
New framework aims to secure digital health apps not covered by HIPAA

Several healthcare groups issued a new framework to address the privacy and security risks posed by digital health tools and health apps that fall outside of HIPAA regulation. (Photo credit: "NEC-Medical-137" by NEC Corporation of America is marked with CC BY 2.0.)

A new framework developed and released by several healthcare stakeholder groups takes aim at securing digital health technologies and mobile health apps, the vast majority of which fall outside of regulation under the Health Insurance Portability and Accountability Act (HIPAA).

Developed in partnership between the American College of Physicians (ACP), the American Telemedicine Association (ATA), and the Organization for the Review of Care and Health Applications (ORCHA), the U.S. framework is meant to support both healthcare professionals and consumers.

The open Digital Health Assessment Framework is accessible for anyone to use and is meant to support the adoption of high-quality digital health technologies, while helping healthcare leaders and patients make more informed decisions about the digital health tools best suited to their unique needs.

“Digital health technologies can offer safe, effective, and engaging access to personalized health and support, and provide more convenient care, improve patient and provider satisfaction, and achieve better clinical outcomes,” said Ann Mond Johnson, ATA CEO, in a statement.

“Our goal is to provide confidence that the health and wellness tools reviewed in this framework meet quality, privacy and clinical assurance criteria in the U.S.,” she added.

Many health apps share data with third parties, vulnerable to cyberattacks

More than 86 million U.S. consumers use a health or fitness app; such apps are lauded for helping patients maintain their health outside of the provider's office. However, any health app not recommended for use by a healthcare provider falls outside the purview of HIPAA.

The trouble is that the data overwhelmingly shows app developers engaging in less-than-transparent practices that put patient privacy at risk.

In April 2019, a study published in JAMA found that the majority of health apps share data with third parties, but only a handful disclosed the practice to consumers in their privacy policies. The finding was based on a cross-sectional assessment of the top-ranked apps for depression and smoking cessation in the U.S. and Australia.

While most of the examined apps were upfront about the primary use of their data, only 16 of the apps disclosed the secondary uses for which data was shared. The same study showed that nearly half of the apps transmitted data to a third party but lacked a privacy policy, and five apps failed to disclose the practice in their policy text.

In more than 80% of cases, the data was shared with Google and Facebook for marketing purposes.

Another study, published in BMJ in March 2019, found that the majority of the top 24 medicine-management Android health apps in North America shared user data without clearly telling consumers about the practice.

In 2021, a Knight Ink and Approov study found that the 30 most popular mHealth apps are highly vulnerable to API attacks, which could expose health data.

The Federal Trade Commission has previously announced that it would use its health breach rule to enforce against flagrant consumer privacy violations, but only a handful of app developers have been found in violation.

The new framework from ACP, ATA, and ORCHA is meant to help the healthcare sector better understand the safety of these products. As noted in its release: “In a field of 365,000 products, where the vast majority fall outside of existing regulations, such as the medical device regulations, federal laws and government guidance, there has been no clear way to determine if a product is safe to use.”

The lack of guidance is hindering the adoption of digital health, including condition management, clinical risk assessment, and decision support.

The new framework addresses these privacy and security components, as well as clinical assurance, patient safety, and usability. The health groups noted that the insights were crafted to complement the guidance and regulations currently in use for digital health technology in the U.S.

The groups hope the guide can support the further adoption of digital health technologies.

For ACP President Ryan D. Mire, MD, the guide is an important step toward identifying and developing digital health tools that provide value while maintaining patient safety. The guidance was crafted from the clinical expertise of ACP and ATA members, in tandem with ORCHA’s experience with app assessments.

Along with the new framework, ACP announced a pilot test of digital health tools that were reviewed against it. Mire added that the hope is that the pilot can help determine which elements are most useful for providers recommending high-value digital health tools to patients, and identify potential barriers to wider digital health adoption.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
