Privacy Lawls with Donata

Ep. 10 | Can you trust healthcare apps with your data? (Guest: Helen Oscislawski)

The healthcare industry collects some of our most private data. Are current laws like HIPAA good enough to keep that data safe from others?

What about the growing popularity of health apps? Should you use them?

We talk with Helen Oscislawski who has been advising healthcare clients for over two decades on privacy law.

Show Transcript

[00:00:00] Hello, and welcome to the 10th episode of Privacy Lawls, where I, Donata Stroink-Skillrud, talk with amazing privacy professionals and have some laughs along the way. This podcast is brought to you by Termageddon, an auto updating privacy policy generator that has generated tens of thousands of privacy policies and successfully kept them up to date with changing legislation.

Today, we’ll be talking about health data and the pitfalls of using health related apps. My guest today is Helen Oscislawski who has over two decades of experience in the healthcare privacy law space. Helen has worked with Health Information Exchanges and Networks, hospitals, healthcare systems, mobile app vendors, and many other types of businesses connected to the healthcare sector.

She advises them on complex legal issues related to the implementation and use of health information technology in compliance with applicable laws. Helen is the founder and managing partner of Attorneys at Oscislawski LLC and the [00:01:00] co-owner of Legal HIE Solutions. Helen, welcome. So can you tell us a bit more about your career and what made you decide to work in health information privacy?

Sure. Well, to be completely honest, I’d say I was sort of lucky because I backed into privacy law when I started crossing things off my list that I didn’t want to practice in. I came out of college. My original plans were really, actually, to go into clinical psychology. I had volunteered hundreds of hours in mental health facilities and working with individuals with special needs, and I was all set.

I was going to start applying to Ph.D. programs, but my husband, who had at that time finished medical school, matched for a residency in Detroit. And so my doctoral plans were put on hold and I worked as a social worker and a discharge planner in a skilled nursing facility. So [00:02:00] I was always sort of around healthcare, or in the healthcare space.

And so when I decided to pivot and go to law school, I didn’t actually have a clear idea of really what I wanted to do with my law degree. I dabbled a lot in different areas my first few years as an associate, you know, in law firms, and then I was hired by my third law firm. I was asked if I wanted to work on this new law called HIPAA, and that really actually is how it all started.

I was assigned to numerous projects that required not only just looking at how HIPAA worked, but also completing preemption analyses, which required me to compare every single requirement in HIPAA against an equivalent state law and decide which one had to be followed. So I did that for almost two years straight and added other laws like 42 CFR Part 2 and FERPA and other sorts of laws, but I absolutely loved it.

And I finally found something that actually really fascinated me and I didn’t want to cross off my list, which is probably a good thing because I was sort of running out of things to cross off and to commit [00:03:00] to, so it’s kind of fortunate that I finally found something I really enjoyed doing.

That’s awesome. I actually have a bachelor of science in psychology. That’s what my bachelor’s is in. And I remember I used to do experiments on students and we’d give them like 20 bucks and then you’d maybe stare at a screen for like an hour and… That’s right. I remember those too. Yup. For sure.

Those are fun. And like some teachers would give them extra credit, you know, sometimes you give them a little bit of cash and you never ran out of students. For sure. So, Legal HIE Solutions. What resources do you provide for attorneys, compliance officers and others who are responsible for their organizations’ compliance programs?

So on that website, I called it Legal HIE. It actually has two parts to it. It has a blog part, which is free, and that’s actually been around for over 10 years. So when I started off my own law [00:04:00] practice, I started that blog out of the gate. So that’s been around for a while. And then the compliance library piece, which is also on the same website, is something that came out of COVID, actually, because over the years of representing and working with so many compliance officers and individuals on compliance issues,

I had collected so many different resources and, you know, I had forms and templates and created so many tools and checklists. I’ve always wanted to sort of put them somewhere where I could, you know, give access to other people, not just, you know, my circle of clients. And during COVID, when things, you know, shut down, I’m like, this is my chance, make lemonade out of lemons.

So I took all those resources and made what is the second part of that Legal HIE library now, which is a compliance library, subscription based. It has all kinds of tools, checklists, white papers, [00:05:00] templates for documents for compliance policies, and they are within the areas of HIPAA, both from the provider perspective and the business associate perspective.

