Urgent Federal Privacy Concerns Are Likely to Trigger a Digital Health Winter
As the CEO of Medigram, the Mobile Medicine company, and editor of the best-selling book Mobile Medicine: Overcoming People, Culture, and Governance (Taylor & Francis 2021), we follow laws, regulations, and enforcement around digital and mobile health very closely. That's why we were stunned by Wednesday's statement from the Office of Civil Rights under HHS [1]. It is the boldest published guidance that a number of us have seen in our careers, though potentially not bold enough. Most cybersecurity experts we know are going beyond the HHS statement to advise deleting health apps in use cases where patients contribute their own health information.
Wednesday's June 29, 2022 federal guidance suggests that people stop using many apps for health purposes and turn off any health app's location services function. Whether or not the app is covered under HIPAA may be less important than one thinks, as noted leading health privacy lawyer Peter McLaughlin observed in a comment on LinkedIn [2]. One key question for any lay person (or physician advising patients) is whether the specific app maker has a contract with a health system or insurance plan: is the app maker contracted with a covered entity, with a legal business associate agreement in place? If it is, then the patient might have some nominal privacy protections, though patients should be counseled on what those privacy protections under HIPAA actually are. If the app maker is not a business associate and is therefore not covered by HIPAA, the federal guidance can be interpreted to suggest that patients may be advised not to use that application. The guidance also explains how to turn off location services for health and other apps.
Further, most privacy experts don't believe that HIPAA protects patient privacy in state legal matters [3].
There are life-threatening women's health cases that the medical community is very concerned about from a medical ethics perspective relative to a woman's survival. These conditions include ectopic pregnancy, septic uterus, and natural miscarriage in which the body does not release the pregnancy; if left untreated, any of these events can and does result in a woman's death. In the latter case of involuntary miscarriage, one concern is the use of non-private data, and even data designated "private" under HIPAA, toward the potential criminalization of both patients and physicians in a health event, even if the scenario is unrelated to an actually performed or induced abortion.
We predict a near- to mid-term digital health winter, specifically for consumer apps, due in large part to these recent events, which have laid bare privacy and other concerns insiders have long held about digital health. Health system and medical technology ecosystem executives need to have crystal clarity right now on both HIPAA-covered and non-HIPAA-covered applications. They must understand immediately how the existing privacy protections (or lack thereof) for applications affect the safety and wellbeing of both patients and clinical staff.
From a market perspective, this obviously does not affect all patients; still, one of the reasons we predict a digital health winter is that the largest segment of repeat telehealth users is younger female patients [4].
[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html
By Sherri Douville, CEO at Medigram, the Mobile Medicine company. Recognized in 8 categories of top CEOs by Board Room Media (across SMS, mHealth, iOS, IT, Database, Big Data, Android, Healthcare). Top-ranked medical market executive worldwide and #1 ranked in mobile technology categories (mHealth, iOS, Android), #1–2 (on any given day) for the cybersecurity market in the U.S. on Crunchbase. Best-selling editor/author of Mobile Medicine: Overcoming People, Culture, and Governance and Advanced Health Technology: Managing Risk While Tackling Barriers to Rapid Acceleration, Taylor & Francis; Series Editor for Trustworthy Technology & Innovation and Trustworthy Technology & Innovation in Healthcare (contracted to advise top academic and professional education publisher Routledge, Taylor & Francis).
Sherri is the co-chair of the IEEE/UL JV for the technical trust standard SG project for Clinical IoT in medicine, P2933. She is passionate about redefining technology, software, and data for medicine and advanced health technologies in a way that is worthy of the trust of clinicians, our family, and friends. Ms. Douville leverages her books to inform her work on the CHIME CDH security specialization certification. She also advises and co-founded the Cybersecurity curriculum for the Black Corporate Board Readiness and Women's Corporate Board Readiness programs at Santa Clara University.