The holidays are a time of great gains… around waistlines everywhere. Perhaps it’s no coincidence that many people pledge to lose weight, get in shape, and take control of their health in the new year. Many of them will rely on technology to help them in the effort. Wearable fitness gear, like that from industry leaders FitBit or Garmin, and smartphone apps meant to track exercise and food intake, are excellent tools for helping you stay on track, keep to your diet, and lose those extra pounds.
But they are also vulnerable to data breaches.
In early 2018, the online fitness app MyFitnessPal, owned by sports apparel giant Under Armour, suffered a data breach that exposed the data of as many as 150 million users. According to Forbes, the data was offered for sale on the dark web a year later. The asking price: $20,000 in bitcoin. A class-action lawsuit related to the data breach was referred to arbitration in May 2019.
In February 2019, fitness app 8Fit announced a security breach that affected approximately 20 million users. Though the company said that no credit card numbers, Social Security numbers, or private message contents were taken, it encouraged users to change their passwords and to avoid opening attachments from, or responding to, any suspicious emails. More troubling about the breach: it had occurred a full six months before 8Fit became aware of it.
These are just two examples of a problem that grows with the spread of mobile apps and wearable technology. Security measures have not always kept pace with the volume of data that app users and fitness tracker wearers hand over to their providers, usually without thinking about the consequences.
In the breaches above, fortunately, no medically sensitive data was exposed. But as more health care applications become available for a variety of common conditions, such as diabetes, insomnia, and substance abuse, the information collected and transmitted by the apps and wearables could fall under HIPAA (the Health Insurance Portability and Accountability Act). Developers must be aware of, and prepared for, the security requirements the federal law imposes.
The key, under Health and Human Services (HHS) guidance, is whether the patient voluntarily and independently chooses to use the app or wearable to receive or transmit electronic protected health information (ePHI) from or to a HIPAA-covered health care entity. If that is the case, the covered entity is not liable under HIPAA for what the app subsequently does with that data.
“If, on the other hand,” HHS tells us, “the app was developed for, or provided by or on behalf of the covered entity — and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity — the covered entity could be liable under the HIPAA rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer.”
App Developer Impact
So, if a health care provider directs the patient to use an app or wearable to transmit ePHI to the provider, the responsibility to keep the data secure belongs to the provider. And if the app developer built the app for or on behalf of the provider, and creates, receives, maintains, or transmits ePHI in doing so, the developer is a business associate of the provider and can bear liability under HIPAA in its own right.
This is an important consideration for software, firmware, app, and wearable developers focusing on health care. If handling patient data is not necessary to the project, design the product so that it never creates, receives, maintains, or transmits ePHI on a provider's behalf.
On the other hand, if handling ePHI is necessary for any reason, the entire project should undergo a thorough HIPAA compliance review. Expect the provider to require a business associate agreement (BAA), and expect to show the administrative, physical, and technical safeguards the HIPAA Security Rule requires, starting with a documented risk analysis.
Any developer not completely familiar with HIPAA requirements should seek qualified advice from security consultants fully trained in the current HIPAA standards for data protection. The cost of that expertise and guidance, and of any security engineering work it calls for during development, is a small but important investment that protects the company, its partners, and patients down the road.