DiversityNursing Blog

Health Devices and Apps Outpace Privacy Protections

Posted by Pat Magrath

Thu, Jul 21, 2016 @ 10:59 AM

Are you wearing a Fitbit or another device that tracks your daily steps, sleep and other information? Have you ever wondered who else might have access to your data? I’ve been wearing a Fitbit for close to 2 years and I love it, but I never thought about my privacy regarding the information it tracks and who else might have access to details like my weight, height, age and how physically active I am. Should these devices adhere to HIPAA protections? Do you care? Please share your thoughts with us.

The federal patient privacy law known as HIPAA has not kept pace with wearable fitness trackers, mobile health apps and online patient communities, leaving a gaping hole in regulations that needs to be filled, according to a much-delayed government report released today.

The report, which was supposed to be complete in 2010, does not include specific recommendations for fixing the problem, even though Congress asked the U.S. Department of Health and Human Services to provide them.

HHS’ findings largely mirror those in a ProPublica story from last November. The Health Insurance Portability and Accountability Act, the landmark 1996 patient-privacy law, only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners. Falling outside the law’s purview: wearables like Fitbit that measure steps and sleep, at-home paternity tests, social media sites, and online repositories where individuals can store their health records.

“Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” said the report written by HHS’ Office of the National Coordinator for Health Information Technology, in conjunction with other agencies. “Moreover, even entrepreneurs, particularly those outside the health care industry … may not have a clear understanding of where HIPAA oversight begins and ends.”

The report was mandated under a 2009 law that called on HHS to work with the Federal Trade Commission — which targets unfair business practices and identity theft — and to submit recommendations to Congress within a year on how to deal with entities handling health information that fall outside of HIPAA. Asked why the report did not include any recommendations, an official said readers could draw their own conclusions from the findings.

“At the end of the day, it’s a very complicated environment that we find ourselves in,” said Lucia Savage, chief privacy officer at the Office of the National Coordinator for Health Information Technology, which took the lead on the report. “We believe we’re fulfilling our duties. If Congress has concerns about that, I’m sure that we will hear about them.”

In 2013, the Privacy Rights Clearinghouse studied 43 free and paid health and fitness apps. The group found that some did not provide a link to a privacy policy and that many with a policy did not accurately describe how the apps transmitted information. For instance, many apps connected to third-party websites without users’ knowledge and sent data in unencrypted ways that potentially exposed personal information.

Paul Stephens, the group’s director of policy and advocacy, said the issue has grown more urgent in recent years as employers give workers incentives to log their activities on mobile apps as part of wellness programs. “It goes beyond someone voluntarily saying I want this app,” Stephens said. “There are basically going to be financial incentives to use the app.”

Stephens also said many people do not read an app’s privacy policy, leaving them open to having their information used in myriad ways.

The new report pointed to a number of major differences between information covered by HIPAA — your medical records, for instance — and data that’s not. Among them:

  • Under HIPAA, patients are entitled to copies of their health records. Companies that make trackers and apps “are not obligated by a statute or regulation to provide individuals with access to data about themselves.”
  • HIPAA delineates to whom and for what purpose a health provider may share a patient’s health information and limits the use of personal health information for marketing. People who have provided information to companies that fall outside the law “likely will not enjoy the same protections against unwanted marketing unless the data collector has promised in its terms of use not to use data for marketing and does not change its terms of use.”
  • HIPAA rules require tight security over personal health information. Apps and wearables may not have the same protections.
  • HIPAA requires understandable privacy policies and notices. Outside the law, those may not exist.

In addition, several federal agencies have a role in regulating privacy, new technology and consumer protections. The HHS Office for Civil Rights enforces HIPAA; the FTC acts against deceptive or unfair trade practices; and the Office of the National Coordinator encourages adoption of health information technology.

A 2014 study looked at 600 of the most commonly used health apps and found that fewer than a third had privacy policies. And for those that did, you’d have to have the reading level of a college senior to understand them, the HHS report said. Policies on Apple and Google mobile phone platforms “may be inconsistent, not articulated to individuals, or simply ignored by web developers skirting the rules that operating system developers attempt to impose on them.”

