mHealth Is Putting Patient Data at Risk. Who’s Responsible?

April 4, 2019 | Purdue Global Law School

The market for mobile health (mHealth) applications has grown steadily over the past few years, driven by the potential for improving patient outcomes while reducing health care costs. However, data privacy and security issues could significantly restrict that growth. In a 2018 survey of more than 2,000 health care payers and providers commissioned by Change Healthcare and the HealthCare Executive Group, nearly half reported that they have become reluctant to adopt mHealth apps due to privacy and security concerns.

There’s good reason for their apprehension. Health care is the most-hacked industry in the U.S., with more than 13 million records exposed in some 350 data breaches in 2018, according to Department of Health and Human Services data reported by HIPAA Journal. Health care data is worth far more to hackers and fraudsters than Social Security numbers, credit card numbers, and other personal information. While financial institutions can spot fraud quickly, medical identity theft can take months or years to detect, enabling criminals to file bogus insurance claims and obtain equipment and drugs to resell.

Pushing health care data to patients’ mobile devices only increases the risk, and existing security and privacy regulations do not adequately address the threat. This leaves open the question of liability if a consumer’s mHealth data is compromised.

Regulatory Confusion

mHealth refers to the use of mobile phones, wearables, and other devices to track and manage health data. Apps are commonly used to monitor heart rate, blood pressure, and other vital signs as well as for prescription tracking, fall detection, and appointment reminders. They also enable physicians and nurses to communicate and collaborate with colleagues, ancillary workers, and patients regardless of their physical location.

The portability of mHealth apps also enables better integration with electronic health records. Caregivers can capture and record critical patient information right from the bedside, eliminating error-prone manual transcription processes and improving the accuracy of the patient records.

In theory, mHealth apps must comply with federal data privacy and security standards because they process and store protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established technical, physical, and administrative safeguards for medical records, and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extended those protections to electronic records.

The regulatory landscape can be confusing, however. There are many gray areas in HIPAA, which was enacted well before mobile devices and mHealth apps became widespread. In December 2018, the American Health Information Management Association and the American Medical Informatics Association asked Congress to modernize HIPAA regulations to address some of the ambiguities. In particular, the organizations have asked for clarification of existing regulatory guidance on third-party access to patient data.

Legal Uncertainty

Updating those protections may not be sufficient, because the security threats aren’t limited to apps. Hackers can also target PHI stored on smartphones and other mobile devices themselves, which are notoriously vulnerable to exploitation and attacks.

In one Ovum study of 4,500 users, about 70% reported they have no device management or security functionality of any kind on their devices. In a 2017 report, the Department of Homeland Security concluded that threats “exist across all elements of the mobile ecosystem” and require substantially different security measures than desktop computers.

These factors combine to create uncertainty about who is legally responsible in the event of a data breach. App developers naturally try to deflect liability through their end-user license agreements (EULAs). These “click-through” agreements may state, for example, that users of the app are responsible for the protection of their own data, or that responsibility for PHI and HIPAA compliance remains with the patient’s health care provider.

EULAs are a modern-day manifestation of the contract of adhesion, a term that originally applied to insurance contracts but has been developed through case law to encompass any “boilerplate” agreement. These agreements are drafted by the party with superior bargaining power, who engages in numerous similar transactions as a routine course of business.

Risks and Rewards

Contracts of adhesion protect the party drafting the agreement, while the party who must adhere to the contract has little or no ability to negotiate more favorable terms. They are often described as “take-it-or-leave-it” contracts. In the case of EULAs, the user has two options—accept the terms and conditions or don’t use the app.

Under the legal principle of contra proferentem, contracts are construed against the party drafting the document, particularly in situations of unequal bargaining power such as with contracts of adhesion. In the internet age, however, many courts have come to honor EULAs as long as there is evidence that the user had adequate notice of the agreement’s terms. Courts often look for active assent, such as clicking a box. If the consumer didn’t read the agreement, perhaps it’s the consumer’s fault.

The health care industry is taking steps to resolve these issues in light of the benefits of mHealth apps. In February, a consortium of professional health care organizations including the American Medical Association and the American Heart Association proposed a series of new privacy and security requirements related to data retention, use, and disclosure. They also suggest new access control, authentication, and compliance requirements.

Because these recommendations are voluntary and do not have the force of law, the extent to which they will be adopted remains to be seen. Meanwhile, many mHealth EULAs continue to place responsibility for PHI security on parties who have no control over the app. Patients and providers need to understand the risks and determine whether the benefits of the mHealth app are worth the potential threat to sensitive data.

Learn More About Health Law

If you're interested in gaining a better understanding of health law or working in the field of law, explore Purdue Global Law School’s online Executive Juris Doctor degree and health law courses.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.