Digital Health Privacy: Growing Complexity


Thursday, May 19, 2022
01:30 PM - 02:30 PM Eastern Daylight Time
12:30 PM - 01:30 PM Central Daylight Time
10:30 AM - 11:30 AM Pacific Daylight Time

Please join us for a review of the increasingly complex privacy regulatory framework applicable to digital health products. We will examine when a mobile health app may be subject to regulation by the Office for Civil Rights (OCR), the Federal Trade Commission, or a state attorney general, and cover the latest regulatory developments and enforcement actions.

Key Takeaways

Overlapping Federal Jurisdiction

One overarching theme in digital health privacy is the overlapping jurisdiction of the Federal Trade Commission (FTC), the US privacy regulator with the broadest purview; the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA; and state attorneys general. The FTC has taken note of the vast volumes of health information that consumers share through mobile apps, wearable devices, and personal health records, referred to as consumer-generated health information.

CCPA and New State Privacy Laws

New consumer privacy laws have been passed in California, Virginia, Colorado, Utah, and Connecticut. Each of these laws includes an exception for HIPAA-covered entities, business associates, and/or PHI. However, digital health companies regulated by the FTC may also be subject to these laws if the agency applies its Section 5 regulatory authority to the detailed privacy policies mandated by the new state laws. For digital health businesses that do not qualify for its HIPAA exception, the California Consumer Privacy Act imposes new requirements.

Interoperability Rules Facilitate Patient Access

On May 1, 2020, CMS and ONC released regulations to implement Cures Act requirements for interoperability and patient access. Both final rules note that patients should be able to use certified health IT to access their health records through health apps using secure, standards-based application programming interfaces (APIs).

This approach gives individuals the ability to electronically access and share their health information with mobile applications of their choice. The CMS interoperability and patient access final rule also requires CMS-regulated payers to make information available to patients using their choice of health apps. CMS-regulated entities must implement and maintain a standards-based patient access API to support data exchange and empower patients using health apps.

When navigating this new digital health privacy landscape, keep an eye on the latest enforcement actions by the OCR, the FTC, and state attorneys general; review the latest guidance documents interpreting laws and regulations such as HIPAA and Section 5 of the FTC Act; and incorporate emerging privacy and security best practices, including privacy by design and security by design.

CLE credit: CLE credit in CA, CT, FL, IL, NJ (via reciprocity), NY, PA, and TX is currently pending approval.