The healthcare field is beginning to hop onto the bandwagon of mobile computing. Mobile computing is spreading to healthcare in a number of ways. The first use case is in diagnostics, in which a doctor or nurse could use a device to monitor health metrics, such as vital signs (whether at hospital stays or simply during a routine check-up), glucose levels for diabetics, sleep data, caloric or nutritional intake and more. Using a mobile device allows the data to be delivered faster, and may even allow doctors to provide patients with real-time test results, sparing them the hassle and expense of making several trips to and from a lab or specialist in order to obtain the information necessary for an accurate diagnosis. Another possibility in the realm of diagnostics is using specialized mobile devices for imaging, such as ultrasounds. Some diagnostics are possible by affixing external hardware containing sensors to a general-purpose device.
Beyond diagnostics, patients may soon be able to use their mobile devices to maintain their own health care regimen via apps and hardware enabling them to monitor blood pressure and take preventive steps to control hypertension, judge air quality for asthma sufferers, or even conduct self-examinations for breast cancer. The possibilities are numerous, and could have a tremendously positive impact on both the length and quality of human life. However, there are serious privacy, security, and other legal concerns that must be addressed before the medical community plunges headlong into the world of mobile devices as tools for diagnosis and health care.
In California, the Confidentiality of Medical Information Act (CMIA) prohibits health care providers from disclosing patients’ private medical data without authorization. On September 9, 2013, Governor Brown signed AB 658, which extends CMIA to any business that offers software or hardware, including mobile devices and apps, to individual consumers for the management of their health care-related information, or for diagnosis or treatment purposes. This new law raises privacy issues, as many different parties, including the business offering a mobile app and service providers maintaining patient information collected by the app, are held to the confidentiality standards of healthcare providers, which preclude disclosing that data without explicit authorization from the patient.
The old version of CMIA covered healthcare providers, health plans, and their subsidiaries and affiliates. It also covered businesses that maintain health records or allow individuals to manage their own health information. In other words, it covered electronic health record service providers and personal health record service providers. AB 658 extends CMIA to “[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.” Cal. Civil Code § 56.06(b).
Note that the provision covers consumer software and hardware only. Mobile devices used by healthcare providers are not covered, presumably since the provider has an independent duty to comply with CMIA. However, healthcare providers should include and account for their mobile devices in their compliance programs, including the latest generation of mobile devices and medical apps.
AB 658 covers both diagnostics and wellness applications. For instance, a mobile app used to transmit blood sugar information to an online service for diabetes control would be covered. General wellness apps are covered if, for instance, they are sponsored by health plans for the purpose of coordination of care with healthcare providers under the plan. Even an individual’s own maintenance of wellness information appears to sweep in a provider of software or hardware used by the individual if it were used for management of a medical condition, such as obesity.
In any case, medical application software and hardware providers need to ensure their privacy practices comply with CMIA. Also, since some class actions have asserted CMIA violations for security breaches, these providers should review their information security practices as a matter of legal risk management. Finally, they should coordinate their existing privacy policies with these new CMIA provisions.
Stephen S. Wu
Partner, Cooke Kobrick & Wu LLP