There’s 42 CFR Part 2 compliance materials in there, as well as information blocking, managing data security breaches and other things we’re always adding. So that is subscription based. So the idea is that if you subscribe, you get 12 months access, not only to the things that are back there, but also, as things change, the subscribers get access to the updates to the documents.

Like for example, last week, 42 CFR Part 2 finally issued a final rule for those laws that govern substance abuse facilities and programs. So we’ll be updating all those documents and everybody who’s an active subscriber would get all that. So that’s in a nutshell what Legal HIE is. And that’s sort of like my side thing, of course, you know, we don’t provide legal services through that.

That’s really just a resource document. Our [00:06:00] law firm is separate from that and has a separate website. So, but that’s about Legal HIE. That’s really awesome because it’s so much easier to like get everything from one trusted source, because, you know, you look at Google and you look at templates and you look at all these different resources and half of them are written by God knows who and the other half are really out of date and, you know, not compliant, and going into a place that, you know, is written by somebody who has expertise in this area is so much better than spending 20 hours online looking for stuff and not… Yeah.

Really finding what you need, or thinking that you find what you need and then you find something that’s like totally completely wrong, you know. Yeah, that’s the idea. I mean, you know, the documents that are in there have really come out of years of actually working through problems and issues.

And so, you know, I actually have used the tools myself. Like security breach certification. I have a tool in there [00:07:00] that allows me to analyze whether it’s a reportable breach, and I’ve gone as far as creating like a checklist with numbers assigned to it. So the stuff that’s in there is really meaty.

And like I said, it has really come and developed over time from trying to solve real problems in real organizations and providing the tools. And so luckily I can make that available to anybody who subscribes. That’s awesome. That’s really cool. So since you have a lot of experience in this field, there’s a lot of law students out there that want to go into healthcare privacy because it’s such a hot field.

There’s so much demand in there. Do you have any advice for lawyers or law students who are interested in the healthcare information privacy space? Yeah, do it. I mean, it is such a dynamic, exciting area right now, and I think there honestly isn’t a better area to be practicing right now. It’s just my personal, humble opinion.

So I mean, I love it. I welcome anybody who’s [00:08:00] listening. If you’re a student, I am always open to talking to people who are interested in getting into the space, exploring. So I encourage you to reach out to me on LinkedIn or whatever. Talk to me, you know, about my experience, what areas… I just think it’s a great space.

I think, I hope more students, you know, get into the area. I know that a number of schools are starting to build programs around privacy law, so that’s good. So yeah, do it. It’s, you know, it’s not going to go away. It’s just going to continue snowballing in terms of its complexity and its need for attorneys who want to practice in the space.

Absolutely. I think when I was in law school, the only thing about privacy that I learned in school was about, you know, warrants and criminal law and that kind of stuff. And now you see more and more law schools bringing in like privacy curriculums, which I think is really cool. And I hope that more schools do that in the future, you know.

Agreed. So let’s get into our main portion of the interview here. Health care privacy. So [00:09:00] to start us off, can you give us some examples of health related information? Yes. So when I saw this question, I had to think about it because it seems like it should have a very simple answer. Health related information is anything that has health, you know, health information in it.

But I think it’s important for the listeners to understand the distinction here between what every person would understand is health related information and then what is health information that’s actually protected by privacy laws, because in layperson’s terms, you know, anything that is about the health of the person can be health information, but it can also include information that you’re talking with your neighbor about, or your co-worker about, or your family member, or maybe you’re sending an email to somebody about your health information, and many people don’t understand that just because it’s health information does not automatically mean that it’s protected by a federal or state law.

And sometimes I’ll come across, for example, an article about [00:10:00] something that happened. Somebody’s health information got disclosed. You can see all the comments. Is that a HIPAA violation? Is that a HIPAA violation? And I’m like, well, no, not necessarily. You know, if I tell you about my, you know, my being sick the last two weeks and you go tell somebody else, I can’t sue you. It’s not a HIPAA violation for you to repeat that information.

I chose to share that with you. So, you know, to understand it more accurately, protected health information is, like, how it’s defined under HIPAA, for example, is protected health information. And it depends on who collects that information. So under HIPAA, that health information would have to get collected by a health care provider or a health plan, and I’ll refer to those as regulated entities.

