby violating applicable federal privacy, security, and breach notification rules ("Rules") that implement the administrative simplification provisions within the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). (10) As background, the HIPAA Rules were designed to protect the privacy and security of individually identifiable health information created or maintained in the healthcare and health insurance contexts and to assist patients and insureds in protecting themselves in the event of a privacy or security breach. (11) Although HIPAA authorizes the federal government to impose civil and criminal penalties for violations of the HIPAA Rules, (12) the HIPAA Rules are limited in application to (1) health plans, healthcare clearinghouses, and those healthcare providers that transmit health information in electronic form in connection with standard transactions, including health insurance claims ("covered entities"); (13) and (2) persons or entities that access or use protected health information (PHI) to provide certain services to, or to perform certain functions on behalf of, covered entities ("business associates"). (14)

The HIPAA Rules do not regulate a number of individuals and institutions that collect, use, or disclose individually identifiable health information, including many independent scientists, (15) citizen scientists, (16) and patient researchers, (17) as well as some mobile-app developers and data storage companies that support them. (18) As a result, the voluminous and diverse data collected by some independent scientists who use mobile apps to conduct health research may be at risk for unregulated privacy and security breaches, (19) leading to dignitary, psychological, and economic harms for which the participants have few legally enforceable rights or remedies. (20)

Many academic and practitioner discussions regarding health-related big data have suggested new federal laws or amendments to existing federal laws in an attempt to create comprehensive privacy and security protections for otherwise unprotected data. (21) It is not clear, however, that the federal government has the desire or capacity to enforce expanded or new laws in this area. In a recent study, for example, the author found that a timely filed consumer complaint involving an actual violation of the HIPAA Rules over which the Office for Civil Rights within the Federal Department of Health and Human Services (HHS) has jurisdiction has a one-tenth of one percent (0.1%) chance of triggering a settlement or civil money penalty. (22) The author also showed that in those few cases that go to settlement or penalty, the federal government takes a significant amount of time--more than seven years in some cases--to execute the settlement agreement or to impose the civil money penalty. (23) The author concluded that the federal desire and capacity to enforce the HIPAA Rules appear to be low, resulting in a lack of timely attention to the privacy and security rights of individuals. (24)

This Article furthers this line of research by investigating whether non-sectoral state laws may serve as a viable source of privacy and security standards for mobile health research participants and other health data subjects until new federal laws are created or enforced. In particular, this Article (1) catalogues and analyzes the nonsectoral data privacy, security, and breach notification statutes of all fifty states and the District of Columbia; (2) applies these statutes to mobile-app-mediated health research conducted by independent scientists, citizen scientists, and patient researchers; and (3) proposes substantive amendments to state law that could help protect the privacy and security of all health data subjects, including mobile-app-mediated health research participants. (25)

This Article proceeds as follows: Part I provides background information regarding mobile apps and their use by independent scientists, citizen scientists, and patient researchers as well as conventional researchers who fall outside traditional sources of privacy and security regulation. After reviewing federal and international data privacy, security, and breach notification standards, Part II shows why some citizen scientists, independent researchers, and patient researchers, as well as the mobile-app developers and data storage and processing companies that support them, are not subject to such regulation.

Part III of this Article reports the results of a comprehensive survey of state privacy, security, and breach notification laws. In particular, Part III investigates the presence or absence in the statutes of each state and the District of Columbia of nonsectoral data privacy and security standards, including prior notification of and authorizations for the use and disclosure of individually identifiable data; administrative, technical, and physical data safeguards; and breach notification to individuals, government agencies, and consumer reporting agencies. Part III applies these rights and protections, when they exist, to individuals who conduct and support mobile-app-mediated health research. Part III finds that all jurisdictions have at least one potentially applicable breach notification statute, more than two-thirds of jurisdictions have at least one potentially applicable data security statute, and more than one quarter of jurisdictions have at least one potentially applicable data privacy statute. These findings suggest that states have the current or potential infrastructure to protect the privacy and security of mobile health research data and other health-related data that is not protected by traditional, federal health laws such as the HIPAA Rules.

Taking a nonsectoral approach to data privacy and security, this Article concludes by proposing amendments to breach notification statutes as well as content for states that lack generally applicable data privacy and security statutes. If adopted, these proposals could create cross-industry privacy and security protections that will benefit all health data subjects, including participants in mobile-app-mediated health research. This Article also considers the challenges and opportunities associated with both intra- and interindustry data privacy and security regulation. Although sectoral approaches to privacy and security made sense even a quarter of a century ago, the time has come for generally applicable forms of data protection.


Mobile apps are a fast-growing category of software typically installed on personal smartphones and wearable devices. (26) Used for a wide range of health-related activities, including fitness, health education, health prediction, diagnosis, healthcare delivery, treatment support, chronic disease management, health research, disease surveillance, and epidemic-outbreak tracking, among other activities, mobile apps have tremendous versatility and promise. (27) Mobile apps are currently used in almost every area of medicine and health, including dermatology, (28) maternal, newborn, and child health, (29) and communicable and contagious diseases, (30) just to name a few.

This Article focuses on the use of mobile apps for health-related research, concentrating in particular on mobile-app-mediated research conducted or participated in by independent scientists, citizen scientists, and patient researchers. As background, an independent scientist, also known as a rogue or lone scientist, is an individual who engages in scientific research without affiliation to a university, hospital, pharmaceutical company, research institute, government agency, or other third party. (31) A citizen scientist, also known as a community scientist, crowd scientist, or amateur scientist, is a member of the general public who engages in scientific work, sometimes in collaboration with or under the direction of a professional, affiliated scientist, and the...