
Should Apps with Personal Health Information Be Subject to HIPAA?

Posted on April 10, 2018 | Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

With news of Grindr’s sharing of users’ HIV status and location data, many wonder how such sensitive information could be so easily disclosed. The answer is quite simply a lack of strong privacy and security standards for apps.  The question then becomes whether apps that store personal health information should be subject to HIPAA. Should apps like Grindr have to comply with the Privacy and Security Rules as doctors, insurance companies, and other covered entities already do?

A lot of people already think this information is protected by HIPAA, as they do not realize that HIPAA only applies to “covered entities” (health care providers, health plans, and health care clearinghouses) and “business associates” (companies that contract with covered entities).  Grindr is neither of these. Nor are most apps that address health issues – everything from apps with mental health tools to diet and exercise trackers. These apps can store all manner of information, ranging from simply a name and birthdate to sensitive information including diagnoses and treatments.

Grindr is particularly striking because under HIPAA, there are extra protections for information including AIDS/HIV status, mental health diagnoses, genetics, and substance abuse history.  Normally, this information is highly protected and rightly so given the potential for discrimination. The privacy laws surrounding this information were hard fought by patients and advocates who often experienced discrimination themselves.

However, there is another reason this is particularly important in Grindr’s case, and that’s the issue of public health.  Just a few days before it was revealed that the HIV status of users had been exposed, Grindr announced that it would push notifications through the app to remind users to get tested.  This was lauded as a positive move and added to the culture of openness created on this app. Already users disclose their HIV status, which is a benefit for public health and for reducing the spread of the disease. However, if users think that this information will be shared without explicit consent, they may be less likely to disclose their status. Thus, not having privacy and security standards for apps with sensitive personal health information means these companies can easily share this information and break the users’ trust, at the expense of public health.

Trust is one of the very reasons HIPAA itself exists.  When implemented correctly, the Privacy and Security Rules lend themselves to creating an environment of safety where individuals can disclose information that they may not want others to know.  This then allows for discussion of mental health issues, sexually transmitted diseases, substance use issues, and other difficult topics, the consequences of which impact both the treatment plan for the individual and greater population health.

It would be sensible to apply a framework like HIPAA to apps to ensure the privacy and security of user data, but certainly some would challenge the idea.  Some may make the excuse that is often already used in healthcare: that HIPAA stifles innovation and places an undue burden on their industry and on technology in general.  While untrue, this rhetoric holds sway with government entities who may oversee these companies.

To that end, there is the question of who would regulate such a framework. Would it fall to the Office for Civil Rights (OCR), which already oversees HIPAA regulation? The OCR itself is overburdened, taking months to assess even the smallest of HIPAA complaints.  Would the FDA regulate compliance as it looks to regulate more mobile apps that are tied to medical devices?  Would the FCC have a role?  The question of who would regulate apps would be a fight in itself.

And finally, would this really increase privacy and security? HIPAA has been in effect for over two decades, and yet many covered entities still fail to implement proper privacy and security protocols.  This does not necessarily mean there shouldn’t be attempts to address these serious issues, but some might question whether the HIPAA framework would be the best model.  Perhaps a new model, with new standards and consequences for noncompliance, should be considered.

Regardless, it is time to start really addressing the privacy and security of personal health information in apps. Last year, both Aetna and CVS Caremark violated patient privacy by sending mail to patients where their HIV status could be seen through the envelope window. At present it seems these cases are under review with the OCR. But the OCR has been tough on these disclosures. In fact, in May 2017, St. Luke’s Roosevelt Hospital Center Inc. paid the OCR $387,200 in a settlement for a breach of private information including the HIV status of a patient. So the question is, if as a society we recognize the serious nature of such disclosures, should we not look to prevent them in all settings – whether the information comes from a healthcare entity or an app?

With intense scrutiny of privacy and security in the media for all aspects of technology, increased regulation may be around the corner and the framework HIPAA creates may be worth applying to apps that contain personal health information.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on twitter @GilmerHealthLaw or on her blog at

Second Opinions and Dr. Google – Fun Friday

Posted on November 3, 2017 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I have a feeling that this cartoon might rub some people the wrong way. Although, on Fun Fridays I’m never one to pass up sharing something as funny as this.

The key discussion point in this cartoon is doctors’ frustration with patients who are already “self-diagnosed.” Rational people know that there’s a need for balance and respect, but not everyone is rational. Patients should respect the doctor and collaborate with them in their diagnosis process. If patients aren’t careful it’s easy to see how it can go too far and show a lack of respect to the doctor. That said….

It’s also easy to see how doctors can be disrespectful to patients. In today’s #HITsm chat, Erin Gilmer commented that patients wanted to be treated as equals. I suggested that “equals” wasn’t the right term since they weren’t equals. Doctors know some things that patients don’t know and patients know some things that doctors don’t know.

Erin then suggested the term “respected” which is what I used above and I think is a great term to describe how the doctor-patient interaction should be. They should equally respect each other. If that were the case, the above cartoon wouldn’t be so funny.

Patient Burnout – #HITsm Chat Topic

Posted on October 31, 2017 | Written By


We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 11/3 at Noon ET (9 AM PT). This week’s chat will be hosted by Erin Gilmer (@GilmerHealthLaw) on the topic of “Patient Burnout.”

“We talk a lot about physician burnout. When do we talk about patient burnout?”

A few weeks ago I tweeted this out and it seems to have struck a nerve. Patient (and caregiver) burnout is a topic that is not addressed nearly enough outside of patient communities. However, burnout needs to be recognized and acknowledged in order to understand the patient experience and to create new solutions to improve health.

Patients are tasked with a lot to maintain and improve their health – things like scheduling appointments, dealing with insurance, managing multiple medications at the pharmacy, preparing for and going to appointments, communicating with healthcare providers, coordinating care between providers, and following care plans at home. All of this is in addition to their everyday lives – including family, work, social lives, and more – and dealing with sometimes very disabling conditions or while in great pain.

Providers who recognize this burnout may be able to understand why a patient might be “noncompliant” and find ways to address the patient’s needs. And those in HIT who want to create real change can learn from the patient experience and work with patients to ease the burden patients face in managing their health.

Note: Before the chat, you might read: Rethinking the patient: using Burden of Treatment Theory to understand the changing dynamics of illness (open access).

Join us as we dive into this topic during this week’s #HITsm chat using the following questions.

Topics for This Week’s #HITsm Chat:

T1: What does patient burnout mean to you? #hitsm

T2: What would you like healthcare providers to know about patient burnout? #hitsm

T3: How could healthcare providers help you feel less burnt out? #hitsm

T4: What ways can technology help ease patient burnout? #hitsm

T5: What ways has technology made patient burnout worse? #hitsm

BONUS: What helps you deal with patient burnout? What advice would you give to other patients about burnout? Or what do you wish others had told you about burnout? #hitsm

Upcoming #HITsm Chat Schedule
11/10 – Medical Data Impact to Financial Health, Disability and Job Protection
Hosted by Kimberly George (@kimberlyanngeo) from @sedgwick

11/17 – TBD
Hosted by TBD

11/24 – Thanksgiving Break!

12/1 – Using Technology to Fight EHR Burnout
Hosted by Gabe Charbonneau, MD (@gabrieldane)

12/8 – TBD
Hosted by Homer Chin (@chinhom) and Amy Fellows (@afellowsamy) from @MyOpenNotes

12/15 – TBD
Hosted by David Fuller (@genkidave)

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.
