By Ben Kochman
Law360 (September 18, 2020, 9:13 PM EDT) -- In
a surging market thanks to the coronavirus pandemic, developers of mobile
health apps are facing challenges on how to comply with a patchwork of state
data security laws, industry attorneys say.
Much of the traditional health care space is covered by the rigorous data
security requirements outlined by federal regulators in the Health Insurance
Portability and Accountability Act, or HIPAA. But other companies, like private
businesses building apps to screen employees for symptoms of COVID-19, may not
be subject to HIPAA's requirements despite handling sensitive health data.
Those companies are instead struggling to navigate a slew of differing state
laws addressing how health data should be protected and how to handle a
potential data breach, attorneys say.
"If a company doesn't have a law like HIPAA to comply with, their
regulatory compliance regime is not going to be nearly as
straightforward," said Liisa Thomas, head of the privacy and cybersecurity
practice group at Sheppard Mullin Richter & Hampton LLP.
"It can be confusing, and they might miss something because of this quilt
of legal obligations."
All 50 U.S. states have enacted their own data breach notification laws, many
of which include different requirements for how companies need to protect
sensitive information. The state widely considered to have the most stringent
set of data privacy laws affecting health data is California, where businesses
are subject to both the state's Confidentiality of Medical Information Act —
which allows consumers to bring suits if companies "negligently"
release confidential data — and its general data privacy law, the California
Consumer Privacy Act.
Questions over how the burgeoning mobile health industry should comply with
different state data security laws come as the Senate Committee on Commerce,
Science and Transportation is set to hear testimony Wednesday about the need
for a national privacy law. Witnesses at the hearing will include three former
heads of the Federal Trade Commission: Maureen Ohlhausen,
William Kovacic and Jon Leibowitz.
Separately, the current FTC in May solicited
input about whether it should change a decade-old,
little-used rule requiring companies that are not covered by HIPAA but still
handle health information to publicly report data breaches. The commission
asked for advice on whether it should change its Health Breach Notification
Rule in light of "legal, economic, and technological changes,"
including "developments in health care products or services related to
COVID-19."
The FTC noted at the time that more companies may soon be covered by its rule
as patients increasingly turn to technologies such as virtual assistants and
mobile health apps that might not be subject to HIPAA.
"We think health care and HIPAA go together in this country, and that's
true most of the time, but not always," said Jennifer Hennessy, senior
counsel in the privacy and cybersecurity practice at Foley
& Lardner LLP.
Many of the public comments on how the FTC should enforce its breach
notification rule have come from stakeholders in health care, who have claimed
that adding another data breach law for companies to consider could lead to
confusion for both businesses and consumers.
The American Dental Association, for
example, urged the commission to define in
more detail cases when vendors of personal health records and third-party
service providers that handle that data are subject to its rule, versus
HIPAA's breach notification requirements, which are enforced by the U.S. Department of Health and Human Services.
HIPAA covers a broad swath of the health care industry, including medical
providers that bill insurance companies and entities that have entered into
"business associate" agreements with them.
"If they had their way, many health entities and businesses would prefer
the HIPAA breach notification process, which is well established and has worked
well for a long period of time," said Ryan Logan, counsel in the privacy
and information management practice at Hunton Andrews Kurth LLP. "Companies
don't want to deal with overlapping jurisdictions that might take away from the
process they already are familiar with."
Debate about whether regulators should be more active in health care privacy
comes as authorities in the U.S., Canada and Europe have warned in recent
months that cybercriminals have taken specific interest in targeting the health
care industry. The international crime-fighting agency Interpol, for example,
said in April that it had seen a spike
in online attacks targeting overburdened hospitals
during the pandemic by trying to lock them out of critical systems and extort
them into paying ransoms in digital currency.
And the telehealth industry has not proven immune from data security incidents
during the pandemic. In June, U.K.-based telehealth company Babylon Health
announced that a "small" number of patients were able to view
recordings of other patients' appointments in what the company called the
result of a "software error" rather than a malicious attack.
Consumers may also be more likely to demand that companies handling their health
data be upfront with them about privacy and data security matters — regardless
of whether they are subject to a particular state or federal law telling them
to do so — following a slew of high-profile data breaches and security
incidents in recent years, including at Equifax
Inc. and Facebook Inc.
In cases where they have such a choice, consumers may also take cybersecurity
into account in deciding which health care apps they want to use, attorneys
said.
"Telehealth app developers have a tremendous opportunity here, but they
need to understand their obligations to present the public with a complete
picture of their information collection and use, so that your average user
knows what data is being collected about them, how that data is being used and
how it is being shared," Logan told Law360.
Users of coronavirus screening apps, for example, may understand why an app
developer would share their information with health authorities but only feel
comfortable with that data being disclosed in aggregate or on a de-identified
level, Logan said.
"Any app developer in this space should evaluate which laws that they are
subject to and develop technical solutions to control access to sensitive
information," Logan said. "People don't want information about their
COVID testing results being made public."
--Editing by Alanna Weissman.