Lisa Pierce Reisz, Member of the Firm in the Health Care & Life Sciences practice, in the firm’s Columbus office, was quoted in Renal+Urology News, in “New Health Apps May Pose Challenges to Patient Privacy,” by John Schieszer, MA.

Following is an excerpt:

The popularity of health apps raises significant issues in terms of patient privacy. HIPAA rules apply when protected health information (PHI) is created, received, maintained, or transmitted by covered entities (such as health plans and most healthcare providers) and business associates (such as individuals and companies that provide certain services for covered entities). HIPAA rules, however, generally do not protect the privacy or security of a patient’s health information when it is created through or stored on personal cell phones or tablets, or fitness trackers. The rules do not protect the privacy of an individual’s internet search history, information an individual voluntarily shares online, or an individual’s geographic location information. …

A Valuable Cybercriminal Target

According to data analyzed by the cybersecurity company NordLayer, more than 45 million patients had their information exposed in the first half of 2024, as healthcare organizations have become one of the industries most targeted by cybercriminals. The sensitive data stored at these institutions is valuable to attackers because it includes Social Security numbers, names, home addresses, and health history. Cybercriminals can use this information to craft believable phishing emails or sell it online for identity theft, according to NordLayer, which provides network security for businesses of all sizes.

Lisa Pierce Reisz, a member of the law firm Epstein Becker Green in Columbus, Ohio, said healthcare providers or health plans that create or offer health apps to their patients or members must be aware of how these apps are collecting, using, storing, and guarding PHI. Similarly, developers who are creating health apps for a covered entity are likely to be that entity’s business associate and will have their own HIPAA obligations.

“Further, these particular health app developers should be building privacy and security protections into their apps that meet the standards required by HIPAA,” Reisz said. “Ongoing vigilance regarding uses and disclosures of PHI, especially with respect to innovative technology such as health apps, should be a hallmark of each provider or health plan’s HIPAA compliance program.”

Ensuring that health apps created or offered by a HIPAA-covered entity are actually baked into the covered entity’s HIPAA compliance plan can be challenging, she noted. “It requires that the practice identify which technologies have been adopted, ensure that the practice has done some due diligence to ensure that the health app has been developed in a HIPAA-compliant manner, and understands how the health app collects, uses, and discloses PHI,” Reisz said.
