Top 2020 Privacy Developments Relevant to Digital Health Apps
January 8, 2021, Covington Alert
For several years, mobile health and wellness applications (“digital health apps”) have grown in scale and popularity. A global pandemic in 2020 further accelerated the trend, with increased demand for remote monitoring and communication platforms, as well as new methods for wellness and disease prevention. In parallel, there were a number of important U.S. legal developments in 2020 relevant to the privacy frameworks applicable to digital health apps. In this client alert, we highlight some of the most important of these legal developments, many of which did not get much attention during 2020.
Confidentiality of Medical Information Act Enforcement
In a recent settlement, the California Attorney General (“AG”) alleged several Confidentiality of Medical Information Act (“CMIA”) violations against Glow, Inc. (“Glow”), a digital health app used by individuals for fertility tracking purposes.
In 2013, the CMIA was amended to treat as a “provider of health care” for purposes of its requirements an entity that:
“offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.” Cal. Civ. Code § 56.06(b).
Historically, enforcement of the CMIA against digital health apps has been limited, but the California AG’s settlement suggests the potential for broad application to digital health apps that maintain medical information.
In alleging that Glow was a “provider of health care” under the definition in this provision, the complaint emphasized that the app provided by Glow “collects and stores deeply sensitive personal and medical information related to a user’s menstruation, sexual activity, and fertility.” According to the complaint, the types of information collected by the app include “intimate details of [] sexual experiences and efforts to become pregnant.” Developers of digital health apps should carefully consider whether their apps may be subject to future enforcement actions under the CMIA. For more details on the settlement, see our blog post here.
California Privacy Rights Act
The California Privacy Rights Act (“CPRA”), a 2020 ballot initiative, affords users of digital health apps new rights over certain uses of health and other sensitive information that is not protected by the CMIA. Among the ways it amends the California Consumer Privacy Act (“CCPA”), the CPRA affords consumers special protections for “sensitive personal information,” which includes “personal information collected and analyzed concerning a consumer’s health” and “a consumer’s genetic data.”
The CPRA retains the CCPA’s exemptions for information already subject to regulation under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the CMIA, or certain clinical trial records. However, digital health app developers that do not meet such exemptions may need to provide additional rights to consumers with respect to their information. Most of the key terms of the CPRA will not go into effect until 2023, and many of the CPRA’s details will need to be clarified and refined through regulation. Additional information can be found in our blog post here.
Dinerstein v. Google
A recent putative class action complaint against Google, the University of Chicago, and the University of Chicago Medical Center (“Medical Center”) highlights the importance of carefully considering HIPAA compliance when digital health app offerings involve partnerships with covered entities subject to HIPAA. In the Dinerstein case, the plaintiff, a patient at the University of Chicago, alleged that the Medical Center—a HIPAA covered entity—shared several years of medical information with Google in a form apparently designed to constitute a “limited data set” for HIPAA purposes. (At least for purposes of the motion to dismiss, the court determined the information was not fully deidentified—and therefore was protected health information (“PHI”)—for purposes of HIPAA, because it included dates of service and potential identifiers in the unstructured notes accompanying the files, and because no expert determination of deidentification had been made.)
In exchange, Google planned to create machine learning tools to predict future health conditions. The district court found a prima facie case that the Medical Center violated HIPAA by selling the PHI to Google. In particular, the court’s analysis suggests a broad interpretation of a sale of PHI for HIPAA’s purposes. Indeed, the court reasoned that the Medical Center sold the PHI even though it did not receive any money from Google in exchange for the data. The court highlighted that the Medical Center received an in-kind exchange by receiving a license to use Google’s ultimate creation, and therefore received the requisite remuneration. Such an exchange, the court determined, went beyond the reasonable cost-based fee that HIPAA permits in its safe harbors even though the Medical Center could only use the license for internal purposes.
The district court ultimately dismissed the case because the plaintiff failed to sufficiently allege damages, and an appeal is pending. A future decision in this case may guide how digital health apps plan for and structure partnerships with covered entities.
Proposed Changes to HIPAA & Current Guidance
A proposed change to HIPAA may clarify that digital health apps can be used to fulfill a request to access PHI without rendering the digital health app a business associate subject to HIPAA (where the digital health app was not already subject to HIPAA). In December 2020, the U.S. Department of Health and Human Services (“HHS”) issued a proposed rule to modify the Standards for the Privacy of Individually Identifiable Health Information (“Privacy Rule”) promulgated under HIPAA, as amended. In relevant part, HHS proposed to revise a patient’s right to access her PHI under the Privacy Rule to address fulfillment of such right through use of a “personal health application” (i.e., an electronic application used by an individual to access certain electronic health information). The revisions would clarify that a request for access can be fulfilled by transmitting an electronic copy of an individual’s PHI to a personal health application, and HHS specifically stated that doing so would not render a personal health application (or its developer) a business associate, as long as the personal health application does not create, receive, maintain, or transmit PHI on behalf of a covered entity. More details can be found in our blog post here.
The HHS Office for Civil Rights published a new “Health Apps” feature on the HHS.gov website. The new website highlights and compiles existing guidance regarding HIPAA regulations that may be relevant to digital health apps. More information about this website can be found in our blog post here.
Cybersecurity Industry Practice Guide
New industry guidance may provide digital health app developers with helpful resources and best practices to ensure their products are equipped with sufficient cybersecurity measures moving forward. In 2020, the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence released its Draft Special Publication (SP) 1800-30, Securing Telehealth Remote Patient Monitoring Ecosystem Practice Guide (“Practice Guide”), which it developed in collaboration with industry partners. NIST sought public comments on the Practice Guide by the end of 2020, and those comments are still under review. When finalized, the Practice Guide will not have the force of law. Nonetheless, the Practice Guide will likely provide helpful insight into approaches industry partners have developed to address privacy and security risks that have arisen from the increased use of telehealth and patient monitoring.
Other Health Privacy Developments Relevant to Digital Health
COVID-related HIPAA Waivers and Enforcement Discretion
Regulators relaxed enforcement of certain HIPAA Privacy Rule violations during the public health crisis. Specifically, HHS announced that it would not impose penalties for good faith violations of several Privacy Rule provisions during the COVID-19 public health crisis. More details can be found in our blog posts here and here.
CCPA Exemption
In September 2020, the California legislature passed AB 713, a new healthcare-related exemption under the CCPA. Under the new exemption, information is not subject to the CCPA’s obligations if it is deidentified in accordance with the deidentification requirements in the HIPAA Privacy Rule, and the information is derived from patient information of an entity regulated under HIPAA, the CMIA, or the Federal Policy for the Protection of Human Subjects, often referred to as the Common Rule. More information on the exemption can be found here. The impact of the passage of CPRA on AB 713 remains an open question.
Proposed New Federal Legislation
During 2020, Congress considered various legislative proposals that would impose additional restrictions on the usage of certain health data. In addition to general privacy proposals that would have protected health data, members of Congress considered specific legislation to regulate the collection and use of health and location information in connection with efforts to track and limit the spread of COVID-19. Such legislation includes the proposal described in our blog post here.
SAMHSA Part 2 Revisions
The U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a final rule revising the Confidentiality of Substance Use Disorder Patient Records regulations located at 42 C.F.R. Part 2, commonly referred to as “Part 2.” In brief, the revisions clarified the applicability of Part 2 to non-Part 2 providers, delineated certain permitted disclosures with written consent, and expanded the research exemption to permit disclosures without patient consent to non-covered entities for research purposes. For additional information on these and other revisions, please see our blog post here.
If you have any questions concerning the material discussed in this client alert, please contact the following members of our Data Privacy and Cybersecurity practice.