Activity trackers, “smartwatches,” wearable electronics, and smartphones all come with more than the ability to record your daily steps taken or calories burned; the devices’ ability to record the nuances of daily activity—thanks in large part to a growing collection of third-party apps—has subjected them to quite a bit of privacy-related scrutiny.
Increased privacy concerns at both the federal and state levels could eventually result in more regulation, driving mobile developers to ask whether they need to integrate a lawyer into their development process. “What you see a lot of developers having trouble with is, ‘I want to combine data, then I want to pass that data on to a covered entity, whether it’s a hospital, an insurance company or healthcare provider.’ So figuring out how to do that in a safe and secure manner is pretty critical,” said Morgan Reed, executive director of ACT | The App Association, which represents more than 5,000 mobile development companies.
Reed remains hopeful that the industry can adequately address the issue, especially if it means relieving developers of the need to spend lots of money on legal counsel: “I think it’s clear that leaders in the industry are trying to offer solutions that don’t require additional regulation.”
Among developers and manufacturers, the guiding ethos of the moment seems to be: Build it first, worry about regulation second. Apple recently updated its developer guidelines with data-sharing rules for health apps, for example, preventing developers from selling health data to advertisers. It also reportedly plans a “HealthKit Certification” stipulating the secure storage of data.
Crossing the Threshold
Arbormoon Software, a mobile-development shop in Ann Arbor, Mich., is in talks with clients about building apps that require HIPAA compliance. While the company’s already released a range of apps—including SPORT Weather, which provides hyper-local forecasts on Samsung’s Gear 2—it hasn’t yet dealt with sensitive health data.
“You can do the math and HIPAA violations become exceedingly frightening. Anything that crosses the threshold into HIPAA data, developers really need to be aware of it,” said Arbormoon President Dave Koziol. “You have to know where that line is.”
Crossing that line means the company’s $3,000-a-year liability policy instantly shoots to $8,000, so the client’s project has to be big enough to justify that added expense. Koziol has asked his staff to take HIPAA training, and plans on bringing a HIPAA consultant on board to ensure compliance for when health-related apps are actually in the production queue.
Given his experience, Koziol foresees cash-strapped startups and independent developers perhaps skipping these protections and just taking the risk. But while government regulation can be difficult, he added, more rules on privacy wouldn’t necessarily be a bad thing: “It’s certainly been a bit of the Wild West.”
More Regulation Coming?
States might be more willing to enact new privacy regulations than the federal government, according to Deven McGraw, a partner in law firm Manatt, Phelps & Phillips and longtime member of the Health IT Policy Committee within the Department of Health and Human Services.
“And that might not be California’s last word on the matter,” McGraw said.
Connecticut’s attorney general, meanwhile, wants Apple to more fully explain how it plans to protect information collected by the upcoming Apple Watch.
On the federal level, a White House report in May concluded that current privacy protections might be inadequate in this era of Big Data; the Federal Trade Commission (FTC) is reviewing security and privacy rules around consumer health data to figure out whether new regulations might be necessary.
Koziol sees the restrictions Apple, Google and others are putting into place as possible efforts to ward off further government regulation: “In the past, any app could get to all the data, and now on all the platforms that has to be approved by the user. So we’re seeing some changes in how much protection the data is getting from the operating system vendors.”
Know Your Stuff
Those contacted for this story offered their best advice for mobile developers: Educate yourself about the regulations that apply to the data used in your app, whether through reading on your own, hiring a consultant or lawyer, or talking to a company that’s already gone through the same process.
Reed suggests that being able to answer venture capitalists’ questions about whether your work is covered by HIPAA can ultimately pay dividends: “If two people come in the door pitching an app, and you come in understanding why you’re not covered by HIPAA, and why you are meeting the (FDA) standards for quality systems regulation, you get the funding.”
Knowing those answers can also help sell an app to risk-averse healthcare clients. “Be prepared to politely push back on people who might not be well versed,” Reed said. “Sometimes the risk officers in hospitals have a tendency to say no even when the facts aren’t on their side, when the technology doesn’t require a business associate agreement… You may have to educate your customer before they make the decision to purchase your product.”
- Apple Watch: Worth Your Development Hours?
- How Wearable Electronics Could Change Your Life
- Sample Resume: Healthcare IT Compliance and Security Officer