Health IT companies are aiming to go where the patients spend their time and get their information and increasingly, that’s the mobile device. But while the plethora of health care mobile apps gives patients countless choices, the stark reality is that there’s no requirement that commercially available apps comply with federal law intended to protect patient information and patient privacy.
HIPAA only covers mobile apps when they are offered by health care providers or insurance companies. Patients might mistakenly believe that health information stored in an app or a personal health record (PHR), such as Microsoft’s HealthVault, is covered by HIPAA protections. It’s not.
“While some commercial PHRs may advertise themselves as ‘HIPAA-compliant,’ the only privacy protections they offer are those in their own privacy notices and practices, which they may change at any time,” Devan McGraw and Susan Ingargiola write in a post on California HealthOnline.
Patients find some protection under the HITECH Act. That law requires that vendors who offer PHRs and apps notify patients if there is a breach of patient health information. But McGraw and Ingargiola point out that this notification happens only after a breach.
If you’re a health care app developer or vendor, you might want to get acquainted with the new California law. It could point the way to changes in other states, or even at the federal level. U.S. Representatives Tom Marino of Pennsylvania and Peter DeFazio of Oregon recently sent a letter to Health and Human Services Secretary Sylvia Burwell asking for clarification on how HIPAA applies to mobile apps. That means HIPAA may yet catch up to California’s expanded patient protections. To learn more, contact us.