OCR provides privacy guidance for data stored on health apps and mobile devices | BakerHotelier

Following the decision of the Supreme Court of the United States in Dobbs v. Jackson Women’s Health Organization, many people and organizations have expressed uncertainty about the protection given to data stored on health apps, including cycle trackers.[1] As a result, the US Department of Health and Human Services’ Office for Civil Rights (OCR) has issued guidance on multiple issues regarding the collection and sharing of personal health data. Recently, it released guidelines clarifying the extent to which information collected by cycle trackers and other health apps is protected. OCR also provided guidance for people who want to protect data stored on their personal devices or potentially shared with third parties.

Key takeaway: Most importantly, OCR has made it clear that the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules do not protect the privacy or security of your health information when it is stored on your personal mobile device. These rules protect the privacy and security of your medical information and other health information only when it is created, received, maintained or transmitted by covered entities, including health plans and most health care providers, and their business associates.

This means that Internet search history, information voluntarily shared online, and geographic location information are not protected by HIPAA rules and could potentially be collected or accessed by others. In most cases, HIPAA rules also do not protect the privacy of data you download or enter into apps for personal use, regardless of where the information comes from. There is a limited exception for apps (such as Epic’s electronic medical record patient portal app, MyChart) that have been contracted by or on behalf of a covered entity to assist with patient or member services; however, information stored on the most widely used applications would not be protected.

The guidance further warns that simply downloading or using a health app may be enough to give the developer permission not only to collect and store your information, but also to sell it or share it with data brokers, marketing and analytics companies, law enforcement or others. It is important to note that the agreements governing the relationship between application developers and third parties often do not limit how the third party may use or further disclose the information.

Proactive steps: For those who wish to protect information on their personal devices, OCR has outlined steps individuals can take, chiefly by changing their phone settings, to prevent certain data from being collected. These steps include:

  • Avoid giving an app permission to access your device’s location data unless absolutely necessary.
  • Disable location services and tracking tools, such as cookies, on your devices.
  • Find apps that use strong encryption when transmitting data.
  • Delete your account and/or specific information (location, activity, history) from apps you no longer use.

If an employer receives questions about the privacy of health information, it can explain that health information stored on mobile devices is likely not protected by HIPAA. Additionally, it is important to note that while individuals can reduce the amount of information collected – and potentially shared – on their mobile devices, it is not possible to completely eliminate their digital footprint.

[1] Period and cycle tracker apps allow users to record specific details about their menstrual cycle to get predictions on when they are ovulating and most fertile. Some people use these apps to help them get pregnant, and others use them to avoid pregnancy.

Lance B. Holton