Amid Pandemic, Health Apps Face Privacy Law Patchwork

By Ben Kochman

Law360 (September 18, 2020, 9:13 PM EDT) -- In a surging market thanks to the coronavirus pandemic, developers of mobile health apps are facing challenges on how to comply with a patchwork of state data security laws, industry attorneys say.

Much of the traditional health care space is covered by the rigorous data security requirements that federal regulators have issued under the Health Insurance Portability and Accountability Act, or HIPAA. But other companies, like private businesses building apps to screen employees for symptoms of COVID-19, may not be subject to HIPAA's requirements despite handling sensitive health data.

Those companies are instead struggling to navigate a slew of differing state laws addressing how health data should be protected and how to handle a potential data breach, attorneys say.

"If a company doesn't have a law like HIPAA to comply with, their regulatory compliance regime is not going to be nearly as straightforward," said Liisa Thomas, head of the privacy and cybersecurity practice group at Sheppard Mullin Richter & Hampton LLP. "It can be confusing, and they might miss something because of this quilt of legal obligations."

All 50 U.S. states have enacted their own data breach notification laws, many of which include different requirements for how companies need to protect sensitive information. The state widely considered to have the most stringent set of data privacy laws affecting health data is California, where businesses are subject to both the state's Confidentiality of Medical Information Act — which allows consumers to bring suits if companies "negligently" release confidential data — and its general data privacy law, the California Consumer Privacy Act.

Questions over how the burgeoning mobile health industry should comply with different state data security laws come as the Senate Committee on Commerce, Science and Transportation is set to hear testimony Wednesday about the need for a national privacy law. Witnesses at the hearing will include three former heads of the Federal Trade Commission: Maureen Ohlhausen, William Kovacic and Jon Leibowitz.

Separately, the current FTC in May solicited input about whether it should change a decade-old, little-used rule requiring companies that are not covered by HIPAA but still handle health information to publicly report data breaches. The commission asked for advice on whether it should change its Health Breach Notification Rule in light of "legal, economic, and technological changes," including "developments in health care products or services related to COVID-19."

The FTC noted at the time that more companies may soon be covered by its rule as patients increasingly turn to technologies such as virtual assistants and mobile health apps that might not be subject to HIPAA.

"We think health care and HIPAA go together in this country, and that's true most of the time, but not always," said Jennifer Hennessy, senior counsel in the privacy and cybersecurity practice at Foley & Lardner LLP.

Many of the public comments on how the FTC should enforce its breach notification rule have come from stakeholders in health care, who have claimed that adding another data breach law for companies to consider could lead to confusion for both businesses and consumers.

The American Dental Association, for example, urged the commission to define in more detail the cases in which vendors of personal health records, and the third-party service providers that handle that data, are subject to its rule rather than to HIPAA's breach notification requirements, which are enforced by the U.S. Department of Health and Human Services. HIPAA covers a broad swath of the health care industry, including medical providers that bill insurance companies and entities that have entered into "business associate" agreements with them.

"If they had their way, many health entities and businesses would prefer the HIPAA breach notification process, which is well established and has worked well for a long period of time," said Ryan Logan, counsel in the privacy and information management practice at Hunton Andrews Kurth LLP. "Companies don't want to deal with overlapping jurisdictions that might take away from the process they already are familiar with."

Debate about whether regulators should be more active in health care privacy comes as authorities in the U.S., Canada and Europe have warned in recent months that cybercriminals have taken specific interest in targeting the health care industry. The international crime-fighting agency Interpol, for example, said in April that it had seen a spike in online attacks targeting overburdened hospitals during the pandemic by trying to lock them out of critical systems and extort them into paying ransoms in digital currency.

And the telehealth industry has not proven immune from data security incidents during the pandemic. In June, U.K.-based telehealth company Babylon Health announced that a "small" number of patients were able to view recordings of other patients' appointments in what the company called the result of a "software error" rather than a malicious attack.

Consumers may also be more likely to demand that companies handling their health data be upfront with them about privacy and data security matters, regardless of whether a particular state or federal law requires it, following a slew of high-profile data breaches and security incidents in recent years, including at Equifax Inc. and Facebook Inc.

In cases where they have such a choice, consumers may also take cybersecurity into account in deciding which health care apps they want to use, attorneys said.

"Telehealth app developers have a tremendous opportunity here, but they need to understand their obligations to present the public with a complete picture of their information collection and use, so that your average user knows what data is being collected about them, how that data is being used and how it is being shared," Logan told Law360.

Users of coronavirus screening apps, for example, may understand why an app developer would share their information with health authorities but only feel comfortable with that data being disclosed in aggregate or on a de-identified level, Logan said.

"Any app developer in this space should evaluate which laws that they are subject to and develop technical solutions to control access to sensitive information," Logan said. "People don't want information about their COVID testing results being made public."

--Editing by Alanna Weissman.
