Congressman proposes legislation protecting privacy of mobile device users

Rep. Hank Johnson (D-Ga.) on Jan. 17 released draft legislation that would safeguard the privacy of mobile device users by requiring mobile app developers--including those for mHealth apps--to disclose how they collect personal data and which third parties would have access to that data. Johnson unveiled the draft of the bill on AppRights, a web-based legislative project launched in July 2012 to facilitate public discussion about how Congress can help ensure consumer privacy on mobile devices.

"Because the majority of the feedback that we received on AppRights expressed strong support for user control, transparency, and security, we incorporated these principles into the bill," Johnson said in a written statement. "Many of you also told us that simple mechanisms are important to protecting your privacy on mobile devices. After listening to these concerns, we have written provisions to address these concerns without threatening the functionality or integrity of the mobile apps that you love."

As the draft legislation is currently written, the Application Privacy, Protection and Security (APPS) Act of 2013 would inform consumers what information is collected and how long it could be stored, ostensibly allowing them to prevent mobile app developers from sharing or collecting their data. According to the proposed legislation, developers would have to identify the consumers before collecting any personal data and obtain their consent.

"Application developers often see data as point-of-purchase type collection of raw data that can be shared and used with just about anyone," Paige Joyner, a privacy consultant, wrote in a recent blog post on the website for mHealth vendor Preventice. "Unfortunately, healthcare data is different from other types of data collected like purchases at the grocery store, driving habits and history, claims data from property insurers, etc."

As Joyner argued, healthcare data "must be kept private and secure during its entire lifecycle" so that it is "controlled, validated, secured and made available to a patient upon request." In addition, she pointed out that the "holder" of the data must be able to "prove that they have policies and procedures in place, and that they are following them in order to maintain the privacy and security of the data in their possession and that they share."

When it comes to protecting this kind of data, the APPS Act would require app developers to "prevent unauthorized access to a user's data through reasonable and appropriate security measures. This provision would address sub-standard data storage practices by promoting responsible data storage." In addition, the Federal Trade Commission would be charged with enforcing the app privacy rules, and would be required to create regulations required by the APPS Act within a year of its enactment.

In related news, the U.S. Department of Health & Human Services last week released the Health Insurance Portability and Accountability Act omnibus final rule which included changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.

To learn more:
- visit the website AppRights
- read Johnson's announcement
