This is the era of multiple devices and millions of apps. Phones, tablets, and smartwatches are filled with apps intended to make our lives easier. And it seems almost daily we read about how some – or all – of those apps are spying on our lives.
Many people don’t care. To some extent, I am one of those. “I don’t do anything so special in life that anyone will want to hack me” is how I feel about most of my internet presence. I happily share photos of my family, my dogs, and my travels.
But I do worry about money and health issues; those are the things that I feel need to be secure. So when my iPhone asked for access to my health information I was hesitant to share.
The iPhone comes standard with the “Health” app (Fitbit and other devices also take, store, and share health information). In the app, you can enter your health record data and share it with other health-related apps on your device. It can also pull such data from your other apps.
You can enter vitals, lab test results, and even track your reproductive health – where it asks for everything from your menstruation history, to sexual activity.
Wow. To say I was surprised to see this information on an app is an understatement.
Maybe I am old fashioned, but I cannot imagine grabbing my iPhone after sex and entering the event in; it’s akin to grabbing a cigarette in the old movies. And if you did enter it, if you ask Siri about the last time you had sex… would she answer? I will leave that alone for now.
Is your phone secure?
Naturally, I thought that if my phone wanted to hold my very private health information, it must be secure. So to play off the old movie reference, it’s For Your Eyes Only. But the app is not secured by any authentication of its own; once your phone is unlocked, the app is open.
So, if anyone gains access to your unlocked phone, guess what… they would quickly be able to learn your sexual activity, recent blood alcohol content, and anything else you happened to trust your handy-dandy iPhone with.
Of course, if that information is on your phone… guess who else has it? Apple, Google, Amazon, or whomever you have your backup account with.
As I look at my phone, I realize that I have access to all my information but so does Apple. Certainly the type of information Apple Health is seeking from me is my private health information; HIPAA calls it Protected Health Information (PHI).
Thus, it could be subject to HIPAA regulations. If so, it’s safe and secure under federal law. But is Apple an entity that would be subject to the privacy and security rules of HIPAA? Is Apple a Covered Entity (CE)? The answer is no.
HIPAA applies to doctors, hospitals, medical insurers, and other health care providers. They are what’s classified as CEs under HIPAA. So the people that normally treat you and deal with your medical records and billing have to comply with HIPAA. But merely holding medical records does not create a HIPAA obligation.
Further, other companies which support CEs can be subject to HIPAA as well – they are the Business Associates (BAs). Examples might be a medical device manufacturer, a hospital’s cleaning service, or a vendor that supports medical care in some way.
Tech companies aren’t restricted by HIPAA
Apple is none of these things. So Apple has no HIPAA requirement of privacy or security over my medical data. Likewise, Fitbit, Sprint, or whoever else holds the data is similarly NOT restricted by HIPAA. But they will have all my PHI… which is a scary thought.
As I read more and more about the medical profession and IT, it occurs to me that doctors and patients are using their smartphones to communicate. And we should ALL encourage more communication. But what if I use an app to share with my physician?
In that case the data gathered by the physician would likely come under the purview of HIPAA. But what if the app we are using, itself, is not secure (e.g. the Health App, or simply iMessage)?
Does the doctor need to comply with HIPAA privacy and security standards, even though we all know the data is already compromised by the patient’s method of delivery? I don’t know the answer to this one.
It would appear similar to a waiver of the attorney-client privilege when the information is shared in the presence of a third party. But, HIPAA has express provisions for when HIPAA can be waived; not a single word exists about an unintentional waiver.
Thus it would seem that a doctor would have to abide by HIPAA, even knowing that the patient has exposed the very records to others. Certainly you don’t want your doctor to send your records to anyone willy-nilly and have the defense be that you texted them to him/her. Once the doctor has the PHI, it’s protected.
But I have not seen anyone litigate this question.
HIPAA and the emerging tech world
Do we have HIPAA issues with our new-fangled “wearables”? The answer is… maybe. HIPAA does not apply to everyone. You can give your health records to whomever you want; after all HIPAA was created to protect “you” from unauthorized acts of “others”.
But HIPAA also clearly limits its application to what it calls Covered Entities and the Business Associates of those entities.
So you may want to think twice about entering any personal health data into your new device; it’s not secure as it sits on your device, and your cloud provider has no obligation to make it secure.
But if you provide any of that information to your health care provider, they will have an obligation to meet HIPAA’s requirements for privacy and security for the data they receive.