Cyber Defense Magazine: Understanding health data privacy in the digital age

By Brian Foy | October 4, 2022

Over the past decade, the proliferation of health apps has made everything from fitness-tracking to calorie-counting more convenient for the everyday consumer. However, recent news regarding the lack of digital privacy protections has prompted major concern about the potential misuse of consumer health data. For example, the recent overturn of Roe v. Wade left some users unsure if the data collected by period-tracking apps could be used against them by law enforcement or other federal agencies. While worries over how third parties use data are more than warranted in this context, it is imperative to distinguish this from the use of health care data within hospitals and health care systems. Consumers should remain vigilant about the information their mobile devices and wearables collect about them while also understanding the protections in place that secure the data utilized by hospitals and health systems.

In hospitals and health systems, health care data comprises information providers collect from a variety of sources. This could include a patient’s diagnosis, test results, medications, and treatment plans, among others. This data is often used and shared to determine a targeted approach to a patient’s particular care within and across networks, and is protected under the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, protected health information may be disclosed without an individual’s authorization only within defined limits and conditions. HIPAA also gives individuals rights over their protected health information and regulates identifying data such as names combined with health information. As a result, the patient and their data are prioritized within hospitals and health care systems. Without HIPAA, there would be little incentive for safeguarding data—and little chance of repercussions if there were a failure to do so.

These protections differ drastically from those afforded to data produced by mobile apps. HIPAA only protects data shared by health care providers, health plans, health care clearinghouses, and their business associates. Consumer health apps, because they are not classified as covered entities under HIPAA, do not have the same obligations to secure and protect the privacy of the data they collect. Therefore, apps that fail to properly protect health data are not subject to the harsh consequences health care providers face. In fact, one study found that 88% of mobile health apps sold in the Google Play store are designed to harvest user information, despite many users’ assumptions that these apps protected the privacy of their sensitive health data. Furthermore, the study indicated that 23% of user data transmissions took place over insecure communication protocols, and less than half of data transmissions complied with the apps’ own privacy policies.

In all, health care data contains sensitive information that can be easily exploited and misused if not properly secured. Until mobile apps are held accountable for the wealth of information they store, consumers must better inform themselves on the current state of their data and privacy and take action accordingly.

Brian Foy is the chief product officer at Q-Centrix.

Published in Cyber Defense Magazine’s October issue.