Trump Drops a Flurry of Nominees to Head FDA, OMB, CDC, and HUD
We Might Have a Problem With Trump's Labor Secretary Nominee
Trump Makes His Pick for Treasury Secretary
The Press Delivers a Fake News Trump Health Crisis, and the Bad Week...
Wisdom From the Founders: Madison and 'Gradual and Silent Encroachments'
CFPB Director Exemplifies the Worst of Washington Hypocrisy
Trump Victory: From Neocons to Americons
It’s Time to Make Healthcare Great Again
Deportation Is Necessary to Undo Harm Done at the Border
Do You Know Where the Migrant Children Are? Why States Can't Wait for...
Biden’s Union-Based Concerns Undercut U.S. Security and Jeopardize Steel Production
Joy Reid Spews Hate Toward Trump Supporters Once Again
America's National Debt Just Hit a New Record
The View Forced to Read Three Legal Notes Within Minutes of One Another...
Watch This ABC Reporter Goes on Massive Tangent Blaming Trump for Laken Riley's...
OPINION

Mobile Health Apps Need a Security Check-Up

The opinions expressed by columnists are their own and do not necessarily represent the views of Townhall.com.
Advertisement
Advertisement
Advertisement
AP Photo/Richard Drew

The age of mask and vaccine mandates has sparked important conversations about what employers, businesses and our government can ask about our personal health decisions. These discussions often reveal widespread misconceptions about who is responsible for keeping that information confidential and secure. Clarity on this issue is of utmost importance for consumers, especially with the rise of smartphone apps hungry for health data.

Advertisement

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created national standards for protecting individuals’ health information. Many people assume the law applies to any entity that might request or handle health information. In fact, the law only requires “covered entities” to protect patient privacy and security while they share information to provide high-quality care. Covered entities include health care providers, insurers, healthcare clearinghouses and “business associates” such as electronic health record developers and other organizations that serve covered entities. 

Health data that would be HIPAA-protected in the hands of healthcare companies can be used for any purpose, without federal privacy and security protections, when it is collected by big tech companies. Understanding this distinction is critical for privacy-conscious consumers amid the growing trend of health-related apps. 

The risk to consumers is real. On two separate occasions this year alone, the cybersecurity company Approov has reported on major security vulnerabilities affecting dozens of apps with millions of users. In February, Approov tested 30 mobile health apps covering 23 million users and found all of them to be vulnerable to hacking. In October, Approov was able to access more than 4 million patient and clinician records through the vulnerabilities. 

Personal health data is extremely attractive to hackers because of the value of a real, full medical record to bad actors. Health records can fetch prices 1,000 times higher than a Social Security number and 200 times higher than a credit card number, according to Experian. A hacked medical record can be worth as much as a stolen passport on the dark web. 

Advertisement

Even if it’s not stolen by hackers, health data that is not protected by HIPAA can be used and sold in ways patients never intended. We may be comfortable giving fitness trackers and other apps access to our personal data to alert us to health risks, remind us to take our medication, or even share important information with loved ones. But do we want Big Tech companies using that data to sell us advertising based on our private medical conditions or decisions or profile us for potential future employers, life insurers, or lenders?

It’s past time to close the “covered entity” loophole, especially since new regulations issued by the U.S. Department of Health and Human Services mandates health care organizations to share health data with app companies and big tech if they say they’re acting on a patient’s behalf. When health information moves from their electronic health record to a Big Tech firm, patients should be informed that their data is transferring from an entity that is required to protect their data and use it for certain purposes to a company that is not. Burying a disclaimer and broad data use rights in dense terms and conditions shouldn’t count. 

Better yet, the legislative and regulatory landscape needs to catch up with the technological advances in the 25 years since HIPAA became law. The Federal Trade Commission already views apps that handle health data as healthcare companies. In November the FTC told app makers to comply with the Health Breach Notifications Rules governing how and when healthcare companies must alert consumers to a data breach. 

Advertisement

The rest of the regulatory landscape should follow the FTC’s lead and Congress should update HIPAA for the mobile app age. Health apps that access and function as digital health records should be treated as such, and they should be required to protect users' privacy and secure their data to the same standard as providers, insurers, and other healthcare companies.

Ken Blackwell is an adviser to the Family Research Council and a member of the board of the Club For Growth.

Join the conversation as a VIP Member

Recommended

Trending on Townhall Videos