HHS Should Regulate Consumer Health Apps and Wearables, ONC Says

August 15, 2016

The growing consumer health app and wearable device market poses a significant threat to the privacy and security of protected health information (PHI) and Congress must act to close policy gaps, the Office of the National Coordinator of Health IT (ONC) said in a recent report.

The July report, Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA, outlines how consumer health apps and wearables are taking a larger role in collecting health data and how these services and devices fit into the existing patchwork of federal and state regulations.

The majority of consumer-facing health apps and wearable devices are produced or managed by non-covered entities (NCEs)—organizations not subject to HIPAA—although this data may be shared with covered entities (CEs) or business associates (BAs). NCE-developed devices and services have the potential to boost patient engagement and give providers access to real-time data. A study published in the Journal of Medical Toxicology suggests that wearable devices could help opioid users stick to rehabilitation programs and allow providers to better manage medication and recovery. The diabetes management app market has grown rapidly, giving providers and patients a wide range of products to choose from.

However, NCE apps and wearables are not subject to national security and privacy standards for PHI, and consumer rights to PHI shared with NCEs are unclear, the ONC’s report said. Consumer apps and devices generally collect and store user health information, but NCEs may also share this information with third parties without informing users, according to a July 19 ONC blog post. Most NCEs are also not covered by the Federal Trade Commission’s (FTC) consumer protection prohibitions or by state privacy laws that require stricter privacy protections than those offered by HIPAA for certain sensitive clinical information. Many consumers agree to an app’s or wearable’s terms of use without understanding that the organization is not covered by HIPAA and that, therefore, any information they share with an NCE is not subject to Security Rule or Breach Notification Rule requirements.

In addition, HIPAA provides individuals with a measure of control over, and a right of access to, their own health information. Although NCEs may grant individuals access to their own information, they are not legally required to do so. Agencies in the private and public sectors have created voluntary privacy and security guidance and codes of conduct for NCEs in the health app and wearable market, but these are not adequate, the report said.

The ONC also raises concerns that confusion about HIPAA and state privacy and security laws among consumers and entrepreneurs in the health app and wearable market may slow development and use of beneficial products.

The report suggests the FTC and HHS are best equipped to develop and administer national requirements for NCEs. Uniform national standards will create clarity for consumers and developers, reduce security vulnerabilities, and support the move to patient-centered healthcare, the report concludes.
