According to a report in Mobile Health News last month, Apple has a problem with patient-entered glucose readings in its Health app. Devices in the U.S. and some other countries measure blood glucose levels in “milligrams per deciliter” (mg/dL). In some other countries, the standard unit is “millimoles per liter” (mmol/L). The Health app is not able to accept manual entry of data in those units, so the company is going to release an update to the program so that it will not let users manually enter data unless it’s in mg/dL. The Apple HealthKit does support both units of measure, so presumably in the future Apple will be able to release a version of the Health app that accepts either one.
This problem simply highlights just how difficult it is to create data systems that are robust enough to handle the wide variety of information that is generated by consumer and clinical devices. This includes handling different units of measure and tracking them accurately. Add on the layers of data security and protecting patient privacy (such as required by HIPAA) and the task becomes positively daunting. If your running app miscalculates the distance you covered in this morning’s run by a multiple of 10, it’s just annoying. If a health app gets the units wrong on a measure used by healthcare professionals for diagnosis and treatment, the results can be catastrophic.
This misstep by Apple is not likely to improve its reputation among healthcare professionals for handling patient data. Apple’s response to the problem is available here.
As far as HIPAA is concerned for apps such as these, I would focus on the merits of who is accessing the data and from what data points, etc. More specifically, I would want to ensure that two-factor is in place. Two-factor authentication is essential for helping ensure the safety and security of Protected Health Information (PHI), no question about it. And even though two-factor is not specifically mentioned or discussed anywhere within the HIPAA Security Rule specifically, it is expressed indirectly within numerous supbarts of 164, such as information access and access control. Think about it, if you have employees or other workforce members accessing PHI remotely or outside of the trusted network, two-factor becomes highly essential, no question about, so use it! By the way, if you have to be PCI DSS compliant, two-factor authentication is a mandate. Lastly, using a password to authenticate into systems is nothing more than single factor done over and over again, and that’s NOT two-factor authentication.
Good points, Heather. Security is a critical component of any health- or medical-related personal data, and two-factor authentication is an important part of that.
Another issue that does not get discussed enough is the whole question of “depersonalizing” information so that it can be used for Big Data analysis of health and medical issues and trends. My concern is that it does not take too many data points to be able to identify someone uniquely, even without any identifiers. If you were to look for white males aged 63 with chronic atrial fib living in my zip code, I expect that the list of targets would be pretty small. Adding income level or some other triangulating data point could probably find me as a specific person. And then any data with my depersonalized identification code could be linked to me from that point on. Yet without tying all these data sources together, we can’t get the benefits of Big Data analytics.
There are a lot of privacy issues that must be dealt with before we reap the full value of the connected person and mobile Health Tech.