HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Health Privacy/HIPAA

New York Regulators Lead the Charge to Fill Health Data Protection Gaps Left by Federal Law

New York AG Settles Data Protection Enforcement Against Mobile Health Apps

After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General (NY AG) settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor.

Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.

The mobile health apps were not FDA-approved and none of the three was able to provide sufficient documented evidence to the NY AG to support their claims of effectiveness. Although the FDA has an approval process for heart monitors and fetal heart monitors and broadly maintains regulatory oversight for “medical devices,” the federal agency is not exercising its regulatory authority over direct-to-consumer mobile health apps, like those marketed by Cardiio, Runtastic, and Matis.

Under the settlements, the developers agreed to enhance privacy protections, ensure marketing claims were not misleading, and pay $30K in combined penalties to the NY AG. Before sharing any de-identified user information with third parties, the apps are now required to request, in writing, that such third parties not attempt to re-identify the information; both Cardiio and Runtastic also must receive express agreement from third parties prior to such disclosure. In addition, the developers agreed to post clear and prominent disclaimers on their websites, in app store listings, and in a pop-up message that appears upon first use of the apps to inform consumers that the apps are not medical devices and are not approved by the FDA. They also agreed to require affirmative consent to their privacy policies and disclose that they collect and share information that may be personally identifying. Finally, the settlements require the developers to “[e]stablish and implement reasonable security policies and procedures designed to protect user information,” which must be “appropriate to the nature and scope of [the apps’] activities and the sensitivity of the covered information,” and review and update these policies as necessary, at least bi-annually.

The NY AG is sending a clear message to health app developers that their apps must (1) function as advertised, (2) not make misleading claims, and (3) protect user information. The NY AG’s press release announcing the settlements can be found here.

New York Department of Financial Services Cybersecurity Regulations: August deadline looms

The New York Department of Financial Services is imposing detailed cybersecurity regulations on health insurers, banks and other institutions operating under a license or authorization of New York state law. In some cases, the rules impose on health care insurers standards more exacting than those required by the HIPAA security regulations. For example, under the NYDFS regulations, all nonpublic information must be encrypted in transit and at rest (with time-limited exceptions for use of compensating controls), and the Chair of the Board or a Senior Officer must annually, and in writing, certify that the cybersecurity program complies with the regulations. By August 28, 2017, those subject to the law must comply with requirements covering: (1) documenting a cybersecurity program; (2) maintaining an incident response plan; (3) designating a CISO; (4) cybersecurity training; (5) role-based access limitations; and (6) breach/cyber-incident notification. Health insurers will need to take a fresh look at their cybersecurity programs (and those of their third-party vendors) to confirm adequate practices are in place to meet the NYDFS rule deadlines.

New York Regulators Moving to Fill Federal Regulatory Voids

These actions by New York highlight state regulator willingness to fill perceived regulatory and enforcement gaps unaddressed through federal data privacy and security oversight. Direct-to-consumer mobile health apps often fall outside the reach of traditional health care regulators: they are often not covered by HIPAA and historically have not been regulated as medical devices by the FDA. However, states have wide latitude to regulate such apps for potentially deceptive or fraudulent business practices, and state regulators claim broad authority to enforce privacy, data breach, and security rules. Even entities, such as health insurers, that operate in federally regulated industries may find themselves subject to new state law requirements. Regulators in other states may soon follow New York’s lead. Organizations should monitor state enforcement and regulatory activity to understand the expectations of regulators in the states in which they operate and market their services.