Telehealth App Lawsuit Spotlights Privacy QuestionsLegal Experts Note Regulatory and Other Gaps
A class action lawsuit against telehealth software vendor MDLive shines a spotlight on regulatory gaps and other murky privacy and security issues related to the growing use of consumer health applications.
See Also: Ransomware: The Look at Future Trends
The lawsuit says MDLive violated consumers' privacy by allegedly collecting and disclosing patients' confidential medical information to a third-party technology vendor that provides app testing services to MDLive.
Some legal experts say the case highlights regulatory gaps and other murky privacy and security issues related to the growing use of consumer health applications.
The MDLive situation "is the kind of thing that exposes a growing, substantial gap where HIPAA does not apply," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "A gap has always existed, but now there are more situations falling into the gap. When HIPAA was written, mobile health apps, personal health records, and many other apps didn't exist."
The lawsuit filed in a federal court in Florida claims that MDLive, which operates in Sunrise, Florida, but is incorporated in Delaware, committed intrusion of privacy, breach of contract, fraud, and other violations related to consumers who downloaded the company's telehealth app. Court documents note that although the app is free to download, patients pay $49 for a virtual doctor consult.
The complaint alleges that MDLive, without notifying patients, programmed its app to transmit screenshots of consumers' personal and sensitive health information to an overseas third-party Israel-based tech company, TestFairy, that provides application performance testing on Android and iOS mobile apps.
"MDLive takes an average of 60 screenshots of a patient's screen," the lawsuit says. "By design, the screenshots capture all the sensitive medical history information entered by the patient," including health conditions, medications, allergies, behavior health history and family history, according to the suit.
"Without notifying patients, MDLive programmed the app to transmit those screenshots to TestFairy ... [which] works to 'insert the necessary hooks to gather information' about an app's user experiences and to possibly identify bugs," the suit says.
The complaint says TestFairy uses "live data" and directly tracks user interactions within an app to test software applications.
However, TestFairy "is not a healthcare provider, and MDLive patients are not made aware that MDLive will send their medical information to TestFairy in near real time," the suit notes.
The lawsuit claims that MDLive secretly monitored, collected and transmitted consumers' usage of the MDLive App "by taking consecutive screenshots of patients' screens, which revealed specific details regarding their personal health and medical information."
In addition, the complaint alleges MDLive permitted TestFairy to "store and/or control" medical information of consumers without encrypting the screenshot images or allowing consumers to grant restrictions on the individuals permitted to access their health information.
As a result, plaintiffs' "privacy was violated, causing them to suffer embarrassment, anxiety, and concern regarding the safety and confidentiality of their medical information."
Because the MDLive mobile app software is available by download directly by consumers, and doesn't appear to involve electronic health insurance related transactions, it doesn't appear to fall under the umbrella of HIPAA, says attorney Steven Teppler of Abbott Law Group.
But even if the MDLive software situation did fall under HIPAA, the regulations don't require that patients be informed about the individual business associates and subcontractors who might handle their protected health information as part of the technology or other services provided to a HIPAA covered entity or business associate.
"A hospital, for instance, could have 2,000 vendors, and that's not disclosed to patients," Nahra says.
Under HIPAA, a business associate agreement is needed between vendors and subcontractors that handle PHI on behalf of a covered entity, but even in those cases, "consumers don't generally know what's going on, it just happens," he says."
Privacy attorney David Holtzman, vice president of compliance at security consulting CynergisTek notes: "In this case, the complaint does not allege that MDLive was a HIPAA business associate to the healthcare providers that provided treatment to the individuals who used the service. The HIPAA Rules do not require a covered entity or their business associates to disclose to individuals the existence or identify of contractors or subcontractors who create, maintain or transmit protected health information. The HIPAA Rules require that the CE or BA obtains satisfactory assurance in the form of a business associate agreement have that the contractor or vendor will appropriately safeguard the information."
Privacy Violation, or Not?
Also, unless the MDLive privacy notice for the app was "buried" and not easily accessible by consumers, Teppler notes that MDLive's website indicates that MDLive may also disclose personal information that the company collects "to contractors, service providers and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them."
One potential question is whether TestFairy used the MDLive data collected from consumers only for purposes such as helping MDLive improve the performance of its app, Teppler notes.
But Holtzman says it is common for mobile health apps to disclose an individual's information to third parties. "A 2014 study of diabetes apps conducted by the Illinois Institute of Technology Chicago-Kent College of Law found that over 75 percent of the apps routinely shared information with third parties which was collected by tracking the users' location, activating the camera, activating the microphone or modifying or deleting information," he notes.
"Mobile health apps often collect and transmit sensitive medical data, including disease status and medication compliance. Consumers are often left on their own to assess and interpret the privacy risks posed by disclosing information through these apps because many health care apps are not subject to government oversight or regulation," Holtzman says.
However, controversies like the one involving MDLive potentially could draw the attention of other regulators, such as the Federal Trade Commission, Nahra notes. For example if health app privacy notices are misleading, or "if the application works in ways that people don't understand," FTC could step in, he says.
Aside from the regulatory gaps that are illuminated by the MDLive case, in order for plaintiffs in that class action lawsuit to succeed, "they need to show the harm," Nahra says.
While the lawsuit charges MDLive with breach of contract, the complaint does not allege that a data security breach or other cyber-related incident occurred compromising consumer information.
In a statement to Information Security Media Group, a MDLive spokesperson says, "Protecting patient privacy and confidentiality is a top priority for MDLIVE. We have confirmed that patient information is safe and we have located no evidence of any breach of HIPAA. Our services, policies and procedures are designed to keep personally identifiable information secure and meet the strictest legal and regulatory standards. The claims of this lawsuit are entirely without merit, and we will immediately seek its dismissal."
TestFairy did not immediately respond to ISMG's request for comment on the lawsuit.
Several mobile health application vendors have also recently been the focus of scrutiny by regulators in New York State due to their privacy practices (see NY Deals With App Vendors Could Fuel More Privacy Actions).
Eric Schneiderman, New York State's attorney general, recently announced settlements with three mobile health application vendors - Matis Ltd., Runtastic GmbH and Cardiio Inc. - over misleading privacy and marketing practices. Settlements totaling $30,000 with those vendors, which sold their mobile health apps online, were the result of a year-long investigation by the attorney general's office.
Holtzman notes that the FTC has created a web-based tool in conjunction with the FDA and Department of Health and Human Services to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.
"The guidance tool asks developers a series of questions about its function, the data it collects, and the services it provides to users. Based on the developer's answers to those questions, the guidance tool will point the app developer toward detailed information about federal laws that might apply to the app."
Also, Holtzman suggests consumers be mindful of their privacy when using health apps.
"Consumers are often left on their own to assess and interpret the privacy risks posed by disclosing information through these apps because many health care apps are not subject to government oversight or regulation," he says. "Consumers have to be diligent in understanding what information they are disclosing through the app, how it is being collected and what will be done with it. Research apps thoroughly before downloading," he suggests.