New technologies are constantly making it easier for the average consumer to track and manage their own health. There are numerous apps, tests, and devices that cover everything from measuring your blood sugar to tracking your weight-loss goals.
These devices have helped millions of people save time and energy by letting them take their health into their own hands. Consumers beware, though: much of the personal information that you put into these health-based technologies can easily be picked up by third parties on the web. And the worst part? None of this information is currently protected by medical data privacy laws.
This information was discovered quite accidentally by a security expert, according to a ProPublica report. While examining the tech used for a home paternity test that she'd purchased, the expert found that making a small change to the information in the browser's address bar allowed her to see health information for over 6,000 other consumers.
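The flaw described above is a missing authorization check: the site looked up a record by the identifier in the URL without confirming that the logged-in customer owned it. The following is an added illustration, not code from the ProPublica report or from the test vendor; the record layout, the `RESULTS` table, and the function names are hypothetical, and the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class TestResult:
    result_id: int
    owner_id: int
    summary: str

# Constructed sample rows standing in for the vendor's results database.
RESULTS = {
    101: TestResult(101, owner_id=1, summary="probability of paternity 99.9%"),
    102: TestResult(102, owner_id=2, summary="probability of paternity 0%"),
    103: TestResult(103, owner_id=3, summary="sample rejected, resubmit"),
}

class Forbidden(Exception):
    """Raised when the caller may not view the requested record."""

def fetch_result_vulnerable(session_user_id: int, result_id: int) -> Optional[TestResult]:
    """Looks up the record by the id taken straight from the URL.
    The logged-in user is never compared with the record's owner, so
    editing the id in the address bar returns other customers' results."""
    return RESULTS.get(result_id)

def fetch_result_fixed(session_user_id: int, result_id: int) -> TestResult:
    """Same lookup, but the record is released only to its owner.
    A missing record and another customer's record are both reported as
    Forbidden, so the response does not reveal which ids exist."""
    record = RESULTS.get(result_id)
    if record is None or record.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not view result {result_id}")
    return record

def exposed_ids(fetch: Callable[[int, int], Optional[TestResult]],
                session_user_id: int, candidate_ids: list) -> list:
    """Returns the ids one logged-in user can read when trying each
    candidate id, which is how the scale of the exposure is measured."""
    readable = []
    for rid in candidate_ids:
        try:
            if fetch(session_user_id, rid) is not None:
                readable.append(rid)
        except Forbidden:
            pass
    return readable
```

With the vulnerable handler, user 1 can read every existing record; with the fixed handler, only record 101.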
As surprised as she was about this apparent breach of medical data privacy law, the fact that she could access this health directory is not actually illegal. In the U.S., health data is something that is very stringently protected by the government. The Health Insurance Portability and Accountability Act (HIPAA) requires medical providers to keep your health information private and secure. Those that fail to do so face stiff penalties for their negligence.
However, HIPAA is not a universal law. Only certain organizations – such as health care practitioners, health insurance companies, and “health care clearinghouses” – have to follow it, along with any employees that work for them. Any apps or devices that record health data do not have to be so careful with your information. In fact, they can do anything they want with that data.
After making her discovery, the security expert immediately reported what she thought was a violation to the Department of Human Services. They replied, telling her that there was nothing they could do about the breach since at-home apps and personal devices do not fall under their jurisdiction.
But why is there such a glaring weakness in this privacy law? When HIPAA was first created, those who drew it up did their best to make sure that there were as few loopholes as possible that could be exploited. Unfortunately, the law was created more than 20 years ago, when much of the technology that we have now did not even exist. There were no provisos made for things like apps or personal health devices, so they simply aren't covered under the law.
This giant loophole has been a problem for years now in different areas of the world. ProPublica reports that the full paternity and drug test records of an Australian business were easily found using a Google search in 2011. Police were able to use public genealogy records just last year to match DNA to crime suspects. Of course, there is always the threat that a third party could do something much more insidious with the personal information and health data of many consumers.
In order to rectify this lack of coverage, Congress asked the HHS and FTC in 2009 to make recommendations on how to update HIPAA. The organizations were charged with working together to find a solution on how to handle health data that is collected by new technologies - but six years later that report has still not been completed.