On September 9 Apple is hosting its ‘Wish We Could Say More’ event. In the interim we will be deluged with usually uninformed speculation about the new iPhone, an iWatch wearable, and who knows what else. What we do know, because Apple announced it back in June, is that iOS 8, Apple’s mobile operating system will include an App called ‘Health’ (backed by a ‘HealthKit’ API) that will aggregate health and fitness data from the iPhone’s own internal sensors, 3rd party wearables, and EMRs.
What has been less than clear is how the privacy of this data is to be protected. There is some low hanging legal fruit. For example, when Apple partners with the Mayo Clinic or EMR manufacturers to make EMR data available from covered entities they are squarely within the HIPAA Privacy and Security Rules triggering the requirements for Business Associate Agreements, etc.
But what of the health data being collected by the Apple health data aggregator or other apps that lies outside of protected HIPAA space? Fitness and health data picked up by apps and stored on the phone or on an app developer’s analytic cloud fails the HIPAA applicability test, yet may be as sensitive as anything stored on a hospital server (as I have argued elsewhere). HIPAA may not apply but this is not a completely unregulated area. The FTC is more aggressively policing the health data space and is paying particular attention to deviance from stated privacy policies by app developers. The FTC also enforces a narrow and oft-forgotten part of HIPAA that applies a breach notification rule to non-covered entity PHR vendors, some of whom no doubt will be selling their wares on the app store.
As health data has migrated from conventional health care providers these gaps in our health privacy laws have become quite evident yet Congress has failed to react (Senator Schumer’s FitBit “privacy nightmare” aside). Apple now looks like it is going to fill the privacy vacuum with some serious private ordering. According to various reports from the Financial Times and the Guardian Apple has amended its developer contracts to include strong mHealth privacy protections.
Outright provisions such as “must not sell an end-user’s health information collected through the HealthKit APIs to advertising platforms, data brokers or information resellers” are coupled with proportionality rules (long missing from U.S. privacy) such as “You and your application may not use the HealthKit APIs, or any information obtained through the HealthKit APIs, for any purpose other than providing health and/or fitness services in connection with your application (e.g. not for serving advertising).” There is even a medical research exception that is dependent on user consent (hopefully, a context specific opt-in).
‘Wish We Could Say More’ probably doesn’t refer to ‘Health,” but it may allude to the new privacy world surrounding Apple’s apps—developers are going to be severely constrained as to what more they can say and distribute with regard to patient health data. Lets hope the other platform developers (Samsung, Google, etc.) take notice or, if not, that smartphone buyers will express their desire for health privacy with their wallets.