So when regulated entities collect health information, now it’s health related information that is protected by privacy laws. And so, you know, the definition of [00:11:00] what is health information, and what is the impact of that definition, is really important, because hospitals recently learned a very hard lesson when the federal agency that interprets HIPAA, which is referred to as HHS, Health and Human Services, decided that protected health information, when it’s collected by a regulated entity like a hospital, is going to include a little eye-opening expansion of that definition to include IP addresses and geolocation when somebody visits that website.

So historically, a hospital has never thought about it that way because it’s, you know, when the patient comes, I generate a health record on you and anything that’s related to that and you coming and seeking services and getting services from us. Yes, we understood that, but somebody simply visiting a website and some of the pixels and things that are picking up there.

A lot of times those were not on the radar. Well, that, you know, has resulted in an avalanche [00:12:00] of class action lawsuits that are being litigated across the nation to this day. So, you know, it’s a loaded question when you say, you know, give me an example of health related information. It’s the most attested answer that lawyers give, which is it depends. It depends on, you know, who’s collecting it, how it’s being used, who’s communicating it and then how the agencies are interpreting that term.

Right. So I think that kind of makes sense though, because if you think about it, let’s say I go onto a clinic for a specific disease, right? I go onto their website and they track me. Just the fact that I went on to that website may reveal something about me, right? That’s health related, and I think nowadays a lot of people are very cautious and very unhappy with their information being shared with tracking pixels and Facebook and Google and all these other large entities for ads, and we [00:13:00] just see that health information kind of being a lot more sensitive and we don’t necessarily want advertisers to know what kind of health problems we have, which I think, I guess, quick tangent.

I read something a while ago where women who didn’t even know that they were pregnant, they were getting ads for women’s products related to pregnancy and they decide to take a pregnancy test and find out that they’re pregnant. So somehow these advertisers knew that they were pregnant before they even knew that.

I wonder if they were like Google searching symptoms or something like that, but man, that can get pretty dangerous, I think. And creepy. Yeah, really creepy. First of all, yeah, but also scary, right? So I guess why is it important that we take extra precautions for this type of information? Well, I think you sort of, [00:14:00] you know, alluded to it.

I mean, pregnancy is one thing, but, you know, I think one of the biggest talked-about topics along those same lines of tracking and visitation, where historically we’ve thought about maybe these things as being more innocuous, in the current, like, post Roe v. Wade era, you know, there are possible real repercussions. Health information is very sensitive and there can be all sorts of repercussions for that, that range from embarrassment to jail time, as I said, from Roe v. Wade. And so something that seems as benign as visiting a website looking for termination of, you know, pregnancy can really lead to a whole host of real terrible consequences for that individual. So that’s, you know, it is sensitive information. You know, laws like 42 CFR Part 2 have been around [00:15:00] since 1972 because people who have substance abuse issues have notoriously and historically been discriminated against.

And there are many state laws that cover similar topics like HIV, AIDS, and now more recently, genetic information and things like that. There, you know, these are some of the most private and important types of information about an individual. And it is very important to have protections for that.

So, you know, that was recognized finally across the board with HIPAA in 1996. Obviously, we didn’t have a sweeping federal privacy law until 1996, which is kind of mind blowing if you think about it. So, but yeah, that’s where we are. And it’s even more now, as we’re going to talk later in the segment, I think, as things become more digitized.

It becomes even more important to reel that in and ensure that we don’t lose control over those very important protections. Absolutely. Yeah, I see more and more bills being proposed about genetic testing. And I actually [00:16:00] just randomly finished reading a book from an investigator who is part of the group that found the Golden State Killer through these genetic testing companies.

And I thought that was really interesting that, you know, they were able to gain access to these records. And how, you know, if you go to ancestry.com, you upload your stuff and they kind of give more protections to it. But then I guess if you check a box, your information gets uploaded to some kind of like worldwide database that’s accessible to anyone.

And that was used to find the Golden State Killer. So I guess if you’re, you know, thinking about serial killing, maybe don’t submit your data. I don’t know.

