Health experts raise alarm over app data risks - health data risks
Health experts raise alarm over app data risks

The Confidentiality Coalition and the Workgroup for Electronic Data Interchange called on federal officials to fix gaps in health data protections that expose patients when using third-party apps.

In a March 24 letter to Health and Human Services Secretary Xavier Becerra and Commerce Secretary Gina Raimondo, the organizations highlighted how current laws fail to protect sensitive information once it leaves regulated healthcare systems. HIPAA covers only hospitals, insurers, and similar entities—not the apps patients use to track symptoms, manage prescriptions, or share records.

The coalition, which represents hospitals, health plans, and electronic health record vendors, pointed out that patients rarely receive clear details about how these apps use their data. The letter noted that providers face no obligation to verify an app’s security before sending patient information.

Related: Healthcare embraces innovation after pandemic shift

The Workgroup for Electronic Data Interchange, a nonprofit focused on health data exchange, supported the push for stronger oversight. While neither group proposed specific legislation, both stressed the need for federal guidance to prevent misuse of health information outside traditional healthcare settings.

Regulators have previously attempted to update health data rules. In 2020, the Centers for Medicare and Medicaid Services proposed a rule to improve electronic data exchange, which took effect last year. It mandates that health plans and providers adopt standardized APIs, simplifying patient access to and sharing of records. During HIMSS22, CMS Administrator Chaquita Brooks-LaSure said the measures still fall short of ensuring secure data sharing.

Many patients believe their health data remains protected regardless of where it goes. That assumption is often wrong. Apps collecting information directly from users, rather than through a doctor’s office, exist in a legal gray area.

Related: How Botox Therapy Can Help You Look Younger

The letter did not specify a timeline for action but urged the departments to explore policy changes. Options include broadening HIPAA’s scope, requiring app developers to disclose data practices more clearly, or establishing a certification system for apps meeting privacy standards.

Patients currently bear most of the responsibility. Many apps feature lengthy privacy policies, yet few users read or fully grasp them. The warning from these groups highlights how convenience often involves trade-offs, and in healthcare, those trade-offs can have serious effects.

Brooks-LaSure suggested additional rulemaking could arrive soon, with CMS potentially pushing for stricter data exchange requirements. Whether those rules will cover third-party apps is uncertain. For now, the letter’s authors contend the existing system allows too much risk.