Big Tech and Health: Implications for HIPAA?

This week, Apple announced that it will now allow users to download and view portions of their medical records on their Apple products. This function will become a part of Apple’s Health app, and now enables consumers to transfer clinical data from their health care providers to their iPhones. This tool will allow for “easier sharing across multiple providers,” meaning that users will be able to bring their medical records with them in the event of switching doctors or moving, rather than going through the process of getting their records faxed or sent by the office itself. However, the risk to consumers may be substantial. Storing a considerable amount of protected health information (PHI) on a mobile device or wearable exposes the consumer to the potential risk of hacking and theft.

While this feature has just begun beta testing, with some high-profile medical institutions among the first to provide access to their patients, the introduction of this feature leaves open some important questions regarding the Health Insurance Portability and Accountability Act (HIPAA).

Although HIPAA does not act as a general medical privacy law, HIPAA standardizes the privacy of health information in the United States by creating baseline protections for health information. The Privacy Rule, promulgated by the Department of Health and Human Services, applies HIPAA only to “covered entities” and their “business associates.” In doing so, the rule created a loophole that seems to be growing steadily as more and more of the population engages with websites, phone applications, and wearable technology that collect and store health information outside that scope, known as “non-HIPAA” health data.

As most of this health data falls outside of the scope of HIPAA’s protection, there is a serious question as to whether, and how, this data should be regulated and protected. While Apple stated that it will not be able to view users’ medical data, which is encrypted, accessible only with the user’s password, and stored locally on the iPhone, users are also given the option to share such data with the company.

While Apple was initially reluctant to consider the potential for HIPAA privacy and security issues, the tech giant has signaled, by seeking and retaining “Privacy Counsel” focused on HIPAA and health, that it is taking the issue of health privacy and security seriously. Recently, CEO Tim Cook stated that “the holy grail of the watch is being able to monitor more and more of what’s going on in the body.” As the Apple Watch itself has been held out to be, and adopted as, a “health monitoring device,” with 80 percent of its consumers utilizing the health and fitness tracking function, it becomes even more important for Apple to consider adopting a HIPAA-compliant system to protect the plethora of data collected by such devices.

As a recent report issued by the Obama White House demonstrated, “big data analytics” has the potential to undermine established civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace. With implications such as these, one has to wonder what the next steps will be in addressing the proliferation of non-HIPAA data.