But anyway, so I remember when I was a kid, and probably dating myself a little bit, you know, you’d go to the doctor’s office and they had this file, right? And this physical folder had all my test results, all my symptoms, all my illnesses, all my vaccination records, like [00:17:00] literally everything. And it was just kept in the office.

I don’t think they even locked the cabinet. I think they just locked the door, but that was it. So how have things changed as to how your doctor’s office or your hospital keeps your information? Yeah. So I actually kind of chuckled when I read this, because I’m sure I have at least 25 years on you.

So the fact that you remember this just goes to show how, you know, healthcare has really lagged behind technology. I mean, it’s really only recently that it’s become really more digitized. And sadly, to be honest, for many smaller and rural health care providers, as well as often state-run clinics, Medicaid, in many cases, paper files are still their reality, but health care has come a long way.

A large swath of health care has finally moved to electronic [00:18:00] health records in a huge way. Most hospitals and larger provider groups are on electronic health records. This is in part because of a federal program and push around 2009 referred to as meaningful use.

It started an incentive payment program and then later on a penalty program for providers who didn’t transition to electronic health records. And so that really went because most providers are on either Medicare or Medicaid or both. And that’s where the program was run through, with the incentive payments and penalties.

And so it was pivotal to move a lot of healthcare onto digital records. So, that’s kind of where we are now, for the most part, but there are still swaths like behavioral health right now that are still largely on paper because those incentive programs didn’t capture everyone. So those paper records are still the reality in certain pockets.

Yeah, I grew up in Eastern Europe, so that might be why it [00:19:00] was behind what we see in the U.S. But I know my grandma has like five different folders of all of her records that she’s kept because she doesn’t trust the computer to keep it right. But it is convenient, right? Like I go to the Northwestern hospital system, so I log into MyChart and I can talk to my doctor and I can see my test results.

And all this other stuff, but how do third parties factor into these applications that we use to look at our health information and the information that’s maintained by the health care provider, diagnostic providers and others? Yeah. So third parties, right? So as the whole industry moved to electronic health records and that adoption, there was sort of a shakeout and a consolidation.

And so we have, you know, a number of large vendors that are everywhere. The big EHR vendors that every hospital is [00:20:00] on, you can name them on one hand. And as they started that consolidation of the market, okay, they also started to charge very exorbitant interface fees in order to allow a connection with another EHR vendor that is not their own brand.

And this was a huge problem because the government’s ultimate goal, or one of their ultimate goals, with digitizing health information was to support interoperability, which is basically a fancy word which means that information can be essentially moved from point A to point B very easily.

But that wasn’t happening because these big vendors were holding the health data hostage, if you will, with these interfaces that they refused, or were gouging the hospitals to pay for. So the interoperability stagnated. So that changed, and with now additional laws, [00:21:00] and that sort of delayed things, I think, but now there’s new laws on the books.

One of the most important ones is referred to as the information blocking rule. And there are new, what are referred to as health IT certification criteria. So these EHR vendors have to go through a certification process, otherwise the providers can’t bill Medicare or Medicaid for the services they provide.

And those two laws and the criteria together have forced the vendors to now open up their endpoints and their APIs. So they’re open and interoperable. So basically what this meant is that we’re now looking at an ecosystem in the future where anyone with the ability to connect to an EHR via an API will be able to connect.

Right? And in fact, the entire industry is moving to something called FHIR, pronounced “fire,” which will make connecting to an EHR as simple as like calling up a fax machine to send or retrieve data. So with that is, you know, [00:22:00] this huge influx, an explosion of mobile app vendors, as you referred to these third parties, who are looking to support patients requesting and controlling their own health data, which is, you know, vital and wonderful and great.

And we want that. But it’s also, of course, introducing new risks. Yeah. So I guess what are those risks? What are we giving up in exchange for this convenience? Yeah. I mean, the key question is, you know, who’s behind the app? You know, they make it out like some of the apps or make it appear as if the consumer is the one who is making the request for the information.

Whereas in reality, they’re in the business of simply collecting consumer consents with varying levels of awareness by the consumer of what they’re actually consenting to. So, you know, what’s happening is not really an organic patient-driven request for information, but rather a mobile [00:23:00] app vendor-driven, you know, use of a person to make the request.

