The New Generation of Electronic Health Records: What Health Apps Know About You
by Hank Creasy and David Knoespel
VIRGINIA LAWYER | June 2015 | Vol. 64 | HEALTH LAW SECTION | www.vsb.org

We normally think about health records in the context of a doctor’s visit, surgery, or hospital stay. Today, however, our smart phones and wearables (e.g. FitBits, Apple Watches) running health application software log every step, click, or tap. These health apps measure the same vital signs, help manage the same health conditions, and are increasingly performing the same examinations and functions as health-care professionals. In doing so, they create and store a new generation of health records.

As consumers, we create electronic health records around the clock. The “Dr. Mole” app scans user-taken photographs of moles and provides feedback based on asymmetry, border, color, diameter, and evolution. The “Instant Heart Rate” app detects the user’s pulse through a mobile phone’s camera. The “Activity” app on the Apple Watch tracks calories burned. “EyeNetra” possesses an app that provides eye examinations with the use of a $2 plastic smart phone attachment. The “Sleep Cycle” app learns and monitors user sleep patterns. The “WebMd” app allows the user to input symptoms and then suggests possible diagnoses. Yet, despite increasingly sophisticated functionality, the electronic health records created from health apps operate largely outside of the traditional legal framework designed to regulate records maintained by health-care providers and insurance companies.

When Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996, it was a world of landlines and regular watches. The thought of health care being provided to consumers outside the physician-patient relationship was a novel idea. At its core, HIPAA, enforced by Health and Human Services (HHS), regulates health records created, maintained, and transmitted by “covered entities” (e.g. health-care providers/health plans) and “business associates” (i.e. contractors performing activities on behalf of “covered entities”) who transmit electronically protected health information (PHI) in connection with certain regulated transactions.[1] HIPAA requires that they use and disclose PHI only for permitted purposes (e.g. treatment, payment, health-care operations, research, public health, etc.).[2] Every use or disclosure must possess only the minimum necessary amount of PHI while being provided to the fewest people to achieve the permitted purpose.[3] Additionally, PHI storage must meet rigorous technological security standards and patients must have notice of uses and disclosures.[4] Uses and disclosures of PHI that do not meet these stringent criteria violate HIPAA, subjecting violators to possible fines from HHS, audits, and the requirement to investigate and notify about breaches/violations.[5]




Unless a health app involves a covered entity or business associate, HIPAA does not apply. Nonetheless, the health records created and stored by health apps can be virtually identical to those regulated by HIPAA. Consequently, Apple, Android, FitBit, and app developers will not be asking you to sign a HIPAA authorization or acknowledge receipt of a Notice of Privacy Practices any time soon. The overwhelming majority of health apps will not face scrutiny under HIPAA.

Further, while the Food and Drug Administration (FDA) has authority to regulate some apps based on functionality, privacy considerations are noticeably absent. In February 2015, the FDA issued its latest guidance on what constitutes a “mobile medical device.” This classification is what allows the FDA to regulate a health app. According to the FDA, the “majority” of health apps will face no immediate regulation from the FDA.[6] The FDA has commented that its concern lies with health apps that pose a serious safety risk to the user if they malfunction.[7] According to its guidance, some examples of apps likely subject to FDA regulation include those that: measure physiological parameters during CPR, use an attachment to remove hair, control X-Ray and CT machines, change settings of a cochlear implant, connect to cardiac monitors to transfer data for active monitoring, or affix to a perinatal monitoring system to transfer data to monitor labor progress.[8] While the FDA’s regulation will help prevent health apps from physically harming users,[9] it is not intended to directly safeguard a user’s electronic health records collected by an app.

In many respects, the Federal Trade Commission (FTC) has attempted to fill the health app privacy regulatory void. It primarily uses two methods to regulate health app privacy. First, the FTC is responsible for deterring and punishing unfair and deceptive trade practices.[10] Through this avenue, a limited number of health apps have faced FTC sanctions for egregiously lying to consumers[11] or misleading/failing to inform consumers of material facts related to how they use health records.[12] Nevertheless, as long as health apps are reasonably transparent in their privacy policies (that no one reads anyway), health app providers face little burden. Second, the American Recovery and Reinvestment Act of 2009 (i.e. stimulus package), through a “temporary” directive, created the FTC Health Breach Notification Rule.[13] Overall, the FTC rule is much narrower in scope than HIPAA. The FTC rule forces many entities operating health apps and certain contractors to notify consumers, the FTC, and sometimes the media when an “unauthorized acquisition” of unencrypted, identifiable, personal health data occurs.[14] As the name suggests, however, the FTC Health Breach Notification Rule regulates breaches, not the purposes for which health data may be used, as HIPAA does. The FTC rule also does not prevent the sale of user health data. Similarly, the FTC rule does not require health apps to seek clear and unambiguous consent for uses or disclosures that consumers would not typically expect. When compared to HIPAA regulation, Congress’s mandate to the FTC to protect electronic health records leaves many privacy and security concerns unaddressed.

Privacy regulation for this new generation of electronic health records is fragmented. HHS, FDA, and FTC each govern limited aspects of health app records. Other aspects exist wholly outside of the current privacy framework. As users look increasingly to their devices to augment their health care, the value and utility of user-generated health records for data analytics, research, and marketing likewise increase.

With every click, tap, or entry, the user learns more about his or her health. Under the current approach to privacy regulation for mobile health apps, others will undoubtedly learn more about the user too.

Endnotes:

1. See HEALTH & HUMAN SERVS., Health Information Privacy, http://www.hhs.gov/ocr/privacy/ (providing an overview of the HIPAA Privacy, Security, and Breach Notification Rules) (last visited May 3, 2015).
2. See HIPAA Privacy Rule, 45 C.F.R. § 164.502 (2009).
3. See id. § 164.502(b).
4. See HIPAA Security Rule, 45 C.F.R. § 164.306(c) (2009).
5. See HIPAA Breach Notification Rule, 45 C.F.R. § 164.400 (2009).
6. See FOOD & DRUG ADMIN., Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff (February 9, 2015), at 4.
7. See id.
8. See id. at 27-29.
9. See FOOD & DRUG ADMIN., Mobile Medical Applications, http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/ConnectedHealth/MobileMedicalApplications/ucm255978.htm (last visited May 3, 2015).
10. See 15 U.S.C. § 45 (2006).
11. See FED. TRADE COMM’N, FTC Cracks Down on Marketers of “Melanoma Detection” Apps (February 23, 2015), available at https://www.ftc.gov/news-events/press-releases/2015/02/ftc-cracks-down-marketers-melanoma-detection-apps.
12. See FED. TRADE COMM’N, 2014 Privacy and Data Security Update, https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2014/privacydatasecurityupdate_2014.pdf (last visited May 7, 2015).
13. See FED. TRADE COMM’N, Complying with the FTC’s Health Breach Notification Rule, https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule (last visited May 8, 2015).
14. See id.


Hank Creasy is a shareholder and David Knoespel is an associate with Edmunds & Williams PC in Lynchburg. They routinely advise clients in the health-care industry, such as health systems, hospitals, CINs, health plans, and wellness companies. They have experience in a diverse range of general corporate and health law transactional and regulatory matters, including on matters at the intersection of health care and technology, such as health IT acquisition, Meaningful Use, HIPAA privacy and security, telemedicine, data-driven population health, IT subsidization, and IT-related fraud and abuse concerns.