The security of PHI is controlled by strict guidelines under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the subsequent Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009—yet not all apps follow these rules, and many are not required to do so.
Current mHealth Privacy Practices
A 2013 report from Privacy Rights Clearinghouse examining 43 popular health and fitness apps found disturbingly lax privacy practices. Only 43% of these apps offered links to their privacy policies, and roughly half of the publicly available policies were inaccurate with regard to the technical processes used to secure users’ information.
On many apps, particularly free apps, private information was transmitted without encryption or was provided to third parties without the users’ knowledge. As free apps are usually supported through advertising, their developers have a clear conflict of interest between users’ privacy and the increased ad revenue from specific audience data and targeting.
What HIPAA Covers
These apps would clearly not be in compliance with HIPAA standards, but HIPAA doesn’t apply to most mHealth apps. Rather, security is the developers’ prerogative. HIPAA covers devices and software only if they are used by healthcare providers, health insurance companies, and healthcare clearinghouses—a group collectively referred to as “covered entities”—and their “business associates.”
As a result, HIPAA does not apply to PHI on an app used privately by a patient. Even an app that a patient can use to transmit PHI to a doctor or other covered entity is not required to be HIPAA compliant, according to Mobi Health News. Once the information reaches the doctor, it is then covered, and the doctor cannot reply through a non-compliant app.
Though privacy is among the most serious challenges for mHealth, many professionally developed apps meet or exceed HIPAA regulations. Ideally, future regulations would offer clearer guidance as to which apps are HIPAA compliant. For now, patients need to protect themselves by researching any app that uses information they wish to keep private.