The law protects patients if health care providers breach their legal duties. Torts are civil wrongs recognized by common law as grounds for lawsuits. Where a health care provider has a duty not to disclose medical information received in connection with treatment, and such information is disclosed in circumstances where that duty of confidentiality has not been waived, the patient may have a cause of action.6
Courts recognize torts for breach of the duty of confidentiality. The breach of confidentiality tort applies whenever a person 1) is under a duty of confidentiality, and 2) breaches that duty. The court, as a matter of law, determines whether a duty of confidentiality exists. The court can look to laws, rules, regulations, promises, and principles to find that a duty exists. The duty is not limited to physicians alone but may extend to a wide variety of providers. Once a duty is found, determining whether the duty was breached is a question of fact.
In the area of mHealth, it may be unclear when legal and ethical duties are triggered. The American Medical Association advised that a valid patient–physician relationship must exist before the physician uses telemedicine.7 With many different health care professionals using mHealth, even if there is no established relationship between provider and patient, ethical and legal duties may still apply.
The duty of confidentiality can be found in a fiduciary relationship, which is one founded on trust or confidence.8 Courts look to the following factors in defining a fiduciary relationship: “the degree of kinship of the parties; the disparity in age, health, and mental condition; education and business experience between the parties; and the extent to which the allegedly subservient party entrusted the handling of . . . business affairs to the other and reposed faith and confidence in [that person or entity].”9 It is easy to see that health care providers may owe fiduciary duties to their patients, including the duty to keep personal health information confidential.
The duty of confidentiality can be found in state licensing statutes, principles of trust, the Hippocratic Oath, and principles of medical ethics.10 The Health Insurance Portability and Accountability Act (HIPAA) generally requires covered entities, including providers, to protect patient information by implementing privacy and security safeguards.11 While HIPAA does not provide patients with a private right of action, a court may nonetheless rely on it to find that the provider owed a duty to keep health information confidential under the breach of confidentiality tort. State medical privacy laws can serve the same function. These laws vary by the type of entity, the type of patient, and the type of medical information covered. Because a state law’s requirements may be the basis for such a duty, the prudent provider should be aware of the breadth of the privacy laws of the state where they practice.
Providers can satisfy their duty to keep patient health information confidential by taking reasonable steps to prevent data breaches, such as implementing technical, administrative, and physical safeguards. The first step a provider should take is a cybersecurity risk assessment, which identifies the risks so that reasonable steps can be taken to prevent a data breach.