Digital Health Cos. Should Expect More Scrutiny Amid Growth
In this article for Law360, partner Chad Ehrenkranz and associates Robert Kantrowitz and Allison Beattie discuss the rise of digital healthcare apps, and the current and future state of the privacy and security issues that face them.
The U.S. digital health market is predicted to reach $240.65 billion in 2026, with a compound annual growth rate of 28.40% from 2022 to 2026.[1] Trends contributing to this growth include an upsurge in the number of health care apps, a surging occurrence of chronic diseases, increasing use of electronic health record systems and the growing importance of wearable devices.
Within the broader digital health market, the use of mobile health apps has increased as individuals rely on their mobile devices to do anything from tracking their sleep and eating habits to managing cardiovascular disease and diabetes. Over 350,000 health-related mobile apps are available in app stores worldwide, with more than 90,000 mobile health apps launched in 2020 alone.[2]
As the digital health market has grown, the privacy and security of patient data has become a focus of legislative, regulatory and interest group action.
Digital Health Apps Face Privacy and Security Issues
In recent years, however, adoption of these apps has been challenged by consumer concern over the privacy and security of their health data. These concerns are not unwarranted; recent years have seen an increased prevalence of high-profile data breaches and cases of health data misuse.
The COVID-19 pandemic only seemed to increase the unfortunate trend of cybersecurity breaches in the health care space.[3] Cyber criminals took advantage of the pandemic, targeting numerous health care entities with critical and sensitive patient data.
Breaches of protected health information, specifically, have continuously increased year over year. Digital health apps also face these challenges and have been found to be vulnerable to application program interface attacks, which could expose sensitive health information.
These technologies present unique health information privacy and security challenges for firms offering these services. One of these challenges is navigating the segmented regulatory framework.
Digital Health Apps Are Regulated in a Piecemeal Manner
Some states have implemented their own data privacy laws, but at the federal level, no single law governs the privacy and security of all health apps.
Instead, three main pillars regulate these issues: the Health Insurance Portability and Accountability Act, the Federal Food, Drug and Cosmetic Act, and the Federal Trade Commission Act.
FDA Oversight
The U.S. Food and Drug Administration enforces the FD&C Act, which regulates the safety and effectiveness of medical devices, including certain mobile medical apps.[4]
The FDA, however, focuses its regulatory oversight on a small subset of health apps that may affect the performance or functionality of regulated medical devices, or may pose a higher risk to patients if they do not work as intended.
The FDA provides guidance regarding its regulation of mobile apps and medical devices, and on April 8 it released its latest draft guidance regarding the cybersecurity of medical devices.[5]
A recently introduced bipartisan bill, the Strengthening Cybersecurity for Medical Devices Act, would require the FDA, in consultation with the Cybersecurity and Infrastructure Security Agency, to review cybersecurity industry guidance and make updates at least every two years, as appropriate.
The bill would also require the FDA to share information with health care professionals, device manufacturers and health systems to help identify and address cyber vulnerabilities.[6]
HIPAA Rules
The Health Insurance Portability and Accountability Act rules governing the privacy, security and breach of protected health information apply only to covered entities, their business associates and subcontractors of business associates.[7]
Health plans, health care clearinghouses and health care providers that submit health information in electronic form in connection with transactions are generally considered covered entities under HIPAA.[8]
Business associates and subcontractors are third parties that perform certain functions or services that involve access to protected health information on behalf of covered entities or other business associates.[9]
The HIPAA rules apply to digital health applications if the source of the information is a health care provider, health plan, employer or health care clearinghouse, and if either (1) the information received relates to the physical or mental health of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual, or (2) there is a reasonable basis to believe the information either identifies the individual or reasonably could be used to identify the individual.[10]
Mobile application developers may be considered HIPAA business associates subject to the HIPAA security rule and specific provisions of the HIPAA privacy and breach notification rules if they are working on behalf of HIPAA-covered entities. However, unless they are working on behalf of a covered entity, developers of digital health applications are generally not subject to HIPAA.
FTC Oversight
Many third-party mobile health apps are not subject to HIPAA or the FD&C Act regulations. The Federal Trade Commission appears determined to fill in this regulatory void.
On the privacy side, third-party mobile health apps may face accountability from the FTC through Section 5(a) of the FTC Act, which forbids unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.[11]
The FTC's recent enforcement action against Flo Health Inc. demonstrates its willingness to enforce the FTC Act against digital health app developers.
In June 2021, the FTC settled allegations that Flo, the developer, operator and seller of the Flo Period and Ovulation Tracker app, violated Section 5(a) of the FTC Act by sharing sensitive health data from millions of users of its app with marketing and analytics firms, including Meta Platforms Inc. and Google LLC.
