By Paul H. Luehr and Doriann H. Cain
Electronic medical devices have long been a part of healthcare. From x-ray machines to infusion pumps, these devices have helped push major advancements in clinical care. But increasingly, we see healthcare technology moving out of controlled clinical settings. From Bluetooth-enabled blood pressure cuffs to fitness bands and mobile apps, healthcare technology now fills our phones and adorns our clothing, necklines, arms, legs, and wrists. In short, we often hold “mobile health tech” in our hands or simply wear it.
New mobile technology helps monitor food intake, physical exercise, blood chemistry, and even drug efficacy; it also helps us connect to providers and our own health records. Mobile health tech, however, is a target precisely because its data is so valuable. This information can include names, addresses, unique digital IDs, location data, and the traditional information sought by criminals for financial or medical fraud: Social Security numbers, dates of birth, financial data, medical diagnoses, and treatment information.
Additional vulnerabilities stem from the very nature of mobile technology itself. It usually moves to market quickly, relies on limited storage space or computing power, and runs in “always on” mode. Each of these traits weakens security: rushed development ships with validation shortcuts, constrained hardware tempts developers to skip cryptographic checks, and a device that is always connected is always exposed. This affords criminals the chance to launch “man-in-the-middle” (MITM) or other attacks on our apps and devices as they connect to larger institutions and data repositories in order to fix bugs or transfer data.
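The MITM exposure described above usually comes down to one thing: the app accepts whatever TLS certificate the other end presents. The following is an added illustration, not code from the article or from any product it mentions. It shows the insecure client configuration that lets an interceptor impersonate the health system's server, the hardened configuration that the Python standard library's `ssl` module provides, and a certificate-pinning check of the kind a mobile health app can layer on top. The fingerprint pins and the "certificate" bytes used to exercise the check are constructed placeholders, not real certificates.

```python
"""Added example: insecure versus hardened TLS client settings for a mobile
health app, plus certificate pinning. Standard library only; runs offline."""
import hashlib
import ssl


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern that enables MITM: certificate validation switched off.

    Shipped in a hurry ("it worked against our test server"), this accepts any
    certificate, so an attacker on the same Wi-Fi can present their own cert
    and read or alter every record the device uploads.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: hostname checking must be disabled before verify_mode
    # can be set to CERT_NONE, otherwise ssl raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the platform trust store, hostname matching,
    and a floor of TLS 1.2 so downgrade to broken protocol versions fails."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert: bytes, allowed_pins: set) -> bool:
    """Certificate pinning: accept only certificates whose fingerprint the app
    shipped with. This defeats an interceptor even when the attacker holds a
    certificate from a CA the device trusts (a compromised or rogue CA, or a
    corporate root pushed onto the phone)."""
    return cert_fingerprint(der_cert) in allowed_pins


def verify_peer(sock: ssl.SSLSocket, allowed_pins: set) -> None:
    """Call immediately after the handshake, before sending any health data.
    Hypothetical helper: a real app would also pin the backup certificate so
    a routine rotation does not lock every device out."""
    der_cert = sock.getpeercert(binary_form=True)
    if der_cert is None or not is_pinned(der_cert, allowed_pins):
        raise ssl.SSLError("server certificate does not match pinned set")


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; not a real certificate.
    fake_server_cert = b"CONSTRUCTED-PLACEHOLDER-CERT-BYTES"
    pins = {cert_fingerprint(fake_server_cert)}
    print("pinned cert accepted:", is_pinned(fake_server_cert, pins))
    print("rogue cert accepted:", is_pinned(b"ATTACKER-CERT-BYTES", pins))
    print("insecure verify_mode:", insecure_context().verify_mode)
    print("hardened verify_mode:", hardened_context().verify_mode)
```

The pinning set would normally be computed at build time from the production and backup certificates (or, more robustly, from their public keys) and shipped inside the app; the point is that the decision to trust the server does not depend solely on whatever root certificates happen to be installed on the phone.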
Considering these risks and vulnerabilities, manufacturers of mobile health tech bear a heavy duty to protect the privacy and security of patients and consumers. In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) should act as one of their first checkpoints. HIPAA may apply to entities that develop connected devices either because these entities are acting as business associates when performing services on behalf of providers (e.g., a mobile app developer working for a health system) or, in the rarer case, because they are themselves covered entities (e.g., health care providers). HIPAA requires that companies acting as business associates or covered entities establish various privacy and security standards to protect the data that connected healthcare devices handle. Importantly, the security requirements under HIPAA are technology neutral, so that as technologies evolve, business associates and covered entities must continue to assess and upgrade their policies, infrastructure, hardware, and software rather than point to a fixed checklist.
But HIPAA is not the only security checkpoint to consider, as the US Food and Drug Administration (FDA) also plays a key role in regulating medical devices. The FDA has stated that it generally will not take action against mobile consumer apps that operate as intended and pose “minimal risk” to patients. However, if a company’s new technology operates in tandem with a regulated medical device or poses a higher risk, the FDA will likely assess evidence of that connected device’s safety throughout its development, from conception to disposition. The FDA has published a list of mobile medical applications that it has cleared, as well as pre-market and post-market guidance to assist medical device companies in protecting the cybersecurity of their devices. Notably, the FDA has stated that it generally does not consider the risks associated with patient privacy, such as ensuring that the data collected by medical devices remains confidential. Accordingly, privacy concerns will be governed by HIPAA, or by the Federal Trade Commission (FTC) and state law described below.
The FTC and state Attorneys General oversee mobile health tech much as they would any other consumer technology, taking action against “unfair and deceptive acts and practices” by companies that fail to live up to their promises or fail to secure sensitive personal information. All 50 states have laws that require companies to notify consumers if specific types of personal information are breached. In about half the states, this includes medical or healthcare information. For its part, the FTC enforces the Health Breach Notification Rule and requires notice to consumers for the compromise of “personal health records” not covered by HIPAA. If you find this array of potential regulations confusing, you are not alone. The FTC has tried to help by providing an inter-agency tool to walk app developers through different legal requirements. However, the tool does not cover state law. More importantly, as mobile health tech continues to evolve, we expect to see statutes and guidance change rapidly across the board. Stay tuned! If you have any questions in the meantime, please contact Paul Luehr or Dori Cain.