What information does the term “medical record” comprise, and what are the privacy and security safeguards of the devices that create, store and send it? How is that information safeguarded? These are questions to which regulators in the U.S. and Europe are paying greater attention. Health IT organizations would be well advised to consider the privacy implications of that information before they receive a cyber-knock at their virtual doors from the Federal Trade Commission (“FTC”), the U.S. Department of Health and Human Services or state attorneys general.
HIPAA, the U.S. federal law on health information privacy, mandates controls over identifiable health information created or received by healthcare providers and health plans. The laws and regulations of many states, including California, New York and Massachusetts, impose controls over personal information that often surpass HIPAA’s, and the FTC has recently increased its investigations and proceedings regarding health IT companies. The tension between technical innovation and government privacy regulation hums like electricity as the quantum of personal data increases and the devices that create, store and transmit it proliferate.
Examples of the privacy quandary abound. The New York Times reported on April 8, 2015 that John Hancock has begun offering a FitBit® monitor to its insureds in certain states. The device “can be set to automatically upload activity levels to the insurer,” in exchange for which the insured may receive a discount on his or her premium. Privacy experts have asked what activities will be monitored, who determines the levels, and whether the data will be protected from sale to third parties or from cyber attacks. While regulators in twenty states have approved the plan, the FTC may take a different point of view as it exercises its jurisdiction over unfair trade practices with respect to the insurer’s statements about safeguards for this information.
Similarly, the Wall Street Journal reported on April 13, 2015 that one company, drchrono, Inc., offers an application for physicians to view a patient’s medical record on the new Apple Watch. Activity information from the patient’s HealthKit iPhone app, sent to the physician for review on the drchrono platform on the Apple Watch or iPhone, may by default also be sent to Apple via iCloud. Yet Apple cautions developers for its HealthKit platform that “apps that store users’ health data in iCloud will be rejected.” It may take a breach or cyber attack before a governmental agency steps in to resolve this apparent inconsistency.
For further information on health IT device and application privacy and security compliance please contact Kenneth N. Rashbaum.