The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).
With news of Grindr’s sharing of user’s HIV status and location data, many wonder how such sensitive information could be so easily disclosed and the answer is quite simply a lack of strong privacy and security standards for apps. The question then becomes whether apps that store personal health information should be subject to HIPAA? Should apps like Grindr have to comply with the Privacy and Security Rules as doctors, insurance companies, and other covered entities already do?
A lot of people already think this information is protected by HIPAA as they do not realize that HIPAA only applies to “covered entities” (health care providers, health plans, and health care clearininghouses) and “business associates” (companies that contract with covered entities). Grindr is neither of these. Nor are most apps that address health issues – everything from apps with mental health tools to diet and exercise trackers. These apps can store all manner of information ranging simply from a name and birthdate to sensitive information including diagnoses and treatments.
Grindr is particularly striking because under HIPAA, there are extra protections for information including AIDS/HIV status, mental health diagnoses, genetics, and substance abuse history. Normally, this information is highly protected and rightly so given the potential for discrimination. The privacy laws surrounding this information were hard fought by patients and advocates who often experienced discrimination themselves.
However, there is another reason this is particularly important in Grindr’s case and that’s the issue of public health. Just a few days before it was revealed that the HIV status of users had been exposed, Grindr announced that it would push notifications through the app to remind users to get tested. This was lauded as a positive move and added to the culture created on this app of openness. Already users disclose their HIV status, which is a benefit for public health and reducing the spread of the disease. However, if users think that this information will be shared without explicit consent, they may be less likely to disclose their status. Thus, not having privacy and security standards for apps with sensitive personal health information, means these companies can easily share this information and break the users’ trust, at the expense of public health.
Trust is one of the same reasons HIPAA itself exists. When implemented correctly, the Privacy and Security Rules lend themselves to creating an environment of safety where individuals can disclose information that they may not want others to know. This then allows for discussion of mental health issues, sexually transmitted diseases, substance use issues, and other difficult topics. The consequences of which both impact the treatment plan for the individual and greater population health.
It would be sensible to apply a framework like HIPAA to apps to ensure the privacy and security of user data, but certainly some would challenge the idea. Some may make the excuse that is often already used in healthcare, that HIPAA stifles innovation undue burden on their industry and technology in general. While untrue, this rhetoric holds sway with government entities who may oversee these companies.
To that end, there is a question of who would regulate such a framework? Would it fall to the Office for Civil Rights (OCR) where HIPAA regulation is already overseen? The OCR itself is overburdened, taking months to assess even the smallest of HIPAA complaints. Would the FDA regulate compliance as they look to regulate more mobile apps that are tied to medical devices? Would the FCC have a roll? The question of who would regulate apps would be a fight in itself.
And finally, would this really increase privacy and security? HIPAA has been in effect for over two decades and yet still many covered entities fail to implement proper privacy and security protocols. This does not necessarily mean there shouldn’t be attempts to address these serious issues, but some might question whether the HIPAA framework would be the best model. Perhaps a new model, with new standards and consequences for noncompliance should be considered.
Regardless, it is time to start really addressing privacy and security of personal health information in apps. Last year, both Aetna and CVS Caremark violated patient privacy sending mail to patients where their HIV status could be seen through the envelope window. At present it seems these cases are under review with the OCR. But the OCR has been tough on these disclosures. In fact, in May 2017, St. Luke’s Roosevelt Hospital Center Inc. paid the OCR $387,200 in a settlement for a breach of privacy information including the HIV status of a patient. So the question is, if as a society, we recognize the serious nature of such disclosures, should we not look to prevent them in all settings – whether the information comes from a healthcare entity or an app?
With intense scrutiny of privacy and security in the media for all aspects of technology, increased regulation may be around the corner and the framework HIPAA creates may be worth applying to apps that contain personal health information.
About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.