Closing the Security Gaps in Mobile Health Apps

Health-related smartphone apps unquestionably are popular. And many, as we’ve reported, are of questionable use. Some can be downright harmful.

But the utility of health apps isn’t the only possible downside to this technology. No governmental agency has regulatory oversight for mobile health applications, and that’s a situation that should be addressed, concluded papers recently published in Health Affairs.

The feds should close the gaps in health app privacy and security, as approximately half a billion people will be using one by 2015, according to, which summarized the journal’s research.

Many mobile apps transmit personal health data over an electronic network, and other functions such as video conferencing about patients are increasingly popular among medical professionals who want to consult about cases. But they’re vulnerable to network breaches. (See our blog, “Medical Apps: When Sharing Goes Too Far.”)

The Health Affairs authors enumerated several security and privacy risks for telehealth and mobile app users, and before you and your caregivers rely on these information aids, consider how well the data they transmit is protected from prying eyes. If you’re uncertain, think twice before hitting “send.”

Some things to consider:

1. Communications via telehealth services fall outside the realm of HIPAA — the Health Insurance Portability and Accountability Act of 1996. And some network-enabled medical devices don’t fit into the HITECH Act’s security breach notification requirements.

Privacy and confidentiality are vulnerable in telehealth technology during the collection or transmission of sensitive data, and in the distribution of untrusted software and hardware. And you might not even know if a problem has occurred, because people whose information has been compromised may not even be able to request copies of whatever is collected by telehealth apps.

The HITECH Act – the Health Information Technology for Economic and Clinical Health Act of 2009 – extends HIPAA protections to users who “create, receive, maintain, or transmit” identifiable health information. But consumers who use mobile apps outside a health-care setting aren’t “covered entities,” so they’re not subject to HIPAA regulations.

2. Device manufacturers and mobile app makers may be able to share patient information with third-party advertisers.

Such oversharing might be completely unanticipated by patients who, along with their providers, might feel more protected by consent forms than they should. Read the fine print carefully, and if you don’t understand it, ask. If you’re not provided a full and clear explanation, maybe this app isn’t for you.

3. Medical and consumer device software may contain security flaws or may come under attack from hackers.

Health apps are used mostly on portable devices that are easily stolen, leaving the data they contain available to prying eyes. Providers can avoid hack attacks if they accept data only from approved software. How many do?

4. Privacy laws outside of HIPAA might not apply to mobile health apps.

The Computer Fraud and Abuse Act of 1986 and the Electronic Communications Privacy Act of 1986 ban the unauthorized interception of communications. But they might not apply to patient information and the private use of health apps.

Providers should be concerned with medical liability issues associated with data collected from mobile apps. For example, there’s no agreement about what a doctor’s liability might be if he or she harmed a patient because that person was monitoring his or her health through a mobile device, and sending that data directly to the doctor.

Patrick Malone & Associates, P.C.