How consumer health, fitness devices reveal HIPAA's blurry lines

By Jonah Comstock

Last week at HIMSS, ONC Chief Privacy Officer Lucia Savage talked about what HIPAA doesn't say. On Thursday, her predecessor, former ONC privacy chief Joy Pritts, talked about what HIPAA doesn't cover. Pritts, now a consultant, was joined by Morgan Reed, the executive director of ACT The App Association, in a talk about pitfalls providers can fall into when it comes to patient data privacy.

"If I go online and I fill out a health risk assessment just on my own -- I think, this is a cool thing to do, I’m gonna check it out -- that’s not covered by HIPAA, and what that company does with that data is not subject to HIPAA privacy rules," Pritts said. "So you go to almost the same website but they have another page and that page is being offered on behalf of a covered entity, that’s covered by HIPAA. And it can be difficult for companies to know when they’re crossing that line."

This uncertainy only increases when it comes to consumer activity trackers, she added.

"If you go to the doctor and they say ‘you really should be using a fitness monitor’ and they name a particular brand, does that mean that it’s covered by HIPAA?" she said. "No. They’re just making a suggestion to you. If, on the other hand, a healthcare provider like a big hospital system decided they wanted to get all their patients on one device so they could monitor them carefully, and then they brand it with their name and it says 'ABC Hospital', that brings it within HIPAA."

Consumer fitness devices that aren't covered by HIPAA can do anything with patients' data, as long as patients sign off in the app's terms of service, including, in many cases, sell it to third-party advertisers. And even if that isn't the provider's problem according to ONC, it's still their problem in a reputational sense.

"They’re not legally responsible for that, but they’re very concerned about how that might impact them," Pritts said. "They care about their reputation. So if a provider recommends an app, and it’s selling data as its business model, that may come back to haunt the provider. Not that they’ve done anything wrong, but they kind of recommended something to a patient that may be good for the patient’s physical health, but not for their confidentiality or their privacy."

"In short, liability is often not your primary concern but reputational liability is going to be a big one," Reed added. "And the reality is that you may not want to spend the time to dig through privacy policies or pay a lawyer, but if you’re going to recommend something to a patient, it is absolutely essential that someone in your office go through that privacy policy."

Another area where providers can accidentally run afoul of HIPAA is when working with software developers. Even if those developers are business associates under HIPAA, the nature of software is that every SDK the developer uses also needs to be scrutinized.

"Software is like Lego [bricks]," Reed said. "[A developer says] I have an idea, I’ll build a central core product. But then, I need graphics, I’ll use a third-party toolkit to add some graphic elements. Oh, I need analytics, I’ll go to Flurry and I’ll add a third-party analytics tool. ... Well each one of those third-party toolkits has to have it’s own monetization model. A shocking number of them are ad revenue-based. So for example Flurry, which is one of the largest analytic providers for mobile, is actually an ad network. It’s a great analytics tool, but it takes all that data and drives it into targeted behavioral advertising."

The best way to guard against this is to have real conversations with developers and ask probing questions. In a similar vein, Pritts and Reed noted, the medical world and the larger tech world can have different definitions of "deidentified data" so it pays to explicitly define terms like that when working with vendors and drafting business agreements.

"[When it comes to patient-generated health data] most physicians we’ve talked to are definitely pushing for 'I don’t want that comingled with the data I’ve created myself'," Reed said. "That is something we will see move over time, but a lot of it will come down to how do we reduce the liability and the risks and the uncertainty from a physician who might be absorbing that data."