PRIVACY & SECURITY
Regulatory Patchwork: Mobile Health
Anna Watterson, Davis Wright Tremaine, LLP
Overview
When HIPAA applies to mobile apps
When the FTC has jurisdiction over mobile apps
Other considerations: FDA mobile device regulations and guidance, children's privacy laws, financial privacy laws, international data protection laws, and state privacy and data security laws
Privacy practices and privacy policies
Data security for mobile apps and devices
HIPAA
Who’s Covered?
Covered Entities
Business Associates
Who’s Not Covered?
Consumers
Entities that do not fall within the HIPAA definition of covered entity or business associate
HIPAA Hot Potato
Claims data held by a health plan (covered by HIPAA)
downloaded to an individual’s phone (not subject to HIPAA)
sent to the individual’s health care provider (covered by HIPAA)
uploaded to a health app (possibly subject to HIPAA)
FTC Authority
Section 5 of the FTC Act broadly prohibits “unfair or deceptive acts or practices in or affecting commerce.”
Deception: a material representation or omission that is likely to mislead consumers acting reasonably under the circumstances
Unfairness: a practice that causes or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers
FTC Cautionary Tales
Is your app collecting date of birth? If so, do you have an effective age-gate?
Is your app collecting unique device identifiers and precise GPS location? Is your app employing an analytics service that tracks location info?
Are you overselling or making promises that aren’t 100% true (e.g., don’t say something can be “deleted forever” if there are ways it could be retained without the user’s consent)?
Does the app validate SSL certificates and adhere to other applicable industry standards?
Does the app obtain appropriate permissions to access certain data stored on the user’s phone or to use certain functionalities (e.g., access to camera functionality)?
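The "does the app validate SSL certificates?" question is one a reviewer can answer mechanically for any code path that builds a TLS context. The following is an added example, not code from the presentation or from any FTC matter: it audits a Python ssl.SSLContext for the three settings that most often get switched off during development and then shipped (peer certificate verification, hostname checking, and legacy protocol versions). The function names and finding strings are this example's own.

```python
import ssl

# Findings are plain strings so they can be dropped into a review checklist.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context validates peers properly."""
    findings = []
    # Without CERT_REQUIRED the server's certificate chain is never checked
    # against a trust store, so any certificate (self-signed, expired, for a
    # different domain) is accepted.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    # A valid certificate for the wrong host is still the wrong host.
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    # "Adhere to other applicable industry standards": reject pre-1.2 protocol versions.
    if ctx.minimum_version < MIN_ACCEPTABLE:
        findings.append("legacy protocol versions allowed (minimum_version below TLS 1.2)")
    return findings


def hardened_context() -> ssl.SSLContext:
    """The shape an app should ship with: system trust store, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_ACCEPTABLE
    return ctx


def weak_context() -> ssl.SSLContext:
    """The pattern the FTC item warns about: verification turned off to make a
    self-signed test certificate 'work', then left in the release build."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```

The same three questions apply to whatever TLS stack the app actually uses (OkHttp, NSURLSession, a pinning library): is the chain verified against a trust store, is the hostname compared to the certificate, and is the minimum protocol version pinned. Checking the loaded trust anchors (for example with cert_store_stats()) is a useful fourth check in environments where the system CA bundle may be absent.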
PaymentsMD
PaymentsMD provided billing services to medical providers – patients could pay bills through the PaymentsMD website. PaymentsMD launched a free “Patient Portal” where consumers could view their billing history. PaymentsMD then launched “Patient Health Report,” where consumers could access, review, and manage their health records.
According to the FTC, PaymentsMD “tried to obtain the sensitive health information of consumers registering for the Patient Portal from health insurance plans, pharmacies, and a medical testing lab, without appropriate authorization from those consumers. … [M]any consumers registering for the Patient Portal had no idea that respondent would seek to collect their sensitive health information from third parties.”
Required individual authorizations, BUT the FTC alleged that the authorizations were hard to read and that offering a single check box option for all four authorizations made the authorizations easy to skip over
The Allegations: Deceptive Omission, Deceptive Representation
The Result: Prohibited from engaging in the behavior at issue, required to delete or destroy data, notification to the FTC required prior to certain corporate changes, FTC order in effect for 20 years, among other things
Personal Health Record (PHR)
The FTC defines a personal health record as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”
PHR Breach Notification Requirements
PHR Model Notice of Privacy Practices
http://www.healthit.gov/policy-researchers-implementers/personal-health-record-phr-model-privacy-notice
“Much like a ‘soup can label,’ it requires transparency about the practices (or ingredients) but does not specify the practices that must be followed.”
Voluntary standardized template
Modeled after standard notices such as the FDA nutrition label and the financial industry model notice
Goal is to “provide[] a uniform and easy-to-understand approach for PHR companies to be transparent about certain key privacy and security issues”
Other Considerations
State law (particularly California)
International data protection laws
FDA – Mobile Medical App guidance (update issued Feb. 9, 2015)
COPPA requirements
Gramm-Leach-Bliley
New proposed legislation – Consumer Bill of Privacy Rights
Privacy Practices
FTC Report: “Protecting Consumer Privacy in an Era of Rapid Change”
Calls on companies handling consumer data to implement recommendations for protecting privacy, including:
Privacy by Design - Build in privacy protections at every stage of development.
Simplified Choice for Businesses and Consumers - Give consumers control over what information is shared about them, and with whom.
Greater Transparency - Disclose details about collection and use of consumers' information; provide consumers access to the data collected about them.
Privacy by Design
7 Foundational Principles
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – Positive-Sum, not Zero-Sum
5. End-to-End Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User-Centric
Fair Information Practice Principles (FIPPs)
Transparency
Individual Participation
Purpose Specification
Data Minimization
Use Limitation
Data Quality and Integrity
Security
Accountability and Auditing
FTC Recommendations to Build Trust in the Mobile Marketplace
Provide timely, easy-to-understand disclosures
Apps should have an easily accessible privacy policy
Apps should provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information
App developers should understand what data is collected by third parties (such as analytics or advertising companies) and how that data is used and shared
App developers should consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.
“[C]onsumers should have to actively consent before apps are allowed to access "sensitive" information such as geolocation, contacts, photos or media recordings.”
FTC Guidelines for Financial Privacy Notices:
Does Your Financial Privacy Notice... use legal jargon? give new meaning to dense, indecipherable text? contain lengthy, unnecessarily complex sentences with convoluted clauses, multiple punctuation marks, and incomprehensible polysyllabic verbiage?
Was Your Notice... "borrowed" from another company without regard for your privacy practices or your customers' concerns or needs?
Security Requirements
Does HIPAA apply? If so, implement the HIPAA Security Rule requirements
Implement reasonable and appropriate security – consider FTC data security related enforcement actions
Consider State data
HIPAA Security Rule
Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity or business associate creates, receives, maintains, or transmits.
Protect against any reasonably anticipated: (1) threats or hazards to the security or integrity of such information; and (2) uses or disclosures not permitted by the HIPAA Rules.
3 sets of safeguards implemented through standards and required and addressable implementation specifications
Addressable ≠ Optional
Administrative Safeguards
Technical Safeguards
Physical Safeguards
Risk Analysis and Risk Management
Risk Analysis: Assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Have you identified all ePHI within your organization? What are the threats (human, natural, and environmental) to, and vulnerabilities (technical and non-technical) of, the information systems (devices or media) that contain ePHI?
Risk Management: Implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
Risk = Threat x Vulnerability x Likelihood x Impact
Administrative Safeguards
Security Management Process – Risk Analysis, Risk Management, Sanctions Policy, Information System Activity Review
Assigned Security Responsibility
Workforce Security – Authorization, Supervision, Clearance, Termination
Information Access Management – Access Authorization, Access Establishment and Modification
Security Awareness and Training
Security Incident Procedures – Response and Reporting
Contingency Plan – Backup, Recovery, Emergency Plans
Periodic Evaluation
Business Associate Contracts
Physical Safeguards
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls – Disposal, Media Re-use, Accountability,
Data Backup and Storage
Technical Safeguards
Access Control – Unique User Identification, Emergency Access Procedure, Automatic Logoff, Encryption and Decryption
Audit Controls
Person or Entity Authentication
Integrity – Mechanism to Authenticate Electronic Protected Health Information
Transmission Security – Integrity Controls, Encryption
Mobile App Security
Adopt and maintain reasonable data security practices. The FTC doesn’t prescribe a one-size-fits-all approach.
Consider the amount and type of data the app collects, and how such data will be used and shared, to determine the appropriate security posture.
Consider where the information collected is
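Several of the Technical Safeguards listed under the HIPAA Security Rule above (unique user identification, automatic logoff, audit controls, and an integrity mechanism for ePHI) are concrete enough to model in code, and a small server-side model is also a useful way to reason about the "reasonable data security practices" the FTC expects of an app's backend. The following is an added example, not from the presentation and not a reference implementation of the Security Rule: the class and function names, the 15-minute idle threshold, the integrity key, and the sample record are all this example's own constructed values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed policy value: the real threshold comes from the organization's risk analysis.
IDLE_TIMEOUT_SECONDS = 15 * 60
# Example-only key; in production it would come from a KMS/HSM, never from source.
INTEGRITY_KEY = b"example-only-integrity-key"


@dataclass
class Session:
    user_id: str          # unique user identification: one identity per person, no shared logins
    last_activity: float  # seconds; the store refreshes this on every permitted access

    def expired(self, now: float) -> bool:
        # Automatic logoff: a session idle past the threshold no longer grants access.
        return now - self.last_activity > IDLE_TIMEOUT_SECONDS


def seal(record: dict) -> str:
    """Integrity mechanism: an HMAC over canonical JSON, so an ePHI record altered
    outside the application (disk edit, storage bug, tampering) no longer verifies."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class PhiStore:
    def __init__(self) -> None:
        self._records: dict = {}   # record_id -> {"data": ..., "tag": ...}
        self.audit_log: list = []  # audit controls: who, what, which record, outcome, when

    def _audit(self, user_id: str, action: str, record_id: str, outcome: str, now: float) -> None:
        self.audit_log.append({"time": now, "user": user_id, "action": action,
                               "record": record_id, "outcome": outcome})

    def _check_session(self, session: Session, action: str, record_id: str, now: float) -> None:
        if session.expired(now):
            # Denied attempts are logged too; they are the interesting ones in a review.
            self._audit(session.user_id, action, record_id, "denied: automatic logoff", now)
            raise PermissionError("session idle longer than %d s" % IDLE_TIMEOUT_SECONDS)
        session.last_activity = now

    def put(self, session: Session, record_id: str, record: dict, now: float) -> None:
        self._check_session(session, "write", record_id, now)
        self._records[record_id] = {"data": dict(record), "tag": seal(record)}
        self._audit(session.user_id, "write", record_id, "ok", now)

    def get(self, session: Session, record_id: str, now: float) -> dict:
        self._check_session(session, "read", record_id, now)
        entry = self._records[record_id]
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(seal(entry["data"]), entry["tag"]):
            self._audit(session.user_id, "read", record_id, "integrity failure", now)
            raise ValueError("stored ePHI does not match its integrity tag")
        self._audit(session.user_id, "read", record_id, "ok", now)
        return dict(entry["data"])


if __name__ == "__main__":
    # Constructed sample data; not a real patient record.
    store = PhiStore()
    clinician = Session(user_id="clinician-17", last_activity=0.0)
    store.put(clinician, "rec-1", {"patient": "P-001", "note": "example"}, now=10.0)
    print(store.get(clinician, "rec-1", now=100.0))
    try:
        store.get(clinician, "rec-1", now=100.0 + IDLE_TIMEOUT_SECONDS + 1)
    except PermissionError as exc:
        print("auto-logoff:", exc)
    for event in store.audit_log:
        print(event)
```

The audit log here is an in-memory list for clarity; in a real deployment it would be append-only, written somewhere the application's own database account cannot alter, and reviewed as part of the Information System Activity Review under the Administrative Safeguards. The HMAC is one integrity mechanism among several (signed records, authenticated encryption at rest); what matters for the safeguard is that an alteration is detected before the data is relied on, and that the detection itself is recorded.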