On March 2, Virginia Gov. Ralph Northam (D) signed the Virginia Consumer Data Protection Act. It is just one of several new state consumer privacy laws—California has been through at least two iterations in three years. States are passing these consumer protection laws because there is no nationwide consumer privacy law.
When I worked at the Department of Health and Human Services in 2016, the agency pointed out this gap in a report submitted to Congress. The report, approved by the White House and other federal agencies, explained how health information data is protected—or not—outside the bounds of the federal Health Information Portability and Accountability Act (HIPAA) and its privacy rules.
In essence, when health data is collected by businesses that are not subject to the same privacy laws as doctors’ offices, it lacks baseline protections against that data being sold or used by other businesses for marketing and advertising. HIPAA, when it applies, prohibits the sale of personally identifiable data, and prohibits the use of data for advertising.
Why is this important? As we pointed out in the 2016 report, individuals’ health information is now being collected in traditional health settings (like continuous glucose monitors) and in consumer settings (like exercise trackers). The ordinary consumer does not know where the privacy protections of HIPAA end. In some instances, such as if a state has not enacted a law, there are no baseline consumer protections at all.
Consumer technology such as Amazon’s Halo or Fitbit now connects directly to hospitals’ electronic health records, so from a consumer’s point of view, how do they know if their data will be used for advertising or otherwise re-used in a way that would surprise them?
New Health Data Tools And Consumer Trust
In the last few years, big tech has developed tools that are potentially beneficial, such as advanced data science-based search and AI tools that focus physicians’ attention and improve diagnostic precision.
At the same time, consumer trust in big tech has eroded. First, we all learned about Facebook data exploited by Cambridge Analytica. Second, we are regularly learning about direct-to-consumer “wellness” apps leaking personal health information that is not protected by HIPAA for advertising and other unexpected uses.
Where does this leave health-care innovation based on digital technology, aka “digital health?” According to Rock Health, in 2020 alone, $14 billion was invested in digital health. During the Covid-19 pandemic, digital health has shown its ability to deliver safe, effective, and cost-effective health care by connecting people to care through their smartphones and even through texting.
That’s how Omada Health, where I serve as chief privacy and regulatory officer, does it. We provide health care to people with Type 1 and Type 2 diabetes and physical therapy needs via asynchronous, secure, and private messaging between patients and their health care professionals. Omada is paid for its health-care services in the same way as physicians and other professionals are, that is, by insurance companies and self-insured employer health plans.
Omada, United Healthcare, and many other companies, from text-based primary care providers to secure messaging app companies to behavioral therapists, offer health and medical care under this “virtual healthcare” business model: delivery via app, but paid for as health care by an insurance company/employer plan.
Virtual Health Care Delivery Is HIPAA-Protected
Health care delivered this way is squarely within HIPAA, because the law, and all of its privacy and security provisions, are triggered by seeking payment via an electronic claim. HIPAA applies wherever and however the care is delivered—it makes no distinction between virtual and brick-and-mortar delivery modes.
Given the promise of digital health and the imminent empowerment of consumers to get and manage their own health information via apps, the time is ripe for consumer privacy protections that at least match HIPAA. To date, more than a dozen bills have been introduced in Congress.
But it’s unlikely we’ll see rapid action because the fundamental issues remain intractable: preemption (should a federal law preempt state laws such as Virginia’s and California’s) and private rights of action (should individuals be able to bring actions in court).
So where does that leave consumers? Well, with a free app (as in free, where your insurance company or employer is not paying for it as they do for your other health care) you indeed may be the product. Reading the terms before you click “download” is more important than ever.
As for businesses, the companies providing private and secure health care via apps need to broadcast their privacy and trustworthiness loudly, putting shady privacy practices to shame.
Then, gradually, patients will learn to tell the difference between free apps with less stringent privacy protections and legitimate health-care services that are not only private but are actually governed by federal privacy regulations. Only then will it be possible to fulfill the promise of digital health.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Lucia Savage is the chief privacy and regulatory officer at Omada Health, a digital health company that combines proven clinical protocols with behavior science to help build healthy habits that stick. Previously, she was chief privacy officer at the HHS Office of the National Coordinator for Health IT.