It’s 2015 and you want to develop an app that will collect and leverage medical data. Great! However, you are unsure about the privacy requirements you will need to consider. And how do you make your app compliant with relevant laws? It’s not as easy, nor as difficult, as it sounds to find an answer. We’ve already done most of the research for you.
This blog post offers a comprehensive overview of the regulations you (might) need to take into consideration when working with medical data, but first let’s have a look at some background.
Please note that this article will only cover EU and US law. Looking to launch somewhere else? You will need to refer to the specific law of that country. Unfortunately there is no one-size-fits-all law.
The healthcare industry is pushing for devices that would allow doctors to collect physiological and fitness data about their patients outside of the doctor’s office. For example, Apple recently launched its HealthKit and ResearchKit platforms, which allow doctors to collect real-time data from iPhones and other Apple devices. IBM also announced the launch of its Watson Health global analytics cloud, which should provide a tool for analyzing healthcare data.
Here are the main questions you will need to answer when developing an app that collects medical data:
1. Do you know if you are collecting personal medical information in the app you are building?
Protected health information is defined as any individually identifiable health information that is transmitted or maintained in any form or medium, is held by a covered entity or its business associates, and identifies the individual or offers a reasonable basis for identification. Examples of information that is created or received in this way include: information your doctors, nurses and other health care providers put in your medical record; conversations your doctor has about your care or treatment with nurses and others; and information about you in your health insurer’s computer system.
Personal data is defined as any information relating to an identified or identifiable natural person (data subject):
“an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.”
Sensitive personal data is further defined as data whose processing has a more profound impact on the individual’s right to privacy; this includes health information.
2. Where are my end-users located?
The question here is not about where your company is based but rather about where your end-users will use your application, as the requirements will differ between regions.
a) My end-users are US based
You may need to comply with HIPAA and HITECH
You may need to comply with GINA
You may need to comply with COPPA
b) My end-users are EU based*
You will need to comply with the EU Data Protection Directive 95/46/EC and any additional national legislation, which may add further requirements.
*Why does this still apply to you if you are a US based company? The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU citizens would process some personal data and would be using equipment in the EU to process the data (i.e. the customer’s computer). As a consequence, the website operator would have to comply with the European data protection rules.
3. Are you covered by the law?
a) EU Data Protection Directive 95/46/EC
The directive applies to organizations acting as data controllers that are established in an EU member state, or, where there is no such establishment, that make use of data processing equipment on the territory of a member state.
The concept that I find the most relevant is the one of processing. The definition of processing is:
“any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”
The concept of processing is therefore very wide. For example, if you collect data but never use it, you will still need to abide by the law.
b) HIPAA and HITECH
Defining whether you must abide by HIPAA may not be straightforward.
However, note that it covers covered entities and business associates only. This means that it does not apply to, for example, a doctor who only accepts cash or credit cards and does not bill insurance, nor to someone browsing a healthcare website or buying a book on healthcare in a bookstore.
c) GINA
Are you an employer (of more than 15 employees) or a health insurance provider? More information here.
d) COPPA
Do you operate a commercial website? Will you also collect children’s personal information? More information here.
You can find additional information on the COPPA Safe Harbor Program here.
4. Should my approach be limited to implementing legal requirements?
In order to answer this question it is important to understand why the law exists.
Why the EU directive exists
A rapid increase in the field of electronic data processing and the appearance of large mainframe computers in both the public and private sectors provided major advantages to organisations in terms of efficiency and commercial productivity. At the same time, these developments had the potential to undermine individual human rights and privacy. There was a need to harmonize the internal market provision (“free movement of goods, persons, services and capital”), which cannot take place without the free movement of personal data, with consistent provisions to ensure the protection of individual privacy.
Why HIPAA exists
HIPAA was not initially created to protect security and privacy, but was implemented with the goal of improving the efficiency of healthcare delivery.
Why HITECH exists
HITECH was enacted to promote the adoption and meaningful use of health information technology while addressing the impact on privacy of the expanded use of electronic health records.
Why GINA exists
Genetic testing before symptoms appear would allow individuals to take steps to reduce the likelihood of ultimately developing a disease. At the same time, such testing could create the risk of misusing that information for healthcare or employment. GINA prohibits discrimination on the basis of genetic predispositions in the absence of manifest symptoms.
Why COPPA exists
COPPA was enacted in response to a growing concern about the privacy of children using the Internet and the large amount of personally identifiable information they give out. This can affect both children and their families, and the information is often collected without parental knowledge or consent.
This article is not intended to provide a final answer on the laws you must consult while collecting medical data, but is meant to raise awareness of the complexity of the matter. However, the task shouldn’t be considered overwhelming and is straightforward enough if taken step by step.