Free Republic

Mobile Health Apps Need a Security Check-Up
Townhall.com | December 9, 2021 | Ken Blackwell

Posted on 12/09/2021 7:26:12 AM PST by Kaslin

The age of mask and vaccine mandates has sparked important conversations about what employers, businesses and our government can ask about our personal health decisions. These discussions often reveal widespread misconceptions about who is responsible for keeping that information confidential and secure. Clarity on this issue is of utmost importance for consumers, especially with the rise of smartphone apps hungry for health data.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created national standards for protecting individuals’ health information. Many people assume the law applies to any entity that might request or handle health information. In fact, the law only requires “covered entities” to protect patient privacy and security while they share information to provide high-quality care. Covered entities include health care providers, insurers, healthcare clearinghouses and “business associates” such as electronic health record developers and other organizations that serve covered entities.

Health data that would be HIPAA-protected in the hands of healthcare companies can be used for any purpose, without federal privacy and security protections, when it is collected by big tech companies. Understanding this distinction is critical for privacy-conscious consumers amid the growing trend of health-related apps.

The risk to consumers is real. On two separate occasions this year alone, the cybersecurity company Approov has reported on major security vulnerabilities affecting dozens of apps with millions of users. In February, Approov tested 30 mobile health apps covering 23 million users and found all of them to be vulnerable to hacking. In October, Approov was able to access more than 4 million patient and clinician records through the vulnerabilities.

Personal health data is extremely attractive to hackers because of the value of a real, full medical record to bad actors. Health records can fetch prices 1,000 times higher than a Social Security number and 200 times higher than a credit card number, according to Experian. A hacked medical record can be worth as much as a stolen passport on the dark web.

Even if it’s not stolen by hackers, health data that is not protected by HIPAA can be used and sold in ways patients never intended. We may be comfortable giving fitness trackers and other apps access to our personal data to alert us to health risks, remind us to take our medication, or even share important information with loved ones. But do we want Big Tech companies using that data to sell us advertising based on our private medical conditions or decisions or profile us for potential future employers, life insurers, or lenders?

It’s past time to close the “covered entity” loophole, especially since new regulations issued by the U.S. Department of Health and Human Services mandate health care organizations to share health data with app companies and big tech if they say they’re acting on a patient’s behalf. When health information moves from their electronic health record to a Big Tech firm, patients should be informed that their data is transferring from an entity that is required to protect their data and use it for certain purposes to a company that is not. Burying a disclaimer and broad data use rights in dense terms and conditions shouldn’t count.

Better yet, the legislative and regulatory landscape needs to catch up with the technological advances in the 25 years since HIPAA became law. The Federal Trade Commission already views apps that handle health data as healthcare companies. In November the FTC told app makers to comply with the Health Breach Notifications Rules governing how and when healthcare companies must alert consumers to a data breach.

The rest of the regulatory landscape should follow the FTC’s lead and Congress should update HIPAA for the mobile app age. Health apps that access and function as digital health records should be treated as such, and they should be required to protect users' privacy and secure their data to the same standard as providers, insurers, and other healthcare companies.


TOPICS: Culture/Society; Editorial
KEYWORDS: applications; apps; bigtech; cellphone; healthcare; hippa; surveillence; techgiant

1 posted on 12/09/2021 7:26:12 AM PST by Kaslin

To: Kaslin

Samsung had a nice app for reading its phone oximeter / pulse device. Now it wants to own your data with unlimited rights to sell it.

A third party app showed up, and deceptively hides that it expects to be able to sell your info in order to use the app.


2 posted on 12/09/2021 7:37:29 AM PST by RideForever (One of the CoVID naturally immune control group)

To: Kaslin

.


3 posted on 12/09/2021 8:27:51 AM PST by sauropod (Meanie Butt Daddy - No you can't)

To: Kaslin

The simplest, best way to protect your health data is to ignore the health apps. The apps have a very poor record of securing your data.


4 posted on 12/09/2021 8:30:56 AM PST by upchuck (The longer I remain unjabbed with the clot-shot, the more evidence I see supporting my decision.)

To: RideForever

Because of my distrust and tech ignorance I refuse to have any kind of "APP" on my phone, including the weather app.

I never trust anyone telling me they're doing me a favor I didn't ask for.

I have a phone that's more of a nuisance than a convenience.

I read my email from one email source but never respond from my phone.

I recently received a $5 check from my bank to deposit using an app they want me to put on my phone. The check can only be deposited with the app I don't have.

I have news for the bank. I (you) can keep anything received unsolicited in the US mail.

5 posted on 12/09/2021 8:36:16 AM PST by lewislynn (Fox news: the most irrelevant after the fact useless news source...Fake news? try NO news)

Unsolicited Merchandise

A company sends you a gift in the mail — a tie, a good luck charm, or a key chain. You didn’t order the gift. What do you do? Many people will feel guilty and pay for the gift. But you don’t have to. What you do with the merchandise is entirely up to you.

If you have not opened the package, mark it “Return to Sender.” The Postal Service will send it back at no charge to you.

If you open the package and don’t like what you find, throw it away.

If you open the package and like what you find, keep it — free. This is a rare instance where “finders, keepers” applies unconditionally.

Whatever you do, don’t pay for it — and don’t get conned if the sender follows up with a phone call or visit. By law, unsolicited merchandise is yours to keep.

6 posted on 12/09/2021 8:48:59 AM PST by lewislynn (Fox news: the most irrelevant after the fact useless news source...Fake news? try NO news)

To: upchuck

Yep!
Never use an App unless you are sure YOU need it.
Never use one where its only purpose is to send info to someone else.


7 posted on 12/09/2021 12:13:14 PM PST by Zathras

To: Kaslin

I barely want a phone.
Can foresee a time when I no longer have one.
Likewise, a computer/laptop

For now it’s my only contact with family and work.


8 posted on 12/09/2021 12:21:37 PM PST by Leep (Save America. Lock down pres. Brandon!)

To: RideForever

I have a Samsung phone and I absolutely hate it. It’s the worst phone I’ve ever had. I sent my other Samsung phone that I had to my daughter in Texas for my grandson, but her husband kept it instead.


9 posted on 12/09/2021 12:47:43 PM PST by Kaslin (Joe Biden,s aka president Milk Carton)
