While tech companies looking to provide health solutions must figure out early on whether they are HIPAA-regulated, HIPAA is not the be-all and end-all of privacy law. Even entities not regulated under HIPAA must abide by other privacy rules, including a wide array of state privacy laws. On December 6, 2012, in the state’s first legal action under its online privacy law, California Attorney General Kamala Harris filed a lawsuit against a major airline for not including a privacy policy in its smartphone app. The complaint alleges violation of California’s Online Privacy Protection Act, which requires certain operators of commercial websites and online services that collect personally identifiable information to conspicuously post privacy policies. Laws of this kind, which cover personally identifiable information in general, have a much broader reach than HIPAA, which applies only to covered entities and their business associates handling protected health information. Even companies not regulated under HIPAA must therefore take such state laws into account, and given the potentially severe penalties, noncompliance could be devastating. For example, California seeks penalties of $2,500 per violation, and the complaint defines a violation as each copy of the app downloaded by a California consumer, so the exposure scales with the size of the user base. Moreover, simply having a privacy policy will not be enough. While this lawsuit targets the airline for not posting a privacy policy at all, state legislation and enforcement will increasingly focus on the content of such policies to ensure that consumer information is adequately protected.
Additionally, companies need to be mindful of federal privacy laws. For example, the Federal Trade Commission has become increasingly concerned with the failure of children’s-app developers to explain to parents what kinds of personal information the apps collect from children. The problem is widespread: the FTC reviewed 400 popular children’s apps and found that only 20 percent disclosed their data collection practices. Such nondisclosure could violate the Children’s Online Privacy Protection Act, a federal law that requires operators of websites and online services to obtain parental consent before collecting or sharing certain information from children under 13. The FTC is in the process of tightening these protections, but not without pushback from major tech companies, which claim that the FTC’s proposals could inhibit the development of apps and other services for children. However, children’s-app developers are not the only entities that should watch these developments. The FTC is investigating a wide array of app and internet activity, including activities that intersect more directly with healthcare, such as peer-to-peer file sharing and certain online advertising practices.
Figuring out whether your telehealth company is regulated under HIPAA is certainly of the utmost importance. But even if your telehealth company is not HIPAA-regulated, you are not out of the woods yet. As we venture further into the age of mobile computing, and the associated privacy concerns become more widely publicized, states and federal agencies will be increasingly vigorous in going after telehealth companies that collect personal information.