On Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time. ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties. ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”
Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking advantage of wearable, mobile healthcare technology, also referred to as “mHealth”. The Office for Civil Rights (OCR) recently set up an mHealth webpage to collect questions and comments from healthcare mobile app developers whom most often are not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Food and Drug Administration (FDA) has jurisdiction over mobile healthcare technology that directly impacts the delivery of healthcare; however, many mobile healthcare apps would not be subject to FDA jurisdiction because they are not used by healthcare providers in monitoring or delivering healthcare.
To fill some of the gaps, the FTC has stepped in to take action against companies who make false claims about their mobile apps. It also has jurisdiction over the PHR developer or supplier with regard to a breach of medical data collected by the PHR when the PHR is not subject to HIPAA. The FTC has posted several articles to guide mHealth app developers on what they should consider when developing and marketing their apps: click here and here. It has also published more extensive guidance for mobile app developers generally, not only health apps but any app that collects highly personal or sensitive information. Here are just a couple: Mobile Privacy Disclosures, Building Trust Through Transparency, and Marketing Your Mobile App, Get it Right from the Start.
ONC’s Lucia Savage, Esq., Chief Privacy Officer, is scheduled to speak about “Privacy & Security in an App Enabled World” on March 1 at the annual 2016 HIMSS conference in Las Vegas, NV. ONC’s Request for Information on Updates to the ONC Voluntary Personal Health Record MPN will be published in the Federal Register on March 1, 2016. Click here to view a pre-publication version of ONC’s request. To read ONC’s recent blog post about the MPN, click here.