Lawmakers question efficacy, security of health apps
Mobile health apps and wearable sensors for diagnosing, tracking and treating diseases such as chronic conditions are growing in popularity among consumers. However, according to lawmakers, there are concerns with this technology that need to be addressed.
In a hearing last week, Ranking Member Rep. Dan Lipinski (D-Illinois) told the House Committee on Science, Space, and Technology’s Subcommittee on Research and Technology that the great promise of health apps is that they have the potential to result in better outcomes for users.
“But, whether this potential can be realized depends on the quality and reliability of the apps and the information they contain,” said Lipinski. “For mobile health apps not regulated by the FDA, there’s much greater uncertainty. We don’t want to stifle innovation but there are major concerns that must be considered including the potential for an app to lead to harm. Inaccurate readings, for example, could lead to a life-threatening situation.”
According to Lipinski, there are more than 100,000 health-related apps available through the Google and Apple app stores that have been downloaded by consumers hundreds of millions of times—many of which are used to monitor and respond to serious chronic conditions. However, he also expressed his concerns that human factors are not being integrated into the development of these apps.
“As an engineer, I know that if we do not incorporate human factors into the design and evaluation of these apps, they may not function as intended or may even cause harm,” charged Lipinski. “This is a very important area of research, one where the National Science Foundation has a role, possibly in collaboration with the National Institutes of Health.”
Another area of concern is the privacy and security of users’ personal information generated by mobile apps. Lipinski referenced a recent University of Illinois at Urbana-Champaign study that found risks associated with the integration of advertising libraries in these apps.
“Many free apps use ad libraries as revenue sources which may expose users’ data,” he asserted. “This is clearly a privacy issue but it can also be a security issue if the app requires the user to enter personally identifying information or sensitive health data.”
Nonetheless, Subcommittee Chairwoman Rep. Barbara Comstock (R-Va.) argued that this data can aid in consumer decision-making regarding their health, benefitting those who suffer from chronic diseases such as cancer, epilepsy or diabetes. “The more data we have about ourselves that we are personally aware of, the more likely we are to be able to receive precise and comprehensive care from our physicians,” said Comstock.
However, Lipinski warned that apps incorporated into patient care by clinicians bring with them inherent security risks. “Giving physicians and nurses access to data being recorded by the apps brings up more questions about how to keep the data secure,” he said.
Still, Morgan Reed, executive director of the App Association representing more than 5,000 vendors, testified that HIPAA privacy and security rules and guidance applicable to mHealth apps have not been updated since before the introduction of the iPhone in 2007, and that the persistent lack of clarity around HIPAA applicability in a mobile environment prevents many patients from benefitting from these services.
“As a result, many physicians are reluctant to receive health readings from their patients electronically, and hospital systems are discouraged from adopting patient-centered technologies,” Reed said. “To date, clear guidance does not exist to explain whether physicians and patients can text or email each other.”
Likewise, Jordan Epstein, CEO of Stroll Health, expressed concerns about the challenges his company faced in developing HIPAA-compliant mobile and web apps used by both patients at home and by providers in a clinical setting.
“With today’s complex ‘app-in-app’ and data sharing infrastructure, it is not always clear who should be signing a Business Associate Agreement (BAA) with whom,” said Epstein, referring to HIPAA requirements. “This can lead to an arduous process of, for example, integrating with an EHR, only to have to obtain authorizations from each individual provider on a case-by-case basis, even when the total solution is already authorized by the provider with a BAA in place. This problem does not affect just small app providers, but also some of the largest, most innovative, publicly traded healthcare IT companies.”
Consequently, Epstein has urged the Department of Health and Human Services’ Office for Civil Rights to make clearer when patient permission is needed, when a BAA applies and to whom, and what sort of communication is permissible to patients without explicit consent.