Consumers are increasingly using personal health records and mobile health applications to store their health information and to track and improve their health. However, federal privacy and security protections for health information stored in certain PHRs and in most mobile apps are spotty.
Recognizing this, California enacted legislation (AB 658) to protect the confidentiality of health information maintained in these increasingly popular tools. This law has important implications for consumers, developers of consumer-facing health tools and the quality of privacy and security protections afforded to health information stored in some PHRs and mobile health apps.
Background on PHRs and Mobile Health Apps
According to the California Privacy Protection and Enforcement Unit of the California Department of Justice, PHRs are defined as “Internet-based applications that allow you to gather, store, manage and, in some cases, share information about your health or the health of someone in your care.” The HITECH Act defines them as electronic records of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual.”
There are many ways for consumers to access PHRs and mobile health apps. Health care providers are increasingly offering PHRs as a service to their patients. Commercial vendors also offer PHRs and mobile health apps directly to consumers (often for a fee). One example of the latter is Microsoft’s HealthVault, which maintains a person’s medical information in one place so the individual may access it or have it disclosed to the appropriate health care provider. Similarly, mobile health apps often allow patients to track their information and help them change their behaviors.
Federal Privacy and Security Framework
Health information in PHRs and mobile health apps is not comprehensively regulated under HIPAA. This is because HIPAA only covers PHRs when they are offered by HIPAA-covered entities (such as health care providers or payers) or by contractors (known as “business associates”) acting on their behalf. HIPAA does not apply to freestanding PHRs (e.g., HealthVault) that are not offered by HIPAA-covered entities. While some commercial PHRs may advertise themselves as “HIPAA-compliant,” the only privacy protections they offer are those in their own privacy notices and practices, which they may change at any time.
Another federal statute applicable to PHRs and mobile apps offered by for-profit organizations is the Federal Trade Commission (FTC) Act. This law gives FTC the authority to crack down on “unfair” and “deceptive” trade practices. An example of a “deceptive” trade practice is failure by a PHR or mobile app vendor to protect data to the extent stated in their policies or advertising. FTC also has held companies accountable for failing to adopt reasonable security precautions. However, because FTC does not set detailed requirements for either data privacy or security, protections for patient-generated health information not protected by HIPAA are much more dependent on the discretion of the technology vendor and the current priorities and resources of FTC.
Further, under the HITECH Act, vendors of PHRs (and apps offered through PHRs) not covered by HIPAA must notify individuals in the event of a breach of patient health information. FTC enforces this requirement, which provides some protection but only after a breach has already occurred.
California Privacy and Security Framework
The principal California state law addressing the privacy and security of health information is the Confidentiality of Medical Information Act (CMIA), which lists permitted uses and disclosures of “medical information” for entities covered by the law, similar to HIPAA. Entities covered by CMIA have historically included health care providers, health services plans and individuals and businesses that contract with these entities for work that involves access to medical information. A few years ago, California enacted legislation to extend CMIA to cover “[a]ny business organized for the primary purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care.”
Prior to California’s enactment of AB 658, it was unclear whether non-health care-related vendors of PHRs and mobile health apps met the requirement of being “organized for the primary purpose” described above, casting doubt on whether they were subject to CMIA’s requirements.
Scope of AB 658
AB 658, which went into effect in January, addressed this issue, providing that any business that offers a PHR or other digital tool designed to maintain “medical information” for a broad array of purposes is subject to CMIA. As amended by AB 658, CMIA applies to “[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information … in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment or management of a medical condition of the individual.”
The law applies to software or hardware that maintains “medical information,” which is limited to individually identifiable information regarding a patient’s medical history, mental or physical condition, or treatment that is either in the possession of or is derived from a health care provider, health plan, pharmaceutical company or contractor thereof. This means that CMIA may not reach all PHRs and mobile health apps.
For example, if a PHR or mobile health app pulls information directly from a health care provider’s electronic health record, it is now covered under CMIA (and this probably applies even if the PHR or mobile app also includes information that an individual self-enters). However, if a PHR or mobile app only contains information an individual enters directly or that comes directly from an individual’s device (e.g., fitness apps that keep track of individuals’ weight or exercise regimens), it is not covered under CMIA.
Less clear is whether CMIA covers PHRs and other apps to which individuals upload copies of their physicians’ treatment notes, which would appear to meet the requirement of being “derived from” a health care provider.
Effect of AB 658
CMIA expressly permits entities to use and disclose medical information for a host of purposes without individual authorization. As under HIPAA, these include disclosures for treatment, payment and various health care operations (which include certain administrative, financial, legal and quality improvement activities of an entity that are necessary to run its business and to support the core functions of treatment and payment). These disclosures are common business activities for health care entities but are an odd fit for the business model of most PHRs and mobile apps.
Businesses newly subject to CMIA also must now comply with a host of restrictions on what they can do with the medical information they store. For example, except for the permitted uses described above or where required by law, they may not disclose information regarding an individual without first obtaining the individual’s authorization, which must be written and satisfy precise requirements (e.g., it must list the specific uses and limitations on the types of medical information to be disclosed).
Given that most mobile apps obtain user consent through general assent to terms and conditions, the effect of extending CMIA’s authorization requirements to mobile app developers could be significant. This specific authorization requirement also extends to marketing and other commercial uses of medical information. Newly covered businesses that have a business model that includes the sale or marketing use of certain customer information that meets the definition of medical information will have to change their business model or obtain their customers’ specific authorization. Failure to comply with the law could result in penalties of nominal damages of $1,000 and the amount of actual damages, if any, sustained by the patient, as well as administrative fines and possible civil and criminal penalties.
For certain mobile health app developers, CMIA will set minimum legal requirements for privacy and security protections, but the private sector is free to establish more stringent policies.
Apple’s new HealthKit application programming interface — which will allow mobile apps to collect and store health data from different sources and enable those apps to share health information between patients and doctors — reportedly has established more stringent protections. These include, but are not limited to, prohibiting use of HealthKit by:
- Apps that store users’ health information in iCloud;
- Apps that share user data acquired via the HealthKit API with third parties without user consent; and
Apple has also stated that apps must not use data gathered from the HealthKit APIs for advertising or other use-based data mining. This goes a step further than CMIA by outright prohibiting uses of data that CMIA would permit with specific user authorization. How Apple plans to enforce these provisions — and their effect on the mobile health app market — is uncertain.
Federal privacy protections under HIPAA are limited to traditional health care entities (such as providers and insurers) and their contractors. California’s new law is progressive in that it holds many different types of organizations (e.g., software vendors and others not connected to the health care system) to confidentiality standards and medical information disclosure rules that have traditionally been reserved for health care entities. As a result, the law’s applicability is broad and its effect uncertain.
At its core, California’s new law is designed to ensure that all business entities that access, use and disclose identifiable health information are held legally accountable for complying with some baseline privacy and security obligations. However, whether these recent expansions to CMIA will suffice to provide comprehensive protections for individuals and whether they will result in unintended consequences for PHR and mobile app developers remains to be seen. What appears clear is that PHR and mobile app developers should be vigilant about determining whether they are subject to CMIA as a result of AB 658 and, if so, what changes they may have to make to their operations to ensure they do not run afoul of the law.