Health Apps and Information Blocking: What You Need to Know

Health apps and medical wearables are surging in both innovation and popularity. What does this mean for the regulation of health information?

Here we will explore what the trends are for health apps and wearables, the regulations and coverage of these technologies, cybersecurity and privacy risks associated with health apps and wearables, and the impacts of both on compliance with the Information Blocking Rule.

Health Apps and Medical Wearables Boom!

Currently, there are over 150,000 mobile apps for managing health conditions. By 2031, wearable medical technologies (like glucose monitors and smartwatches with health information) are projected to be a $132.5 billion industry. We are going to see massive growth in ways for patients and their providers to screen, assess, monitor and manage their health.

For example, on the market now are apps and wearables like:

Regulation and Coverage of Apps and Wearables

As health apps and wearables are becoming more popular and useful, they are increasingly both regulated and covered as health interventions. In order for an app or wearable to receive FDA approval as a medical device, it must interpret or analyze clinical laboratory tests, medical images, or other medical device data and results; so not all health and fitness apps count as medical devices.

Some app developers are finding ways around needing FDA approval, like the aforementioned Signos, which includes a continuous glucose monitor (CGM) and a mobile application that interprets the data from the CGM. Rather than acquire FDA approval for their app to integrate with the CGM, Signos is pursuing a large clinical trial that allows for that integration without FDA approval. This workaround of the traditional process, in which the FDA can evaluate whether the benefits of a device outweigh the risks, has people raising eyebrows and concern that other technologies might try to make the same move, potentially putting people’s health and health information at risk.

Cybersecurity and Privacy Concerns

According to a 2021 study, 100% of health apps tested were vulnerable to attacks that compromised personal health information. Meanwhile, 87% of women’s health apps sell data to third parties.

The Federal Trade Commission (FTC) published a rule in 2009 regarding the privacy and security of health information, and clarified in 2021 that the Health Breach Notification rule applies to health apps. This rule requires vendors of personal healthcare records to notify both the FTC and consumers in the case of a breach of unsecured health information. Failure to report a breach can result in a penalty of $43,792 per violation per day.

So while the FTC’s Health Breach Notification rule is a step in the right direction towards ensuring the security of sensitive health information, not all health apps and wearables are subject to it. In order to be considered under the rule, the app or device has to not only pertain to health and contain health information, but it has to pull information from multiple sources, such as user input and an API. Only then does a breach (a disclosure of sensitive health information without the users’ authorization or a cybersecurity attack) fall under the conditions for necessary notification.

What Does This Mean for Information Blocking Compliance?

Information blocking, the practice of restricting access to health information through contractual limitations, excessive fees, or utilization of health IT that restricts the access, exchange, or use of medical information, is illegal under the 21st Century Cures Act.

As we explained in our webinar on information blocking, healthcare providers may be considered to be information blocking if they refuse to share a patient’s health information with a third party app of the patient’s choosing. While there are exceptions allowed within the information blocking rule, they are not always relevant or applicable to these apps.

The Office of the National Coordinator for Health Information Technology warns that any information about the security of an app must:

    1. Focus on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
    2. Be factually accurate, unbiased, objective, and not unfair or deceptive; and
    3. Be provided in a non-discriminatory manner.

With the boom in both health apps and medical wearables, how can providers comply with the information blocking rule and still educate patients and caregivers about the cybersecurity and privacy concerns with these technologies?

  • Make sure that your practice has policies and procedures in place that comply with information blocking regulations.
  • Stay up-to-date on new technologies and regulations. You can subscribe to our newsletter with updates about compliance in the footer below.
  • Although you can still issue the blanket this-app-is-not-covered-by-HIPAA disclaimer, it may behoove you to mention that it is covered by the breach notification rule.
    • You can recommend that your patients carefully read the permitted disclosures that they agree to when signing on to the app to ensure that the app meets their privacy and security needs.
    • Unlike HIPAA, under the FTC’s Health Breach Notification rule any disclosure that a patient agrees to is considered fair and lawful, even if the patient did not realize that they were agreeing to it.

Next Steps

  • Share this information with your practice colleagues.
  • If you’re not a MarsdenAdvisors client and you want hands-on, personalized information blocking compliance assistance, contact us and we will have your back.