Mobile Health Apps Need a Security Check-Up

Ken Blackwell is Senior Fellow for Human Rights and Constitutional Governance at Family Research Council. This article appeared on on December 9, 2021.

The age of mask and vaccine mandates has sparked important conversations about what employers, businesses and our government can ask about our personal health decisions. These discussions often reveal widespread misconceptions about who is responsible for keeping that information confidential and secure. Clarity on this issue is of utmost importance for consumers, especially with the rise of smartphone apps hungry for health data.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created national standards for protecting individuals’ health information. Many people assume the law applies to any entity that might request or handle health information. In fact, the law only requires “covered entities” to protect patient privacy and security while they share information to provide high-quality care. Covered entities include health care providers, insurers, healthcare clearinghouses and “business associates” such as electronic health record developers and other organizations that serve covered entities. 

Health data that would be HIPAA-protected in the hands of healthcare companies can be used for any purpose, without federal privacy and security protections, when it is collected by big tech companies. Understanding this distinction is critical for privacy-conscious consumers amid the growing trend of health-related apps. 

The risk to consumers is real. On two separate occasions this year alone, the cybersecurity company Approov has reported on major security vulnerabilities affecting dozens of apps with millions of users. In February, Approov tested 30 mobile health apps covering 23 million users and found all of them to be vulnerable to hacking. In October, Approov was able to access more than 4 million patient and clinician records through the vulnerabilities.

Personal health data is extremely attractive to hackers because of the value of a real, full medical record to bad actors. Health records can fetch prices 1,000 times higher than a Social Security number and 200 times higher than a credit card number, according to Experian. A hacked medical record can be worth as much as a stolen passport on the dark web. 

Even if it’s not stolen by hackers, health data that is not protected by HIPAA can be used and sold in ways patients never intended. We may be comfortable giving fitness trackers and other apps access to our personal data to alert us to health risks, remind us to take our medication, or even share important information with loved ones. But do we want Big Tech companies using that data to sell us advertising based on our private medical conditions or decisions or profile us for potential future employers, life insurers, or lenders?

It’s past time to close the “covered entity” loophole, especially since new regulations issued by the U.S. Department of Health and Human Services mandates health care organizations to share health data with app companies and big tech if they say they’re acting on a patient’s behalf. When health information moves from their electronic health record to a Big Tech firm, patients should be informed that their data is transferring from an entity that is required to protect their data and use it for certain purposes to a company that is not. Burying a disclaimer and broad data use rights in dense terms and conditions shouldn’t count. 

Better yet, the legislative and regulatory landscape needs to catch up with the technological advances in the 25 years since HIPAA became law. The Federal Trade Commission already views apps that handle health data as healthcare companies. In November the FTC told app makers to comply with the Health Breach Notifications Rules governing how and when healthcare companies must alert consumers to a data breach. 

The rest of the regulatory landscape should follow the FTC’s lead and Congress should update HIPAA for the mobile app age. Health apps that access and function as digital health records should be treated as such, and they should be required to protect users' privacy and secure their data to the same standard as providers, insurers, and other healthcare companies.