Flo Health allegedly transmitted unencrypted, identifying health information to these firms despite its repeated representations that it would keep users' data private.
The FTC's health breach notification rule requires vendors of personal health records[12] that contain individually identifiable health information created or received by health care providers, and personal health record-related entities to notify U.S. consumers, the FTC and, in some cases, the media, if there is a breach of unsecured identifiable health information.[13]
Violations of the rule incur civil penalties of $43,792 per violation per day.[14] In September 2021, the FTC issued a policy statement interpreting the rule, in which the FTC signaled its intention to enforce it against certain digital health app developers that disclose consumer data in violation of the rule.[15]
The FTC has not stopped there. In May, the FTC published a blog post in which it asserted that Section 5 of the FTC Act "creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm."[16]
According to the FTC, a company that experiences a breach and fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act regardless of whether a specific state or federal breach notification law applies.[17]
This guidance has potentially broad and significant implications for companies, depending on how the FTC interprets a lack of proper breach disclosure as an unfair or deceptive trade practice.
However, the FTC could still choose to limit enforcement to instances where companies make misleading breach disclosures or fail to provide readily available information to mitigate specific harms.
Latest Outlook for Digital Health App Privacy
In an interview early this year, FTC Chair Lina Khan signaled that consumer data protections are a priority for the FTC going forward.[18]
The confirmation of Alvaro Bedoya to the commission on May 11 breaks a previous partisan deadlock and has already begun to fast-track the FTC's rulemaking process to implement data privacy and security measures.
On Aug. 11, the commission voted 3-2 to publish an advance notice of proposed rulemaking that will explore rules to crack down on harmful commercial surveillance and lax data security, and that seeks comments on the harms stemming from such surveillance and on what new rules are necessary to protect people's privacy and information.[19]
Even with regulatory movement, the FTC lacks legal authority to enforce data privacy in the same way a federal privacy law could.
New legislation could address some of the data privacy issues affecting digital health apps.
On June 21, members of the U.S. House of Representatives introduced the American Data Privacy and Protection Act, which was subsequently amended.[20]
As drafted, the ADPPA would likely apply to certain digital health apps because the legislation defines "covered entity" to include entities that determine the purposes and means of collecting, processing or transferring data and are subject to the FTC Act.
The act also defines "covered data" as information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique identifiers.[21]
In its current form, the ADPPA would apply to HIPAA-regulated entities, but covered entities in compliance with HIPAA would also be considered in compliance with the data security and protection requirements of the ADPPA.[22]
The bill would restrict the collection, processing or transferring of sensitive covered data, with certain exceptions.[23]
Sensitive covered data includes, inter alia, any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or health care condition or treatment of an individual, biometric information and genetic information.[24]
The bill also creates consumer data rights related to transparency and data ownership and control, requires corporate accountability for maintaining and protecting consumer data privacy, and empowers the FTC to enforce the ADPPA.[25]
Industry groups are also focused on privacy and security issues related to digital health apps.
On May 2, the American College of Physicians, the American Telemedicine Association and the Organization for the Review of Care and Health Applications announced their involvement with a new U.S. framework for assessing digital health technologies, including mobile apps and web-based tools used by health care providers and consumers.[26]
The goal of this framework is to be open and accessible for anyone to use, and to encourage the use and development of high quality, safe and effective digital health apps.[27]
In March, the Confidentiality Coalition and the Workgroup for Electronic Data Interchange penned a joint letter to the secretary of the U.S. Department of Commerce and the secretary of the U.S. Department of Health and Human Services, urging better protections for patient health data on third-party applications.[28]
The letter discussed challenges with apps not covered under HIPAA, and outlined a series of recommendations for improving the current environment.
Going Forward
Going forward, the privacy and security of patient data on digital health apps is likely to remain a focal point of legislative, regulatory and interest group action.
Moreover, we can expect to see an increased awareness from consumers and patients of how entities use their data through these health apps, and concern regarding the vulnerability of such data to breaches.
With the potential for both increased oversight and enforcement and decreased use or avoidance of health apps, developers and other companies in this space should be incentivized to reassure regulators and consumers that health data collected via these apps is appropriately used, shared and protected.
To start, developers should review their current privacy and security practices to assess their compliance with applicable regulatory requirements and guidance, as well as the latest industry standards.
This process should involve regularly reviewing and updating internal policies and procedures and personnel training related to the handling of health data. Additionally, developers should include privacy notices in the app designs that accurately reflect the company's data protection, use and disclosure practices.
Because breaches can lead to both regulatory enforcement and reputational harm and distrust among consumers, it behooves health apps to proactively prevent breaches and implement procedures and safeguards to quickly identify, end, mitigate and recover from potential breaches.
