When HIPAA Does Not Apply: Privacy Considerations for Health Care Products and Services
New technologies may pose a problem for patients' privacy.
The following is part 1 of a 2-part series addressing privacy considerations for products and services affecting patients with diabetes where HIPAA does not apply.
Patients and health care providers currently have many tools to manage diabetes, including mobile health (mHealth) tools; consumer-facing products such as smart health trackers and wearables; applications (apps) that use an attachment to a mobile device to measure blood glucose levels; and websites, apps, and social media sites that let patients enter their own health information to monitor blood sugar and/or eating habits. Patient engagement is key to success in managing diabetes, as demonstrated by a clinical trial showing an average 2-point reduction in blood sugar levels for patients who used continuous glucose monitors.1 These products and services can engage patients in their own care and allow health care providers to deliver care in more patient-friendly ways.
A 2015 survey of 500 health care professionals in the United States found that 76% of them believe health apps will help patients with chronic diseases such as diabetes or heart disease.2 Although relatively few health care providers currently use health apps with patients, that share is expected to grow: the same survey showed that while 16% of providers used health apps in their work with patients, 46% expected to introduce mHealth apps into their practice within the next 5 years.2
Privacy issues arise because, as part of their functionality and business models, these products and services collect, store, and share patients' health data. In a report issued in July 2016, the Department of Health and Human Services (HHS) recognized the need for data privacy protection and identified regulatory gaps for Congress to fill.3 Even where HHS lacks enforcement authority, the Federal Trade Commission (FTC) and state enforcement agencies may have regulatory authority over certain entities that handle patients' health information. This article explores the current privacy regulatory landscape for products and services affecting patients with diabetes.
Uninformed and Unintentional: Sharing of Health Information That Should Be Protected
Diabetes affects a wide range of patient populations, young and old, with widely varying sophistication and capacity to understand the privacy risks that come with sharing health information and having that information disclosed. Patients cannot fully comprehend those risks because, even in the best case, they have imperfect information about how companies collect, use, and share their health data unless the company voluntarily provides meaningful notice.
For patients with diabetes and their health care providers, it may be difficult to know what precautions to take. How a patient's health information is actually safeguarded, which duties fall on the patient, and which privacy risks exist may be an afterthought or never considered at all, and the patient's expectations may not match reality. Patients and health care providers may wrongly assume that regulatory protections must exist. In the world of mHealth, the patient becomes a consumer using a product, albeit one the patient and provider intend to improve health outcomes.