And then they’re just, you know, looking to aggregate data, and not to say that the patient doesn’t have access to it too, but, you know, we need to understand what the motives are. And we’re just sort of like in the beginning of this right now. So nobody knows what’s up, what’s down, who, you know, which mobile app vendors are trusted sources, which are not.

And so it’s definitely the privacy risks with that. As this ramps up and shakes out. You know, patients are going to, and individuals have to really pay attention to things like the terms and the privacy terms and exactly what they’re consenting to. That’s hard because, you know, if you go to a doctor and they use only one system, you have to sign up for that system.

If you want to get your records or you want to talk to your doctor, right? Like, I know Northwestern uses MyChart, and if I want to use any other kind of charting software, well, too bad. [00:24:00] I’m not going to get all my information from there, you know, so it’s hard between a patient portal and a mobile app.

So MyChart is an Epic tool. That’s a build-out from the EMR, right? So while it’s sitting and resting and appears as if it’s an app, you know, that would be an example of really a trusted source. It’s something that is an outgrowth of the actual EMR system. What I’m talking about is going on to, you know, your Apple, you know, your Apple mobile app downloads and picking a mobile app that you wanna use because it is gonna let you aggregate everything from my fitness app and my Fitbit or my Apple Watch.

And then you also want your electronic health records, and that all sounds fine and dandy. And what I’m saying is that that third party app will now have an opportunity in the very near future to connect directly to that [00:25:00] EHR source. So then you can pull that out of it. You won’t be confined to just the MyChart portal or any other portal for that matter.

You’ll be in complete control of that information in a third party application. And that sounds pretty dangerous. I’m not gonna… well, but convenient too, right? I mean, if you know, it has to, you know, hopefully, like I said, we’re in the shakeout period and that’s why we’re having this discussion.

I mean, we’ll need to understand the risks, but the end game, if it works out well, and there’s enough enforcement, we’re going to get into the FTC and the oversight that’s trying to help regulate and ensure that privacy and security aren’t completely. But ideally, I mean, I, I love my Apple watch and my Apple, you know, I have a whole bunch of little apps that I’m inputting data in there very important as well because it’s, you know and we’ll get into all that, right?

But that’s slightly different. Still, still want to know what the privacy terms and the terms of use say, cause of the, you know, but [00:26:00] I’m voluntarily putting that information in there. So guess what? HIPAA doesn’t apply. Yeah. But it’s slightly different, or at least the risk increases threefold when you’re connecting that app to, you know, the Mayo Clinic system and downloading all the diagnostics and everything that you’ve ever had done somewhere.

Right. Yeah. Because I can’t, you know, on a daily basis, input my cholesterol levels in there, right? Because I don’t know them, but my doctor does. So I’m putting, that is significantly more information. So speaking of these types of apps and kind of walking down memory lane again, you know, people didn’t really track that much stuff back in the day.

I mean, like, maybe you had, like, a little notebook where you logged your miles if you’re a runner. Or maybe you put your period dates on the calendar or something like that. And that was kind of about it, and I feel like now we’re really, really obsessed about these like second to second metrics and your [00:27:00] VO2 max and your heart rate and your recovery rates and like all this stuff, half of which I don’t even know what that means, but it is what it is.

So how has that changed? I mean, you know, your question sort of described how it’s changed. I mean, you know, these apps, and I use some of them, right. And there is, like, to the point where you can actually take your EC, your EKG on your Apple Watch right now. It tells you if you’re like in AFib or you’ve got a heart abnormality, and, you know, do you know where that information is going?

Are our health plans getting that information? Can that information be used in any way, shape or fashion, since you’re voluntarily putting that into a third party that’s not regulated by HIPAA, to discriminate against you for getting insured or in other ways? Just, it’s, you know, these are important questions to know the answers to, because it seems great.

And we love the [00:28:00] convenience of it. And I love charts and pie charts and metrics, and it’s so fun to see how much I’ve exercised in the last month as compared to, but, you know, there’s a whole other layer to that, that we have been talking about for, you know, the first 30 minutes or so. And we’ll continue talking about it, is, you know, where is this information going?

And especially if you’re not paying for the app you know, what your mom and grandmom said, nothing’s for free is so true. You can bet your dollar that if you’re not paying for something and you think it’s free, they’re commoditizing your data and it’s unclear where it’s going and for what it’s being used.

