Washington, District of Columbia


Jonathan Nace
Attorney • (202) 930-0292

Personal Health Technologies Invade Your Privacy Rights


Consumers are finding that some of the “health apps” and other technologies that have become so readily available may be lacking the privacy protections consumers are accustomed to.  The Washington Post has a story on the privacy loopholes that these apps squeeze through:

Jacqueline Stokes spotted the home paternity test at her local drugstore in Florida and knew she had to try it. She had no doubts about the paternity of her daughter, but as someone with an interest in genetics, she couldn’t resist.

At home, she carefully followed the instructions, swabbing inside the mouths of her husband and their child, placing the samples in the pouch provided and mailing them to a lab. A few days later, the cybersecurity consultant went online to get the results. Part of the lab’s Web site address caught her attention, and her professional instincts kicked in. By tweaking the URL slightly, a sprawling directory appeared that gave her access to the test results of 6,000 people.

The home paternity test's online results were not well safeguarded, as Ms. Stokes found. But the WP deftly noted the loophole here as well: “The Health Insurance Portability and Accountability Act, a landmark 1996 patient-privacy law, only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners.” Simply, HIPAA doesn’t apply to anything other than a “covered entity.” So long as these websites and apps don’t accept Medicare or health insurance, they aren’t bound by HIPAA.

Other similar breaches have occurred in the recent past, including losses of information by Fitbit and 23andMe.com.

HIPAA does not apply to these “health technologies,” but there may be ways consumers can protect themselves. First, be aware of solid consumer protection websites which investigate complaints, such as The Privacy Rights Clearinghouse. Second, be aware that the Federal Trade Commission – and not the Department of Health and Human Services – may be the more appropriate agency to report complaints to, because it has broader regulatory authority over deceptive trade practices. Finally, consumers who have been deceived by misleading privacy policies or statements online may have an avenue to file a consumer lawsuit.

Technology has always moved faster than the law. Today, we are seeing technology invade consumer privacy more and more, and in ways that were unexpected. Now it's time for the law to step forward as well.