By: Lucia Savage, Chief Privacy Officer & Carolyn Bradner Jasik, Chief Medical Officer
Since the release of the iPhone in 2007, healthcare has been wrestling with how to best incorporate digital health apps. This is especially true in the privacy space where HIPAA regulations about how to both safeguard and provide access to patient data have existed for decades.
However, questions about how digital health apps safeguard patient data have been circulating for a while. As recently as 2022, security researchers uncovered many instances where even traditional healthcare companies (like hospitals) in their direct-to-consumer advertising were leaking identifiable health data on patients and prospective patients to social media platforms like Meta (formerly Facebook), Pinterest, TikTok, and other platforms that produce revenue by sending us all “personalized” ads. Note: Omada does not advertise directly to individual consumers on social media platforms.
These revelations may be shaking patients’ and physicians' confidence in digital health at the very moment when digital health apps are being recognized (see: global pandemic). With one in five U.S. adults now using digital health apps, it’s more important than ever to ensure that health data is secure and private.
With that in mind, here are five key questions to ask when investigating a digital health app’s privacy practices.
There are tens of thousands of digital health apps available for free download in the app stores. And, the app stores do not themselves separate apps that are operated by HIPAA-covered entities from those that are not.
There are also documented failures to be clear about privacy practices in apps not regulated by HIPAA. Apps regulated by HIPAA, however, are required by law to not only comply with HIPAA's privacy and security requirements, but also to tell consumers about that in HIPAA privacy notices.
Apps outside HIPAA have little to no required privacy protections.
Mature digital health companies like Omada operate as healthcare providers and digitally deliver care. This is a key distinction, as true healthcare providers:
- Are HIPAA-covered entities that incur regulatory requirements for the storage and release of health records.
- Deliver evidence-based care.
- Are staffed with personnel trained and credentialed to deliver services--Omada’s app connects its patients to a care team of qualified professionals.
In contrast, as has been reported to Congress, a direct-to-consumer app is not required to meet HIPAA standards.
Whether it’s a patient browsing the app store or a physician being asked for advice on a digital health tool, it’s hard for the untrained user to know the differences between consumer health apps and true digital healthcare providers. This confusion can result in consumers putting personal data, and even their health, at risk.
2. Is the data treated as “user” data or “patient” data?
Patient data should never be sold. Period.
In fact, selling patient data is not allowed for healthcare providers under HIPAA.
Consumer apps may depend on advertising dollars as a source of revenue, and they fuel that by monetizing user data, which often includes identifiable health information. Healthcare provider apps like Omada, who are regulated by HIPAA, are not allowed to sell their data or let others use it for marketing.
Omada delivers its healthcare services under the same standards and rules that apply to doctors offices and hospitals throughout the United States. Our participants’ data is treated exactly like the data of a patient held by a doctor or hospital. We back up that regulatory adherence via industry-leading security controls independently validated by HITRUST and SOC2. And most importantly, we never sell the health information of our participants.
3. Does the company place personalized ads about healthcare on social media?
Another area of privacy peril is direct-to-consumer advertising. Twenty five years ago when HIPAA was enacted, we lacked the digital breadcrumbs of peoples’ lives to advertise healthcare so personally.
That evolved over time such that in 2010, Congress amended HIPAA to prohibit use of Protected Health Information (PHI) for “marketing” (as defined in the law) without a person’s individual authorization to receive such marketing. Even under that rule, it was always anticipated that if a healthcare organization was using PHI for advertising, the advertising agency that had that PHI would be the organization’s HIPAA-compliant vendor and business associate.
Fast forward to today, and we have hospitals allegedly arranging for personalized ads on Meta to be delivered to patients and prospective patients because the hospitals connected their web pages (and therefore, users’ browsing history) to Meta. We also see consumer health apps using the same method to reach prospective patients.
Omada doesn’t use direct-to-consumer advertising to reach prospective patients. We work with traditional healthcare organizations like employers, health plans and health systems to inform their employees and patients of Omada’s services, and we use old-fashioned email and U.S. mail to do it —not ads where we let a social media platform in on a person’s health profile to place an ad.
4. Does the company get paid via ads or medical claims?
It’s no secret that many digital platforms make their money through ads. However, much like a doctor’s office or health system, virtual health providers get paid by insurance companies to supply healthcare. They do not earn revenue via user/patient advertising.
Omada’s revenue does not depend on app downloads or getting paid via ads. We bill through medical claims like any doctor’s office would, with one key difference: Omada takes it to the next level by embracing value-based reimbursement, i.e. Omada gets paid dependent on its value-based contracts with payers..
In contrast, “free” consumer health apps are incentivized to drive user engagement regardless of outcomes because they get paid with advertising “eyeballs.” There are few healthcare providers, let alone health apps, that link their revenue to clinical improvement of their population.
5. What about state medical confidentiality laws?
When a company offers actual healthcare with credentialed professionals, it also needs to worry about state-based health information privacy laws.
For example, effective in 2023, California amended its medical information confidentiality law to expressly cover mental health services supplied via an app, whether via FDA-approved AI services or an app used for communication between a patient and licensed provider.
Whether you’re protecting yourself, your patients or your workforce, checking on your state’s medical confidentiality laws is essential.
Setting Standards for The Future of Healthcare
After $41 billion dollars invested in digital health in the past 10 years, we have yet to separate the wheat of a digital healthcare solution that is private, secure, and built on clinical best practices from the chaff of free “health apps” that monetize their users’ data and do not produce clinically valid results. COVID taught us that digital health can really move the needle in healthcare.
We’ve moved past “is there an app for that?” to “there’s a digital healthcare provider for that.”
We need to look deeper to make sure that digital health solutions are providing evidence-based protocols, evaluating results using standards of medical care, and adhering to best practices for privacy and security of its patients’ data.
Interested in learning more? Tune in to Patient Privacy & Digital Health: What Providers Need to Know, January 20th at 12pm PST. Save your spot here.