You know, look, some of these companies obviously have a lot to lose by doing something that’s too shady or something that’s going to alienate or get really bad press headlines. So I’m selling all your data to China and getting a front page in the New York Times about that is probably going to bankrupt the company or at least damage them reputation-wise.

So, you know, but there are other things. I think the health [00:29:00] plan example is a good one. You know, I suppose some of it can go in aggregated fashion and still be of value in terms of trends and, you know, age groups and, you know, age groups with two or three more comorbidities, and there’s different ways you can sell the data.

I just think that the consumer needs to really understand how these things are all being used and, you know, how it can turn around to affect them at the end, potentially. Yeah, it’s crazy how many things are being tracked now that were never tracked before. So like you have your running statistics, right?

You have your sleep tracking, you have your heart tracking, your oxygen tracking, you have your period tracking, you have your swimming tracking, you have your biking tracking, there are even people who put on those glucose monitors and have an app for that, even if they don’t have diabetes. I think now there’s like a keto [00:30:00] tracking that tracks your ketones, whatever those are.

I don’t know what those are, but you blow into this little tube and it tracks that too. And it just seems like everything is being tracked right now, but, you know, what are the risks that come with using these apps? I mean, like, even just listening to you rattle off, I’ve never heard about the ketones one, but yeah.

You know, it starts to, like, I mean, is that information really useful to us? Like, you know, is there such… I’m all for people controlling their health information. It is definitely a direction we need to go in. I am not by any means knocking this whatsoever. The train has left the station, if you will.

And it’s good that we’re going in this direction, but you got to sit back and ask, like you just said, it can track anything and everything. And I think, you know, part of the education process and the consumer awareness [00:31:00] process, in addition to understanding really what the products that you’re using are doing, you got to sort of sit back and ask, do I really need to know the ketones in my breath?

Like, what am I getting out of that? And what is the vendor getting out of that? I mean, some of these things that you see that they’re tracking, it almost feels, it almost feels like they’re running a research study, you know, they’re, they’re just collecting all these different data and putting it together in ways that maybe is very meaningful and beneficial to them.

But maybe less so to you. You know, and I haven’t read all of these, but, you know, obviously an individual generally cannot, without informed consent, participate in a research study involving human subjects. So technically speaking, from a legal perspective, an app shouldn’t be permitted to do that unless they’ve somehow embedded that in their terms and consents and you’re actually consenting

to your data being used for research, which I would not be [00:32:00] surprised is embedded in certain terms. You know, and I think the moral of the story, or I guess one of the points, is just make sure you’re okay with that. You know, I mean, if you’re okay with that, then great, certainly good things can come out of research.

I’m not knocking research by any means, but you just need to know, you know, the scope of your information and be comfortable with the ways in which it’s being used by, you know, those products and those vendors. Yeah. And I think so much of it now is stuff that we see is kind of, you know, I’m just tracking this for myself.

I like to know how healthy I am, but you know, what if someday that information is being shared with your insurance company where, you know, maybe you slept in today and didn’t feel like working out and you’re watched and track a workout and that’s sent to your insurance company, boom, your premiums

going on, you know, things like that, they can really devolve into a Black Mirror episode very, very quickly with all this data [00:33:00] that we’re, we’re collecting and sharing. Yeah, that’s, I think that’s one of the biggest scary scenarios, you know, I’ve had in my circle of family and friends, have had personal experiences of having coverage denied based on pre-existing conditions, which is not supposed to happen, right?

But it still does, depending on the commercial carrier. And so when you get faced with situations like that, you know, that reality of them getting access to that information becomes real, real and real concerning. Yeah, that’s wild. Can you talk to us a little bit about recent Federal Trade Commission settlements with some of these companies?

Yeah, so let’s go bigger picture again for our listeners because I think there still is some, if not confusion, just lack of awareness. Again, as I mentioned earlier, many people just think health information is protected by HIPAA and it’s not the case. HIPAA only protects health information when it’s in custody [00:34:00] of a healthcare provider or a health plan.

