Deven McGraw: HIPAA likely doesn't cover Apple Watch

Apple's announcement of its forthcoming HealthKit platform and its new wearable device, Apple Watch, has brought to the forefront concerns that privacy protections aren't keeping up with development of wearables that collect health information.

Overall, mobile healthcare application privacy policies are hard to find, and those in place are not providing transparency on privacy practices, according to research published recently in the Journal of the American Medical Informatics Association.

FierceHealthIT spoke with Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips and longtime member of the Office of the National Coordinator for Health IT's Policy Committee, about this. McGraw recently was named chair of the committee's Privacy and Security workgroup.

FierceHealthIT: Has the FDA or other agencies made any distinction between what is fitness data and what is medical data?

McGraw: The FDA put out some guidance on mobile medical apps making clear that it's only going to be concerned with apps that function like a medical device, where the consequences if the device were to malfunction could be significant. If my fitness app tells me that I'm running faster than I actually am, I might be disappointed when I find out that's not the case, but it's not going to cause me injury or risk my life. On the other hand, if I've got an app that reads a glucose monitor and it gives me the wrong reading, and I give myself an insulin dose, thinking that I'm low and I'm not, that could have pretty significant consequences for me.

There's a security component to the FDA regulations because if somebody hacks it, if security is lax in an app or device with a medical function, that could impair the functionality of the device to the point it's problematic for the patient. [FDA] cares about security, but doesn't care very much about privacy.

Apple's watch, if it's just uploading mostly fitness and nutrition data, is probably not a device that needs to be approved by the FDA. But if it starts to upload information from a medical device, if it were functioning more as part of a medical device where its malfunction could be a problem for a user, then potentially the FDA would be very interested in regulating that.

FHIT: It would seem that if Apple is getting involved in medical pilots with Duke and Stanford regarding HealthKit, that it would at least have to be HIPAA compliant.

McGraw: Well, maybe, maybe not. It's not clear that they would have to be HIPAA-compliant.

HIPAA doesn't regulate all medical data. It only regulates that data when it is in the hands of, within the control of, or within the purview of a medical provider, a health plan or other covered entity under the law. It's a sectoral law [covering specific context of information use], not a data-protection law.

If you've got a device that the consumer is downloading off the Internet, that device is not being offered by their hospital. The Office for Civil Rights clarified in guidance in 2013 that mere connectivity on behalf of a consumer to an electronic medical record does not make that device covered by HIPAA.

When the data goes into the doctor's record, it will be covered by HIPAA, but when it's sitting on the consumer's phone, it's not. Because of the odd way that HIPAA was enacted, as a set of protections over a discrete number of entities, [it] doesn't follow the data wherever it goes and doesn't apply to data outside the purview of those doctors and hospitals. It's by no means guaranteed that the data on that watch is covered by HIPAA, and I would say that in most cases, it won't be.

FHIT: But I understand Apple is requiring third-party developers for HealthKit to have a privacy policy.

McGraw: Apple's making a statement, I think. It recognizes that a lot of people may be reluctant to use apps or have their apps connected to HealthKit if there aren't some protections for the privacy and security of that data. Rather than wait for the regulators to [write new laws covering that data], it's saying, "We want to create a platform that's more trusted than the marketplace in general, and we're going to set some rules." It's prohibiting app developers from selling data they get through HealthKit to data brokers or for marketing purposes. Rather than requiring the consumer's consent, it's just prohibiting that, which is very interesting, given that the business model for apps is to sell the data; that's how so many of them are offered for free.

FHIT: Do you see more regulation coming in this area?

McGraw: Yes and no. States seem much more willing to step into the void. California in 2013 enacted amendments to its state health privacy law, the Confidentiality of Medical Information Act, extending it to hardware and software that collects medical information on behalf of a consumer. Medical information is defined in a way that it's not necessarily information the consumer uploads into the app, but data that comes from a medical provider's record. Whereas, as we talked about earlier, mere connectivity would not trigger HIPAA coverage, it could very well trigger CMIA coverage.

Other states may be interested in jumping into that void. And it might not be California's last word on this topic.

Congress, on the other hand, seems to be pretty stuck. It's not been terribly interested, at least not on a bipartisan level, in moving consumer privacy legislation. The closest we've been able to come, and we still don't have an enacted law, is on a single set of breach notifications that would apply across the country and trump the various state laws. That seemed to have some bipartisan support, but hasn't significantly moved anywhere.

Editor's Note: This interview has been edited for clarity and content.