Previously, a provider's legal liability hinged on “direct contact and care,” they said. But today, with remote monitoring and mobile health apps, “there is no agreement as to what a doctor's liability would be if he or she injured a patient as the result of faulty or inaccurate information supplied by the patient.”
They advise hospitals and healthcare systems to develop “stringent” policies “for the use of any app” to prevent data breaches and to monitor for adverse events. They predicted the Food and Drug Administration and Federal Trade Commission would take strong regulatory roles over telehealth applications. Yang is an associate professor in the department of health policy and management at George Mason University; Silverman is a professor of health policy, public health and law at Indiana University.
What's needed, argued authors of a second article, is a “comprehensive federal policy framework protecting privacy and security of information collected by telehealth technologies.”
“For telehealth to succeed, privacy and security risks must be addressed” is written by Joseph Hall, chief technologist at the Center for Democracy & Technology, a Washington, D.C., think tank; and Deven McGraw, director of the CDT's Health Privacy Project. McGraw is a member of the federally chartered Health IT Policy Committee, which advises HHS, and she serves as co-chairwoman of its Privacy & Security Tiger Team.
Their review focused on “network-enabled telehealth devices” that receive data from patients and transmit data to healthcare providers. They found, as have others, privacy and security risks with mobile apps, which “may be financed by sharing potentially sensitive data from the app with third-party advertisers that target ads to patients based on app use.”
Right now, the Health Insurance Portability and Accountability Act, the chief federal health privacy law, may not cover many providers of telehealth services under its “business associates” provisions, they argued.
Whether HIPAA covers a vendor of a so-called “patient-facing” technology “depends on whose interests are being served by the technology.” HIPAA liability may hinge on whether the device is used in a “direct-to-patient transaction” between vendor and consumer or whether the technology is provided by a doctor.
Neither HHS, whose Office for Civil Rights enforces the privacy and security provisions of HIPAA, nor the FDA, which regulates some mobile medical devices, is the best agency to oversee privacy and security in consumer telehealth, they said. “No HHS office or agency has experience with the privacy and security risks introduced by consumer-facing commercial technologies,” while “the FDA's focus is on safety, not privacy.”
That leaves the FTC—building on its work in enforcing rules against unfair and deceptive business practices—as the agency to regulate privacy and security in consumer telehealth, Hall and McGraw concluded. The FTC has already been given authority under the HITECH Act, part of the American Recovery and Reinvestment Act of 2009, to enforce breach notification requirements for some personal health-record systems—those untethered to a healthcare provider's electronic health-record system and therefore outside HIPAA.
The FTC should first seek industry consensus around a set of “voluntary codes of conduct” on consumer privacy that were called for by the U.S. Commerce Department in 2010, Hall and McGraw said.
With adherence to the voluntary code should come a “safe harbor” from FTC enforcement actions, they said. But if no code of conduct can be agreed upon, then the FTC should develop its own set of regulations “establishing a basic set of privacy protections and security controls for the telehealth industry.”
Follow Joseph Conn on Twitter: @MHJConn