Once it leaves that custodian, for example, once you consent to importing it into an app, it is no longer protected by HIPAA. Okay, mobile app vendors are not regulated entities under HIPAA. Now the FTC and in conjunction with HHS, which is the federal agency that interprets HIPAA, they have recognized this and some of the risks that we’ve been talking about today.

The FTC has held a number of conferences on this topic of mobile apps and health information specifically, and they recognize that they need to regulate this space. They are currently using two laws on the books to do that that weren’t, I guess, promulgated or enacted specifically for what’s going on with mobile apps and health [00:35:00] information, but they’ve made it work.

One is the breach notification rule that’s under the FTC, of the improper, unauthorized use of information collected by a personal health record vendor. And the other is Section 5 of the FTC Act, which deals with unfair consumer, unfair and misleading consumer practices. So essentially fraudulent or consumer practices that deceive people or lead them to believe things that are untrue and unreliance.

And so in 2023, for the first time, we saw just a number of enforcement actions taken by the FTC against a number of app vendors and mobile app vendors, particularly dealing with health information. We had one, we had talked about the ovulation. There was an ovulation tracking app. There was a settlement agreement with an organization that dealt with mental health [00:36:00] services.

There was another company or two, I think, actually, that were collecting genetic information. I’m not going to go into the details of it, but they had a number of common themes. One of the common themes was that their privacy policy and their terms of use said one thing, in terms of how they told the consumer their personal information was going to be used.

And not disclosed, but then they turned around and actually were not abiding by their own terms. And in cases that led, in two of the cases, if not more, one of the ways that they violated their own terms is that they were selling portions of that data to Google, Meta for research or, you know, for revenue.

And that was considered also a violation in at least [00:37:00] one of the cases of the breach notification rule because it was an unauthorized use of the information that was being done. So, so they’re not abiding by their own terms. In another case they held out that they were, they’re all sort of somewhat related.

They held out that they were HIPAA compliant even though they didn’t have to. They said that presumably to entice consumers to think that the information was being handled in a certain manner. Yet, they didn’t conduct themselves as if they were actually HIPAA compliant. And so they found that also to be a violation of Section FTC unfair or misleading unfair consumer practices.

In another case the company had been collecting information under one set of terms of use, then modified their terms of use. But [00:38:00] instead of simply allowing the new terms of use to apply going forward or attempting to obtain new consent to the expanded way in which they were telling consumers going forward to how their information, they went ahead and retroactively

applied it to prior data collected. You can’t do that either. And so, you know, you see some of these themes and it really comes down to, you know, what Termageddon does and that what I, you know, help, you know, clients is laying out, you know, yes, you know, you got to lay out your terms of use, but not in your privacy policy.

But, you know, when you’re now on the app vendor side, you really got to understand what you’re saying, and then you really got to understand operationally what you’re doing. And these two things need to match up. And if they don’t, then you need to make your terms match what you’re actually doing.

You know, and provided that this all stays within the law. So [00:39:00] that’s sort of the FTC. That’s in a nutshell, I think, what’s coming out of the FTC. Another settlement just came out last week about another case. You know, it’s just a lot of, it’s, it’s tying back almost always to the privacy policy, terms of use and how they’re collecting consent.

Oh, I remember in that case the FTC was going after the consent, where, you know, the consent was not made in a durable fashion. And so, you know, you know, you have to understand if your consent is expiring, then you have to renew the consent unless you’ve made it durable, and, you know, or if the consent is revoked, you have to make sure you’re pulling that stuff too.

So that particular case was focused around the consenting process. So all these elements the FTC, I think, are making examples out of. I think it’s a message to the vendor community: you got to pay attention to this stuff, we are coming after you, and they are coming after us. So it’s really important to, to abide by the [00:40:00] state laws, make sure you’re, you know, dealing with your terms and your privacy.

And then, you know, step three, really getting after your operations and making sure that, you know, your operations are matching what your terms and your privacy policy are saying. Absolutely. I think the FTC said, you know, say what you do and do what you say. And they’ve been saying that for, for years now.

So it should really come as no surprise to anyone. There’s a new trend that I noticed in the last, like, week or so, where there’s been a few lawsuits filed against these types of companies for violations of the California Invasion of Privacy Act, which prevents you from tracking users from California through tools like Facebook Pixel, analytics, that kind of stuff, without prior consent.

