
Health Application Security and Privacy Concerns Drive Legislative Efforts

In the United States, the protection of personal health information (PHI) is covered by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. However, the laws and regulations presently in place are not all-inclusive and leave some potential loopholes open.

What Happened

On June 15th, 2022, Senate Bill 4408 was introduced on the floor of the Senate. This bill is intended to reduce the number of ways the law can be skirted and to offer greater protection to the consumer. The bill, titled the “Health and Location Data Protection Act of 2022,” addresses the unlawful distribution of health and location data by any means, with exceptions only for disclosures allowed under the HIPAA rules, newsworthy information, and disclosures the individual has authorized.

In other words, legally, if you authorize certain information to be disclosed to another party, then that information may be disclosed to that party and that party only. Your information may not be sold, given, traded, licensed, or shared otherwise. 

While the bill does not explicitly mention them, it will also affect health and wellness applications, such as messaging systems that let you stay in direct contact with your physician via SMS or other electronic messaging, apps that give you access to your health data, and apps that help you quit smoking. Some of these applications currently provide no protection for your data at all, and others have been shown to send that information to parties not directly connected to you, without your knowledge or consent.

How Will This Affect You?

As a person who receives or has received health care, you will be protected from actions that put your data or health at risk of misuse or illegal dissemination. You will still have the right to divulge your health information as you see fit, or to restrict its use outside of your legal doctor/patient confidentiality agreements. At this time, HIPAA rules have some limitations and can be side-stepped without your consent or knowledge. One example is basic, non-identifiable patient information that cannot be attributed to a single patient after personally identifiable information has been removed. Birth and death dates, certain diseases, and other medical data must sometimes be passed on to the government regardless of the patient’s wishes. These disclosures are covered under the law and the HIPAA Act.

With the new bill, your right to privacy will be greatly enhanced, and your ability to determine who has access to your data, how it is used, and how long it is retained should be much more transparent.

Your ability to seek redress for any violation of your privacy will also be strengthened through more robust enforcement and the ability to file suit directly against transgressors. The wording of the bill seeks to ensure that not only federal agencies but also state agencies will be required to investigate complaints and seek out remedies that further protect you.

It should be noted that the language of the bill also speaks directly to the protection of data related to groups as well as individuals, so if you are a pregnant woman, you will have greater protections available to you. Your data was protected before, but this bill specifically requires protection of location data covering past, present, and future movements. This data would no longer be freely available or up for sale to just anyone.

All portions of this bill will be implemented and enforced by the Federal Trade Commission (FTC) and, further, by the states, giving them the ability to ensure that data is not misused or mishandled. If the FTC or a state finds a violation, it may seek civil or criminal remedies.

What Should You Do?

Protecting your health and location data should be a concern at all times. This information can be used to harm you financially, medically, or even legally. So, here are some thoughts on how to protect yourself:

  1. If you must give out information, protect it at all costs.
    • Ask questions about the way the information is used, stored, and protected
    • Ask who else will have access to the data you are giving out
    • Find out if you can limit access to only those you wish to know the information and no others, including third-party vendors or providers
  2. If you are speaking on the phone with someone, make sure they are who they say they are
    • No health care provider should ever ask you for your full Social Security number or other identifiers over the phone. This should be done in a secure environment, such as a closed-door office at the medical site or hospital.
    • If you are unsure, tell the person you will call them back shortly and reach out to your medical provider for confirmation. They should have no problem allowing this. Do not assume that a call-back number given by the person on the phone is actually the one to call; it may belong to a scammer.
  3. If you use health apps on a mobile device or computer, ensure you understand exactly what is being given to those who own the application, the creators, and third-party providers.
    • Do not use the application if there is no privacy-related information or user agreement.
    • If you feel that your data is not being protected, do not use the application.
    • Should you find that your data has been misused or given out to unauthorized persons or organizations, file a complaint with the FTC as soon as possible and stop using the application.

In all cases, it is your responsibility to ensure that you properly protect your data, even with laws on the books to help you do so. If you do not take care to check that your information is in the right hands and is being properly handled, your data will be at risk. These laws and regulations help you do that, but for them to work, you must ensure that you are well informed.

Northstarr Recommendations

Caring for your IT and cybersecurity needs is an important part of your individual and organizational planning. It requires you to make informed decisions based on your data and its use. Northstarr System Solutions, Ltd. is uniquely qualified to help you with that planning and decision-making process and find the solutions that work best for you.

To find out more about what we do, visit our website or give us a call at (888) 767-2210 to set up an appointment.

We look forward to meeting with you!