OCR Provides Guidance on the Privacy of Data Stored on Health Apps and Mobile Devices | BakerHostetler


In the wake of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, many individuals and organizations have expressed uncertainty about the protection afforded to data stored on health apps, including cycle trackers.[1] As a result, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued guidance on multiple issues concerning the collection and sharing of personal health data. Recently, it issued guidance clarifying the extent to which information collected by cycle trackers and other health apps is protected. The OCR also provided tips for individuals wishing to protect the data stored on their personal devices or potentially shared with third parties.

Key Takeaway: Most importantly, the OCR made clear that the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) generally do not protect the privacy or security of your health information when it is stored on your personal mobile device. Those rules protect the privacy and security of your medical and other health information only when it is created, received, maintained or transmitted by covered entities, including health plans and most healthcare providers, and their business associate vendors.

This means that internet search history, information voluntarily shared online and geographic location information are not protected by the HIPAA rules and could potentially be collected or viewed by others. In most cases, the HIPAA rules also do not protect the privacy of data you download or input to apps for personal use, regardless of where the information came from. There is a limited exception for apps (such as Epic’s electronic medical record patient portal app, MyChart) that were contracted by or on behalf of a covered entity to assist with patient or member services; however, information stored on most widely used apps would not be protected.

The guidance further warns that simply downloading or using a health app may be enough to give the developer permission not only to collect and retain your information but also to sell or share it with data brokers, marketing and analytics firms, law enforcement personnel…