And it seems like they’re starting to target these healthcare adjacent apps as well, which I think is interesting. I mean, it seems like it’s a deserved industry. You know what I mean? Don’t [00:41:00] love, like, encouraging lawsuits or kind of broad lawsuits of everyone, but this seems to be very sensitive information that, that needs to be protected.

And I think we talked about this before where you have these new state privacy laws that are going to give consumers new rights, like the right to delete or correct or access the data. And I think that will affect these rights as well. Yeah, New Jersey just passed and Murphy just signed into law. So now New Jersey’s joined.

You had a blog post about that, as did we, so and, you know, I know you’re keeping track of all the other ones. There’s numerous other laws in states that are pending, so it’s definitely not going away. The CCPA and the lawsuits, that’s really interesting. You can probably expect to see

possibly other states follow that sort of thing. I know the AGs are getting into this space too. So, you know, there’s a lot riding on the line to get it right. So, yeah, well, let’s talk about a new segment that I think will be very relevant for us [00:42:00] today. So there’s a proposal to revise HIPAA to protect patient privacy.

So there was this whole article that came out finding that major pharmacy chains like Walgreens and CVS share patient data with law enforcement agencies. Can you tell us a little bit about why that’s so problematic? So I think that the, the origins of the concern here again, if, if we’re thinking about the same development, the proposed change that’s pending right now purports to define reproductive health information.

And specifically so right now in the HIPAA privacy law, protected health information generally is not teased out into any sort of hierarchies. There is a sub definition of genetic information but it only pertains to disclosures to health plans. So this would be a whole new [00:43:00] way to deal with reproductive health information.

And I think, again, this is flowing from concerns with Roe v. Wade and the disclosure of information for law enforcement purposes. And so a number of those proposed restrictions are looking to prevent that sort of information from getting into the hands of enforcement agencies, whether it be law enforcement or even public health agencies or other enforcement bodies that can turn around and use that information to either prosecute the providers who are providing, who are delivering or furnishing or making available reproductive health services and or the individuals who are seeking those services.

So I know that was a major concern in the proposed rule that HHS raised, you know, their concerns with that and their attempt to try to use that privacy framework to, there is already a restriction, you know, you generally cannot release information to law enforcement, protected health information to law enforcement.

However, there is a very, very narrow [00:44:00] carve out when law enforcement is seeking in the course of an investigation. There’s very specific things that need to be met. It’s very narrow information that can be, can be disclosed. But even with that, you know, given that that exception is so narrow, I think that there was still concern that, you know, with regard particularly to reproductive health information, that there could be concerns and that this was an opportunity to, to try and add some additional safeguards to preventing that sort of misuse of information.

So that is still in the proposed form, it’s not in final rule form yet. I do suspect there’s going to be a lot of commentary and discussion around that. It is going to be very challenging to segment that data in an EHR. It is something that, you know, me working in the health information network space has, you know, we’ve struggled with data segmentation for a decade now, you know, trying to tease out and deal with [00:45:00] different kinds of HIV/AIDS information, behavioral health information in different ways where you would, you would treat a cholesterol test, right?

So, so it’s going to be challenging and how to implement that. And particularly in the proposed rule, their definition of reproductive health information was so broad that it could, it could include anything from a pregnancy test to, you know, termination of a pregnancy. So it’s, it’ll be interesting to see what comes out.

I think that the privacy rule just hit OMB like two weeks ago. So there might be a final rule coming out in the next 60 to 90 days. So we’ll see if they tackle that particular issue in there. Yeah, that would be, that would be very interesting because, you know, I mean, if I go out and, and purchase a pregnancy test, it’s really nobody’s business except my own.

Right. And, and that should be protected. And, and I think that, you know, if there’s a lawful warrant in place and, and all of that, okay. But if there [00:46:00] isn’t, you know, and these pharmacies sharing this information without warrants, I think it’s very concerning. Yeah, yeah, but anyway, so Helen, thank you so much for taking the time to talk to me today about health care privacy issues and, and what all these things mean to us as consumers as well as privacy professionals. For anyone listening, please make sure to subscribe to Privacy Lawls

so you do not miss the next episode. Thank you, Helen. Thanks, Donata.
