Just how private is that information your patient records in a mobile headache diary?
TECHNOLOGY IN NEUROLOGY: HEADACHE & MIGRAINE
Mr. Stieglitz is an attorney who represents clients regarding technology matters. Dr. Minen is Chief of Headache Research at NYU Langone Medical Center in New York.
Patient: Doctor, I don’t think I need migraine preventive medication.
Doctor: You told me that you have three severe attacks each month and I’m concerned about the amount of ibuprofen you’re taking for more mild to moderate headaches. How often are you actually taking the medication?
Patient: I’m not sure because I don’t keep track. But I don’t want to take a daily medication.
Doctor: I know that you’re worried about adverse effects of migraine preventive medication but I’m concerned about the frequency of your headaches and the amount of pain medication you’re taking each month. Download a smartphone application to document your headaches and medication over the next month. We’ll review the results at your next visit.
Patient: That sounds fine, doctor. Which smartphone application should I use?
Doctor: Some patients like [X] and others like [Z]. Why don’t you look into both of them and choose the one you like.
In headache medicine, the treatment plan frequently includes daily headache diaries. Historically, doctors have recommended paper diaries as the most common approach. However, studies show that electronic diaries are more reliable than traditional paper diaries, and their instant availability means that people with migraine can enter data whenever and wherever they have their phone.1 Over 100 commercial headache applications (apps) are currently available.2
Physicians may advise the use of smartphone apps that allow migraine patients to record the severity and frequency of headaches, remind patients about medication use, and more. However, before recommending that patients use a particular app, doctors should consider whether patients understand the privacy implications of using the app, and whether the app could make use of recorded patient data that differs from the patient’s privacy expectations.
In the US, privacy law protections generally depend on the business sector collecting or holding the information rather than whether the information itself is considered private. (The sector-based approach of the US differs from many other countries that apply privacy protections to personally identifiable information regardless of the business sector involved.)
For the medical sector, the Health Insurance Portability and Accountability Act (HIPAA) requires “covered entities” (including health care providers, health plans, and health care clearinghouses) to ensure that patients’ protected health information (PHI) is only disclosed for specific permissible uses, such as treatment, payment, and health care operations. HIPAA also applies by extension to “business associates” who receive PHI from a covered entity to provide necessary functions, such as billing and information technology. Covered entities must use a contract to ensure that business associates comply with HIPAA.
For the vignette above, the patient’s disclosure directly to the doctor of headache frequency and severity, along with medication history, receives strong privacy protection under HIPAA and may only be disclosed by the doctor for permitted purposes. For example, HIPAA generally prevents a doctor from selling information about a patient’s headaches to third parties for the purpose of marketing products to the patient (see, e.g., 45 CFR § 164.508).
However, HIPAA’s privacy protection does not always apply to data recorded using an app, even if a doctor advises patients to use the app to facilitate medical discussions. Because the US uses a sector-based approach to privacy, a patient’s health information has no privacy protection under HIPAA if the patient discloses that information to an entity, such as an app service provider, that is not a “covered entity” or “business associate.”
When a patient downloads a mobile headache diary unaffiliated with the recommending doctor, HIPAA provides little protection of the personal information input by the patient, even if that information is later shared with a doctor. If HIPAA does not apply to the personal information collected by the app, the patient’s private health information may be collected, used, and sold by the app company for many purposes not related to health care, including advertising and marketing. (Even if HIPAA does not apply to a particular app, patients may still have some privacy protections based on other sources of US privacy law, such as the app’s privacy policies, or from regulation based on unfair and deceptive trade practices. These other sources of law are beyond the scope of this article.)
The US Department of Health and Human Services (HHS), which is responsible for enforcing HIPAA, has provided guidance about when health apps are subject to HIPAA.3,4 The mere recommendation of an app to a patient by a doctor does not bring that app under HIPAA regulation. According to this guidance, HIPAA does not apply even if the doctor and app developer “have entered into an interoperability arrangement” at the patient’s request to facilitate transfer of the patient’s information to the doctor. (HHS takes this position because the patient, rather than the doctor, initiated the relationship with the app developer.)
On the other hand, HHS says that HIPAA does apply if the app developer contracts with the health provider for access to patient health records, patient messaging, and similar patient management services. This distinction can be ambiguous, and health care providers should consult an attorney regarding individual situations. This summary describes the current guidance; however, HHS may change this guidance and its recommendations.
Patients may not appreciate this very legalistic distinction regarding their privacy rights. They generally understand that the doctor-patient relationship includes confidentiality, but their expectations may differ from HIPAA’s legal requirements.5 In addition, individuals with lower health literacy perceive the privacy protections provided by health-related apps to be greater than they actually might be.6 Because patients have an expectation of privacy and confidentiality when disclosing information directly to health providers, doctors should consider explaining that their recommendation of third-party apps does not include any specific knowledge of the data practices of the apps’ developers.
1. Giffin NJ, Ruggiero L, Lipton RB, et al. Premonitory symptoms in migraine: an electronic diary study. Neurology. 2003;60:935-940.
2. Minen MT, Torous J, Raynowska J, et al. Electronic behavioral interventions for headache. J Headache Pain. 2016;17:51.
3. Health App Use Scenarios and HIPAA. https://www.aptible.com/assets/what-is-a-hipaa-baa/OCR-health-app-developer-scenarios-2-2016.pdf. Accessed July 25, 2017.
4. Federal Trade Commission. Mobile Health Apps Interactive Tool. https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool. Accessed July 25, 2017.
5. Jenkins G, Merz JF, Sankar P. A qualitative study of women’s views on medical confidentiality. J Med Ethics. 2005;31:499-504.
6. Mackert M, Mabry-Flynn A, Champlin S, et al. Health literacy and health information technology adoption: the potential for a new digital divide. J Med Internet Res. 2016;18:e264.