Attempts to fix the problem through voluntary efforts do not appear to be working. In 2015, the Consumer Electronics Association issued a set of “Guiding Principles on the Privacy and Security of Personal Wellness Data.”

“These guidelines can be adopted by companies, but are not required of CEA members,” today’s report said. “As of July 2016, we have been unable to identify any companies that have adopted the guidelines.”

The report offers no suggestions to change that, either.

Related Article: How Health Apps Will Change Nursing


Topics: HIPAA, health apps, medical apps

Nurses and Facebook: What You Need to Know

Posted by Alycia Sullivan

Mon, Mar 17, 2014 @ 12:24 PM

by Danielle Logacho

Let’s say you’re a nurse at a local hospital. For the past several weeks, you’ve been caring for a young boy who needs a heart transplant.

One day, you learn that a donor organ has become available. You are elated – and you decide to share the news on your Facebook page.

“Great news! A new heart has been found for my five-year-old patient at Children’s. Be brave, Aiden – we’re all rooting for you!”

Good idea? Not really.

That’s because a post like this – while well intentioned – is a breach of confidentiality. There’s enough information here to identify the patient, his condition and the hospital where he is receiving treatment. Put it all together, and you’ve got yourself a HIPAA violation.

The truth is, there can be real consequences to nurses’ irresponsible use of social media. State boards of nursing may investigate reports of inappropriate disclosures on Facebook and other social media sites. If the allegations are found to be true, nurses can face reprimands, sanctions, fines, or temporary or permanent loss of their nursing license.

Many organizations have social media policies that govern employees’ use of social media, even if it’s for personal purposes. If yours is one of them, be sure to read and understand the guidelines.

Even if your employer does not have a specific policy, the main rule of thumb should be familiar to you: as a nurse, you have the legal and ethical obligation to maintain patient privacy and confidentiality.

The Health Insurance Portability and Accountability Act (HIPAA) specifically defines “identifiable information” and when and how it can be used. Such identifiable information could cover the past, present or future health of a patient, or it could be something that would lead someone to believe that it could be used to identify a patient. Brush up on your understanding of HIPAA.

How do you avoid problems? Do you need to stop using Facebook altogether if you’re a nurse? No, but you do need to be careful. Here are a few general guidelines:

- Simply put: Don’t reveal any personal health information about your patients in your posts. (And don’t think that it’s OK if you reveal their details but give them a fake name.)

- Don’t post any photos of your patients, even if they are cute kids. Photos are specifically called out in HIPAA as identifiable information.

- Maintain professional boundaries, even online. Friending your patients or patients’ families is, in most cases, a no-no. The Mayo Clinic’s guidelines for employees say, “Staff in patient care roles generally should not initiate or accept friend requests except in unusual circumstances such as the situation where an in-person friendship pre-dates the treatment relationship.”

- Don’t rely on privacy settings. No matter how meticulous you are about privacy settings, there’s no guarantee that a friend won’t like your post so much that she takes a screenshot and posts your “private” message elsewhere.

- Remember that anything online will be there forever, even if you delete it. Someone may have taken a screenshot before you took your post down. If you are under investigation, your posts can be still found on servers.

For more information, read A Nurse’s Guide to the Use of Social Media from the National Council of State Boards of Nursing.


These guidelines are for informational purposes only and are not legal advice.


References

National Council of State Boards of Nursing. (2011). A Nurse’s Guide to the Use of Social Media [Brochure]. Retrieved from https://www.ncsbn.org/NCSBN_SocialMedia.pdf

Pagana, K. (2014, January 21). Facebook: Know the Policy Before Posting [Webinar]. In Nurse.com Continuing Education series. Retrieved from http://ce.nurse.com/course/ce630/facebook/.

Source: Chamberlain College of Nursing

Topics: nursing, social media, Facebook, HIPAA, caution
