By Morgan E. Doiron
You often hear the saying, with great power, comes great responsibility, and with the direction Apple is going in the healthcare industry with their newest health care applications, while great in theory, the applications raise some major concerns involving their users personal information. [1]
Since its founding in 1976, Apple has been well known for its technological innovations, and the company does not appear to be stopping anytime soon. Apple has recently revealed its plans to break into the healthcare market with new applications, such as Healthkit, Researchkit, and Carekit that will change the way we view healthcare. Apple has been foreshadowing its break into the healthcare market with introductions to its massive product line of more health related items such as the Apple Watch, which allows individuals to not only track their activity, nutrition, and sleep, but also their heart rates. With the release of the Series 4 watch, Apple has taken heart monitoring to new heights by configuring the Apple Watch to be able to take an electrocardiogram directly from your wrist.[2]
The latest update to Apple’s Health application is supposed to provide individuals easy access to their medical records straight from their cellphone, without all the hassle of logging into different portals to view them all. Apple states that it does not store your data, it goes directly from your medical provider to your phone, and it is encrypted throughout transit and at rest in your device. But is that enough protection for your highly sensitive medical information?
Apple should comply with the Health Insurance Portability and Accountability Act (“HIPAA”) to ensure the protection of their user health information. HIPAA was enacted in 1996 to provide data privacy and security provisions for safeguarding medical information.[3] Most notably, Title II of HIPAA establishes policies and procedures for maintaining the privacy and the security of individually identifiable health information, outlines numerous offenses relating to healthcare, and establishes civil and criminal penalties for violations. HIPAA protects an individual’s protected health information (“PHI”). PHI is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates.[4] PHI includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage.[5] Apple’s health application provides users with their medical records, information that is classified as PHI.
HIPAA requires compliance from specific types of entities and their business associates. There are three categories of covered entities under HIPAA: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (“HHS”) has adopted standards. Apple likely doesn’t fit under any of the aforementioned categories, but HIPPA also has a provision requiring compliance from business associates.
Is Apple a Business Associate under HIPAA?
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to PHI.[6] A “business associate” is also a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.[7] This is where Apple’s updates to the Health application become unclear as to whether Apple is now considered a business associate. In reading the simplified definition from HHS’s website, one can argue Apple is a business associate. While the medical records function is in its beta phase, Apple is still partnering with hospitals to provide patients with easy access to their records. On the one hand, Apple could be seen as providing “services,” like a business associate would, to a covered entity that involves protected health information; the hospital allows access to PHI through Apple’s mobile devices. On the other hand, Apple argues it is not a business associate because Apple does not access your health records. Even if you store health records in the iCloud, the records are still encrypted, and therefore, Apple argues, protected. Encryption security measures, along with not currently being able send your medical records to a new medical doctor or other healthcare provider, leave Apple’s status as a business associate and subjectivity to HIPAA, unclear.
Apple has not revealed if individuals will be able to send their records to prospective healthcare providers in the near future. One reason for Apple’s secrecy on this issue may be because they have not yet developed the technology to share the health records from the application. Another reason may be Apple’s reluctance to comply with HIPAA. Apple does have numerous protections on the health information stored in your phone and the iCloud in place. Apple has strict privacy policies for individuals wishing to place their applications on Apple’s application store. Apple also requires user’s consent before allowing applications to share data. Even though Apple has general protections for their users, if Apple is going to continue breaking ground in the healthcare field, they should seriously consider looking into what compliance with HIPAA entails. Being a technology-based company shouldn’t mean Apple has less of an ethical obligation under the law than healthcare providers to protect their user’s information. Compliance with HIPAA will provide users with the protection they need while still allowing Apple to be creative and innovative.
Morgan Doiron is a 2L staff member on the Journal of Health and Biomedical Law. Morgan interned at the Hartford Immigration Court and has interests in immigration law, criminal law, and litigation. As a staff member, she is working on a full year note about the adverse psychological effects of separating migrant children from their primary caregivers at the border.
[1] A Bold Way to Look at Your Health, Apple, https://www.apple.com/ios/health/ (last visited Oct. 13, 2018) (discussing the new and improved health applications accessible on your phone).
[2] Electrocardiogram, Mayo Clinic (May 19, 2018), https://www.mayoclinic.org/tests-procedures/ekg/about/pac-20384983. An electrocardiogram records the electrical signals in your heart. Id. It is a common test used to detect heart problems and monitor the heart’s status in many situations. Id.
[3] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936, (enacted August 21, 1996) (explaining how to protect personal information to prevent fraud and theft in the healthcare industry).
[4] What is Protected Health Information?, HIPAA Journal (Jan. 10, 2018), https://www.hipaajournal.com/what-is-protected-health-information/ (listing different types of protected health information).
[5] See Id.
[6] Business Associate Contracts, Department of Health and Human Services (Jan. 25, 2013), https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html (defining business associates and their roles under HIPAA).
[7] Id.