PRIVACY & SECURITY
Regulatory Patchwork: Mobile Health
Anna Watterson, Davis Wright Tremaine, LLP

Overview
- When HIPAA applies to mobile apps
- When the FTC has jurisdiction over mobile apps
- Other considerations: FDA mobile device regulations and guidance, children's privacy laws, financial privacy laws, international data protection laws, and state privacy and data security laws
- Privacy practices and privacy policies
- Data security for mobile apps and devices

HIPAA: Who's Covered? Who's Not Covered?
- Covered: Covered Entities; Business Associates
- Not covered: Consumers; entities that do not fall within the HIPAA definition of covered entity or business associate
HIPAA Hot Potato
The same claims data moves in and out of HIPAA as it changes hands:
- Claims data held by a health plan (covered by HIPAA)
- -> downloaded to an individual's phone (not subject to HIPAA)
- -> uploaded to a health app (possibly subject to HIPAA)
- -> sent to the individual's health care provider (covered by HIPAA)

FTC Authority
Section 5 of the FTC Act broadly prohibits "unfair or deceptive acts or practices in or affecting commerce."
- Deception: a material representation or omission that is likely to mislead consumers acting reasonably under the circumstances
- Unfairness: a practice that causes or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers
BUT: limited jurisdiction
FTC Cautionary Tales
- Is your app collecting date of birth? If so, do you have an effective age-gate?
- Is your app collecting unique device identifiers and precise GPS location?
- Is your app employing an analytics service that tracks location info?
- Are you overselling or making promises that aren't 100% true (e.g., don't say something can be deleted forever if there are ways it could be retained without the user's consent)?
- Does the app validate SSL certificates and adhere to other applicable industry standards?
- Does the app obtain appropriate permissions before accessing certain data stored on the user's phone or certain functionality (e.g., access to the camera)?

PaymentsMD
- PaymentsMD provided billing services to medical providers; patients could pay bills through the PaymentsMD website.
- PaymentsMD launched a free Patient Portal where consumers could view their billing history.
- PaymentsMD then launched Patient Health Report, where consumers could access, review, and manage their health records.
- According to the FTC, PaymentsMD tried to obtain the sensitive health information of consumers registering for the Patient Portal from health insurance plans, pharmacies, and a medical testing lab, without appropriate authorization from those consumers.
- "[M]any consumers registering for the Patient Portal had no idea that respondent would seek to collect their sensitive health information from third parties."
- PaymentsMD did require individual authorizations, BUT the FTC alleged that the authorizations were hard to read and that offering a single check-box option for all four authorizations made them easy to skip over
- The allegations: deceptive omission; deceptive representation
- The result: prohibited from engaging in the behavior at issue; required to delete or destroy the data; notification to the FTC required prior to certain corporate changes; FTC order in effect for 20 years; among other things

Personal Health Record (PHR)
The FTC defines a personal health record as "an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual."
- PHR Breach Notification Requirements
- ONC Model Notice of Privacy Practices
PHR Model Notice of Privacy Practices
- Voluntary standardized template
- Modeled after standard notices such as the FDA Nutrition Facts label and the financial industry model notice
- Goal is to "provide[] a uniform and easy-to-understand approach for PHR companies to be transparent about certain key privacy and security issues"
- Much like a soup can label, it requires transparency about the practices (the "ingredients") but does not specify the practices that must be followed.
- http://www.healthit.gov/policy-researchersimplementers/personal-health-record-phr-model-privacy-notice

Other Considerations
- State law (particularly California)
- International data protection laws
- FDA Mobile Medical Applications guidance (updated guidance issued Feb. 9, 2015)
- COPPA requirements
- Gramm-Leach-Bliley Act
- New proposed legislation: Consumer Privacy Bill of Rights

Privacy Practices
FTC Report: Protecting Consumer Privacy in an Era of Rapid Change
Calls on companies handling consumer data to implement recommendations for protecting privacy, including:
- Privacy by Design: build in privacy protections at every stage of development.
- Simplified Choice for Businesses and Consumers: give consumers control over what information is shared about them, and with whom.
- Greater Transparency: disclose details about collection and use of consumers' information; provide consumers access to the data collected about them.

Privacy by Design: 7 Foundational Principles
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum
5. End-to-End Security: Full Lifecycle Protection
6. Visibility and Transparency: Keep it Open
7. Respect for User Privacy: Keep it User-Centric

Fair Information Practice Principles (FIPPs)
- Transparency
- Individual Participation
- Purpose Specification
- Data Minimization
- Use Limitation
- Data Quality and Integrity
- Security
- Accountability and Auditing
FTC Recommendations to Build Trust in the Mobile Marketplace
- Provide timely, easy-to-understand disclosures
- Apps should have an easily accessible privacy policy
- Apps should provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information
- App developers should understand what data is collected by third parties (such as analytics or advertising companies) and how that data is used and shared
- App developers should consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.
- "[C]onsumers should have to actively consent before apps are allowed to access 'sensitive' information such as geolocation, contacts, photos or media recordings."

FTC Guidelines for Financial Privacy Notices
Does your financial privacy notice...
- use legal jargon?
- give new meaning to "dense, indecipherable text"?
- contain lengthy, unnecessarily complex sentences with convoluted clauses, multiple punctuation marks, and incomprehensible polysyllabic verbiage?
Was your notice...
- "borrowed" from another company without regard for your privacy practices or your customers' concerns or needs?

Security Requirements
- Does HIPAA apply? If so, implement the HIPAA Security Rule requirements
- Implement reasonable and appropriate security; consider the FTC's data-security-related enforcement actions
- Consider state data security requirements
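The FTC data security actions referred to above, and the cautionary question earlier in the deck about whether an app validates SSL certificates, come down to one configuration decision in the app's TLS client. The following is an added example, not code from the deck or from any of the companies it mentions: the weak client configuration beside the corrected one, and a small audit function that flags the weak settings. It uses only Python's standard `ssl` module; the function names and the `cafile` path are this example's own.

```python
"""Certificate validation in an app's TLS client: the weak configuration
beside the corrected one, plus a check that flags the weak one.

Added example, not from the original deck. Function names are the
example's own; only the Python standard library is used.
"""
import ssl


def secure_client_context() -> ssl.SSLContext:
    """What an app should use: the platform trust store, full chain
    validation, hostname checking, and TLS 1.2 or newer."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def private_ca_client_context(cafile: str) -> ssl.SSLContext:
    """The right fix when a test or internal server uses a private CA:
    trust that CA explicitly instead of switching validation off.
    `cafile` is a hypothetical path supplied by the caller."""
    ctx = secure_client_context()
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: 'it did not work against staging, so we turned
    validation off'. Any on-path attacker can now present any certificate
    and read or alter the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a client context.
    An empty list means the context validates the peer properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: server certificate chain is not "
                        "validated (CERT_NONE or CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("check_hostname: certificate is not matched "
                        "against the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version: TLS 1.0/1.1 still negotiable")
    return findings


if __name__ == "__main__":
    for name, ctx in (("secure", secure_client_context()),
                      ("insecure", insecure_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The insecure pattern is usually introduced to make a staging server with a self-signed certificate work; `private_ca_client_context` shows the alternative that keeps validation on. In a code review, the `verify_mode`/`check_hostname` pair (or its Android/iOS equivalents, a trust-all `TrustManager` or an `NSURLSession` delegate that accepts any challenge) is the thing to grep for before release.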
HIPAA Security Rule
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity or business associate creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated: (1) threats or hazards to the security or integrity of such information; and (2) uses or disclosures not permitted by the HIPAA Rules.
- 3 sets of safeguards (Administrative, Physical, Technical), implemented through standards and "required" and "addressable" implementation specifications
- Addressable does not mean optional: an addressable specification must be implemented if reasonable and appropriate; otherwise the entity must document why not and implement an equivalent alternative measure where reasonable and appropriate

Risk Analysis and Risk Management
- Risk Analysis: assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  - Have you identified all ePHI within your organization?
  - What are the threats (human, natural, and environmental) to, and vulnerabilities (technical and non-technical) of, the information systems (devices or media) that contain ePHI?
  - Risk = Threat x Vulnerability x Likelihood x Impact
- Risk Management: implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

Administrative Safeguards
- Security Management Process: Risk Analysis, Risk Management, Sanctions Policy, Information System Activity Review
- Assigned Security Responsibility
- Workforce Security: Authorization/Supervision, Clearance, Termination
- Information Access Management: Access Authorization, Access Establishment and Modification
- Security Awareness and Training
- Security Incident Procedures: Response and Reporting
- Contingency Plan: Backup, Recovery, Emergency plans
- Periodic Evaluation
- Business Associate Agreements
Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls: Disposal, Media Re-use, Accountability, Data Backup and Storage

Technical Safeguards
- Access Control: Unique User Identification, Emergency Access Procedure, Automatic Logoff, Encryption and Decryption
- Audit Controls
- Person or Entity Authentication
- Integrity: Mechanism to Authenticate Electronic Protected Health Information
- Transmission Security: Integrity Controls, Encryption

Mobile App Security
- Adopt and maintain reasonable data security practices. The FTC doesn't prescribe a one-size-fits-all approach.
- Consider the amount and type of data the app collects, and how such data will be used and shared, to determine the appropriate security posture.
- Consider where the information collected is stored
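Two of the technical safeguards listed above, the integrity "mechanism to authenticate ePHI" and audit controls built on unique user identification, are concrete enough to show in code. The following is an added example, not code from the deck or from any HIPAA guidance: an HMAC-SHA256 tag over each ePHI record so that unauthorized alteration is detected, and a hash-chained audit log in which every entry names the user. The key, record layout, user IDs and patient data are constructed for the demonstration; only the Python standard library is used.

```python
"""Two HIPAA technical safeguards in working form: an integrity mechanism
that authenticates an ePHI record (detects unauthorized alteration) and a
tamper-evident audit log whose entries each carry a unique user ID.

Added example, not from the original deck. Key, record layout and sample
data are constructed for the demo; only the standard library is used.
"""
import hashlib
import hmac
import json
import time


def demo_key() -> bytes:
    # Constructed demo key. In a real system the key comes from a keystore
    # or KMS and is never derived from a string in source code.
    return hashlib.sha256(b"demo-integrity-key").digest()


def canonical(obj: dict) -> bytes:
    """Stable byte encoding so identical content always yields the same MAC."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes) -> dict:
    """Integrity: attach an HMAC-SHA256 tag computed over the ePHI record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify_record(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; False on any change."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Audit controls: each entry records who (unique user ID) did what to
    which record, and is hash-chained to the previous entry so that editing
    or deleting an earlier entry breaks every hash after it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, user_id: str, action: str, record_id: str,
               outcome: str, ts: float = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            "user_id": user_id,
            "action": action,
            "record_id": record_id,
            "outcome": outcome,
            "prev": prev,
        }
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry's hash and back-link are intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Run both checks against constructed data and report the outcomes."""
    key = demo_key()
    sealed = seal_record({"patient_id": "P-0001", "dx": "E11.9"}, key)  # constructed
    intact = verify_record(sealed, key)
    sealed["record"]["dx"] = "E10.9"            # alteration without re-sealing
    altered_detected = not verify_record(sealed, key)

    log = AuditLog()
    log.append("u-alice", "read", "P-0001", "success", ts=1.0)
    log.append("u-bob", "update", "P-0001", "success", ts=2.0)
    chain_ok = log.verify_chain()
    log.entries[0]["user_id"] = "u-mallory"     # rewriting history
    tamper_detected = not log.verify_chain()

    return {"record_intact": intact, "altered_detected": altered_detected,
            "chain_ok": chain_ok, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner will raise: a hash chain alone only detects tampering by someone who cannot rewrite the whole tail of the log, so the latest hash needs an anchor the application cannot silently change (a periodic signature with a key the app does not hold, or a copy written to append-only storage), and the HMAC key must live outside the data store it protects. On a phone, that is the platform keystore rather than app-private files.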