One reason consumers, healthcare providers, investors, the government and others have been slow to adopt mobile health applications and software (apps) is concern about the privacy and security of data collected through the apps. For instance, Appthority, a service provider that offers an app risk management solution, recently reported that the iPharmacy Drug Guide and Pill ID app “is playing fast and loose with your personal info” (www.appthority.com/news/mobile-threat-monday-android-app-leaks-your-medical-info-online). iPharmacy is a free app that provides reminders and allows consumers to maintain a personal health record of their prescription drugs, look up information on a drug, and maintain pharmacy discount cards.
Covered Entities Cautioned Regarding Use of Business Associates
On July 8, 2013, health insurer WellPoint, Inc. entered into a Resolution Agreement with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS), agreeing to pay HHS $1.7 million to resolve an HHS complaint regarding violations of the HIPAA Privacy and Security Rules during the period of October 23, 2009, through March 7, 2010. WellPoint reported a breach of electronic protected health information (ePHI) on June 18, 2010, leading to an HHS investigation that commenced on September 9, 2010.
The WellPoint matter serves as a reminder to HIPAA-covered entities and subcontractors that are business associates to comply with the HIPAA Security Rule and to prudently oversee the services provided by these business associates.
We live in the data age, where every day a new technology is announced in business- and consumer-oriented ecommerce and mobile health (mHealth). In response, in recent years, federal and state legislators have enacted strict data privacy and security laws, such as HIPAA, COPPA, and Gramm-Leach-Bliley, to protect data whether in electronic (IT) or physical form. This data is known as protected health information (PHI) under HIPAA and personally identifiable information (PII) under other statutes. New federal and state laws also mandate comprehensive data breach responses, including notifications to individuals whose PHI or PII was breached and to some agencies and state attorneys general. The shared premise behind these laws is that the public expects the highest standard of data protection from businesses and government. (Whether or not this is true – after all we regularly give our credit card numbers to anonymous persons over the phone – is a subject for another day…)