Read the book Do No Harm - Matthew Webster - Page 48
Non-HIPAA Health Data?
Over the last decade, a number of new devices and applications have hit the market. These include everything from wearable devices that track physiological data to health and fitness applications designed to make you healthier. What is interesting is that many fitness devices are eerily similar to IoMT devices: they collect many of the same types of data, in many cases using the same types of technology. By all considerations, many of these devices are collecting HIPAA-like data, but the data is not considered HIPAA data because it is not created by a covered entity. A covered entity, as defined in the HIPAA rules, is a health plan, healthcare clearinghouse, or healthcare provider. Covered entities (and the business associates that handle protected data on their behalf) are beholden to HIPAA and have strong privacy and cybersecurity requirements. Data from consumer health devices, despite its similarity to clinical health data, does not carry the same privacy or cybersecurity requirements. Data from health and fitness applications often includes a great deal of additional information about you, such as where you are, where you have been, and personal details such as your address. These "free" applications mean you give up information about yourself, and much of it is healthcare-like information.
A challenge with many of the health applications on the market is that some of them provide health advice without sufficient science behind them to back up their claims. Between the Apple App Store and Google Play, there are more than a hundred thousand health applications. There have been numerous fines against many of these companies, but given the relative ease of designing apps and getting downloads, keeping track of them all and determining which are legitimate and which are not becomes an almost impossible task. Making an unsubstantiated claim may ultimately harm some people. The FDA has issued guidance for companies or individuals who develop these applications, but not everyone follows it.
There are also a host of companies that build your family tree from some personal information and your genetic information. Today, that information can tell a tremendous amount about you. While not all genetic tests are equal, generally speaking genetic testing can tell whether you have a genetic predisposition for specific diseases. The FDA prevents these companies from performing any kind of diagnostics, however.8 What these companies do is cross-reference key information against publicly available databases, some of which contain incorrect information. In the end, from a disease standpoint, the tests have only a 40% efficacy rate.9
Like fitness devices and applications, direct-to-consumer genetic testing is not covered by HIPAA. In many cases the data is the same as HIPAA data, but because it is not coming from a doctor or hospital, it is not afforded the same protections. The data walks like a duck. It quacks like a duck. It is a duck, but it does not get the same security considerations as the other ducks because it did not come from a doctor or hospital.
It should be pointed out that just because the data is not HIPAA data, that does not mean the data is not sensitive. The additional information, such as name, address, and phone number, is sensitive in its own right. It is considered personally identifiable information (PII). PII is essentially any information that can help identify someone, including Social Security numbers. In the United States, PII must be protected, but those protections come from a patchwork of state breach-notification and consumer-privacy laws and FTC enforcement rather than a single federal statute, and the requirements are much less stringent for PII than they are for Protected Health Information (PHI). PHI is the data protected under HIPAA: individually identifiable health information created, received, or maintained by a covered entity. It includes PII, but also the health information that covered entities handle. In the case of fitness devices and genetic ancestry testing (not performed under a covered entity), the data is PII combined with health data, yet it is not governed by HIPAA. Often, that means the data is less secure.
But the story of this non-HIPAA medical data does not end here.