Chad Ehrenkranz is a partner, and Robert Kantrowitz and Allison Beattie are associates, at Kirkland & Ellis LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] United States $240+ Billion Digital Health Markets to 2026 - Upsurge in the Number of Healthcare Apps & Escalating Penetration of Electronic Health Record (EHR) Systems, GlobeNewswire (Apr. 21, 2022, 06:58 AM), https://www.globenewswire.com/en/news-release/2022/04/21/2426263/28124/en/United-States-240-Billion-Digital-Health-Markets-to-2026-Upsurge-in-the-Number-of-Healthcare-Apps-Escalating-Penetration-of-Electronic-Health-Record-EHR-Systems.html.
[2] Digital Health Trends 2021, Iqvia Institute for Human Data Science (July 2021), https://www.iqvia.com/-/media/iqvia/pdfs/institute-reports/digital-health-trends-2021/iqvia-institute-digital-health-trends-2021.pdf?&_=1654539356288.
[3] See, Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, U.S. Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR"), https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
[4] Federal Food, Drug, and Cosmetic Act, 21 U.S.C. § 9.
[5] Policy for Device Software Functions and Mobile Medical Applications — Guidance for Industry and Food and Drug Administration Staff, U.S. Food and Drug Administration (Sep. 27, 2019), https://www.fda.gov/media/80958/download; Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff — Draft Guidance, U.S. Food and Drug Administration (Apr. 8, 2022), DRAFT -Cybersecurity Guidance (April 8, 2022) (fda.gov), (This draft guidance replaces the 2018 draft version and is intended to further emphasize the importance of ensuring that devices are designed securely, enabling emerging cybersecurity risks to be mitigated throughout the Total Product Life Cycle, and to outline the FDA's recommendations more clearly for premarket submission content to address cybersecurity concerns).
[6] S. 4336 — 117th Cong. (2021 — 2022); Press Release: Young, Rosen Introduce Bipartisan Legislation to Strengthen Cybersecurity for Medical Devices (June 6, 2022), Young, Rosen Introduce Bipartisan Legislation to Strengthen Cybersecurity for Medical Devices | U.S. Senator Todd Young of Indiana (senate.gov).
[7] See, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, § 100 Stat. 2548 (1996), Health Information Technology for Economic and Clinical Health (HITECH) Act, Pub. L. No. 111-5, § 123 Stat. 226 (2009), and their implementing regulations.
[8] 45 CFR § 160.103.
[9] Id.
[10] See, 16 CFR § 318.2; 42 U.S.C. § 1320d(6).
[11] See, 15 U.S.C. § 45(a)(1).
[12] "Personal health record means an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual," and "PHR identifiable health information means 'individually identifiable health information,' as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information: (1) That is provided by or on behalf of the individual; and (2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual." 16 CFR 318.2.
[13] See, 16 CFR Part 318 (implementing section 13407 of the American Recovery and Reinvestment Act of 2009).
[14] Statement of the Commission: On Breaches by Health Apps and Other Connected Devices, FTC (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
[15] Id.
[16] Security Beyond Prevention: The Importance of Effective Breach Disclosures, FTC (May 20, 2022), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures.
[17] Id.
[18] See, CNBC Transcript: Federal Trade Commission Chair Lina Khan Speaks Exclusively with Andrew Ross Sorkin and Kara Swisher Live from Washington, D.C. Today, CNBC.com (Jan. 19, 2022), https://www.cnbc.com/2022/01/19/cnbc-transcript-federal-trade-commission-chair-lina-khan-speaks-exclusively-with-andrew-ross-sorkin-and-kara-swisher-live-from-washington-dc-today.html.
[19] FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices, FTC (Aug. 11, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices.
[20] H.R. 8152 — 117th Cong. (2021 — 2022); Congress.gov, https://www.congress.gov/bill/117th-congress/house-bill/8152/all-actions.
[21] H.R. 8152 — 117th Cong. (2021 — 2022) at Sec. 2(8)-(9).
[22] Id. at Sec. 404(a)(2)-(3).
[23] Id. at Sec. 102(a).
[24] Id. at Sec. 2(24).
[25] Id. at Title II-IV, (note that there are many other sections of the bill that are not mentioned here).
[26] American College of Physicians and the American Telemedicine Association Collaborate on New Digital Health Assessment Framework, American Telemedicine Association (May 2, 2022), https://www.americantelemed.org/press-releases/american-college-of-physicians-and-the-american-telemedicine-association-collaborate-on-new-digital-health-assessment-framework/.
[27] About the Framework, dhealthframework.org, https://dhealthframework.org/about-the-framework/.
[28] WEDI Joint Letter on 3rd Party Apps and Patient Data, wedi.org (Mar. 25, 2022), https://www.wedi.org/2022/03/25/wedi-joint-letter-on-3rd-party-apps-and-patient-data/.