With so much attention in the news lately about data privacy online, we thought it important to give you as much information as possible as it relates to your medical data.
According to this article we found on healthdatamanagement.com, many of the apps that collect data are not subject to the Health Insurance Portability and Accountability Act (HIPAA).
“Apps that collect information from consumers—and not on behalf of a provider, health plan or healthcare clearinghouse—are not subject to the Health Insurance Portability and Accountability Act (HIPAA) as either a covered entity or business associate. As a result, developers are not required under HIPAA to protect the privacy and security of consumers’ health data, which is not considered protected health information (PHI). It’s a loophole that has gotten the attention of lawmakers in the Zuckerberg hearings.”
Below are some other takeaways from Zuckerberg’s congressional testimony regarding health data privacy:
- Tougher privacy legislation may be coming soon
Some lawmakers would like to give consumers opt-in or opt-out rights for sharing certain sensitive data, including health information, with third parties. The proposed bill designates the Federal Trade Commission (FTC) as the nation’s sole online privacy enforcer and treats ISPs and edge providers equally.
- No HIPAA oversight for consumer data
Some lawmakers do not believe that Facebook’s self-policing is enough to ensure that consumer data, such as health data and information, is sufficiently protected. Privacy rules exist in other sectors, such as HIPAA for healthcare, and Gramm-Leach-Bliley and the Fair Credit Reporting Act for financial data. No comparable privacy rules apply to Facebook.
- Facebook’s use of consumer data is unclear
Rep. Kathy Castor (D-Fla.) charged that Facebook was tracking everyone’s online activities, including their searches, what they buy, and their medical and health data. Zuckerberg disagreed with that characterization.
- Facebook has taken steps to protect consumers but needs to do more
Zuckerberg said, “We’re removing developers’ access to your data if you haven’t used their app in three months. We’re reducing the data you give an app when you approve it to only your name, profile photo, and email address—that’s a lot less than apps can get on any other major app platform. We’re requiring developers to not only get approval but also to sign a contract that imposes strict requirements in order to ask anyone for access to their posts or other private data.”
Which Apps Protect Your Privacy and Which Do Not?
According to the WSGR Data Advisor, the Department of Health and Human Services (HHS) describes four examples of health app developers that are likely not regulated by HIPAA:
- A health app used by consumers to input and monitor health information without the involvement of a healthcare provider.
- A health app that permits consumers to submit their own information and to upload, for personal use, health information separately obtained from a healthcare provider.
- A health app recommended by a healthcare provider to a patient when the app developer does not have a business relationship with the provider and the app collects health information and sends summary reports to the provider. The HHS guide states, “The consumer’s use of an app to transmit data to a covered entity does not by itself make the app developer a [business associate] of the covered entity.”
- A health app that permits users to submit information and transmit it to a healthcare provider and to access test results from the provider, where a consumer requests that the app developer and healthcare provider enter into an interoperability agreement to facilitate secure information exchanges. The HHS guide states, “The interoperability arrangement alone does not create a [business associate] relationship because the arrangement exists to facilitate access initiated by the consumer.”
The HHS guidance also describes two examples where health app developers are likely regulated by HIPAA:
- A healthcare provider contracts with an application developer to create an app for patient management services, including remote patient health counseling, monitoring of patients’ food and exercise, patient messaging, and EHR integration. Information from the mobile application is automatically incorporated into the healthcare provider’s EHR.
- A health plan offers a PHR app to manage health plan records, including claims and coverage decisions, provide wellness activity tracking, and analyze health information. The app developer also offers a direct-to-consumer version to manage health records, improve health habits, and send information to healthcare providers. According to the HHS guide, only the health plan app—and not the direct-to-consumer app—makes the app developer a business associate under HIPAA. As long as the app developer separates the two apps, the app developer has HIPAA obligations only with respect to the health plan app.
If any of this leaves you wondering about your private health data with Urgent Care at Peachtree and Urgent Care at Druid Hills, here’s what you need to know:
- Your personal and health data are protected under HIPAA and will not be used for any purpose other than your medical record. If you need a specialist, your information will be shared only with your written consent.
- Your email address may be used for occasional health-related information and updates from Urgent Care at Peachtree and Urgent Care at Druid Hills. You can opt out of this at any time. It will never be shared or sold.
- While other urgent care centers that are affiliated with a hospital or physicians group may share your information with that group (for example, you may receive an unsolicited referral letter to a specialist based solely on your diagnosis), we have no such affiliations and do not share your health data in that way.