Majority of Americans Mistakenly Believe Health App Data is … – HIPAA Journal
Majority of Americans Mistakenly Believe Health App Data is Covered by HIPAA
There is a common misconception that the Health Insurance Portability and Accountability Act (HIPAA) applies to health apps; however, the majority of health apps are not covered by HIPAA nor is the health information collected, stored, or transmitted by the apps.
HIPAA applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and vendors used by those entities, which are classed as business associates. While health apps may collect some of the exact same health data that is maintained by HIPAA-covered entities, the information collected by health apps is not subject to the same privacy and security standards. As such, health information collected by health apps may be transmitted to third parties, sold, or used for purposes that are not permitted under HIPAA.
According to a recent ClearDATA Harris Poll survey of 2,000 U.S. adults, 68% of respondents said they were very or somewhat familiar with HIPAA, yet 81% of respondents believed that the health data collected by digital health apps is covered by HIPAA and subject to its Privacy and Security Rules. As such, many users of health apps are likely to be unaware that any health data entered into the apps could be legally sold to third parties.
The survey also revealed that health information privacy is not a key factor for Americans when choosing personal health apps. 58% of respondents who have used digital health apps said they had not considered how the information entered into those apps would be used. Health information privacy is also not a major concern when seeking healthcare services, with only 27% of respondents considering whether their data is secure when choosing a provider.
The main considerations are whether the provider accepts their insurance (68%), whether they can see a doctor face to face (49%), and if they can be treated quickly (41%). This was especially true with younger Americans, with 54% of respondents in that age range saying health data privacy is less important to them than convenience, compared to 69% of those over 65 who place greater value on privacy and security than convenience.
While HIPAA does not apply to most digital health apps, digital health companies are required to comply with the Federal Trade Commission (FTC) Act and must issue notifications to consumers in the event of a breach of health data under the Health Breach Notification Rule. The FTC has only recently started enforcing the Health Breach Notification Rule, despite the rule being in effect for a decade, and its recent enforcement actions indicate digital health companies have been disclosing sensitive health data to third parties and have not been informing consumers.
The FTC recently published a notice of proposed rulemaking that seeks to clarify that the Health Breach Notification Rule applies to health apps and other similar direct-to-consumer technologies such as fitness trackers. “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
Representatives Adam Schiff (D-CA), Seth Magaziner (D-RI), André Carson (D-IN), Sara Jacobs (D-CA), Greg Casar (D-TX), and Kim Schrier, M.D. (D-WA) recently expressed their support for the proposed changes to strengthen the Health Breach Notification Rule given that the FTC’s recent enforcement actions uncovered disclosures of sensitive health information and deceptive business practices. “We agree with the assertion by FTC that apps that provide health services to users and have personal health records (PHR) qualify as vendors of personal health records and must be regulated as such,” wrote the congress members. “There is a need for much greater transparency when this data is mishandled, and the FTC rule will require these apps to notify individuals, the FTC, and in some cases the media of a breach of unsecured personally identifiable health information.” They also expressed their support for the FTC’s requirement for health app providers to clearly explain the potential harm that could stem from data breaches and name the third parties that may have acquired unsecured personal health information.