Skip to main content

CHIME Backs Effort to Protect Patient Data in mHealth Apps

Analysis  |  By Scott Mace  
   November 01, 2022

The Federal Trade Commission is weighing options to respond to health data winding up in the wrong hands.

Companies receiving healthcare data through avenues like mHealth applications on mobile devices should be regulated further, according to a trade association of healthcare CIOs.

The College of Healthcare Information Management Executives (CHIME) has submitted comments in response to the Federal Trade Commission's August 11 advance notice of proposed rulemaking. A 60-day public comment period followed the notice's publication in the Federal Register.

"A recent estimate by IQVIA Institute for Human Data Science pegged the number of health-related apps at 350,000," Russell P. Branzell, president and CEO of CHIME, said in the organization's letter to the FTC. "Given the explosion in mobile apps and data aggregation practices, it is entirely possible that the amount of health data held by entities who are not required to comply with HIPAA exceeds the data held by those who are HIPAA-covered entities, certainly a concerning development."

The FTC is seeking comments on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as how they transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.

CHIME said it supports these efforts, using existing authority under the Health Breach Notification Rule to hold non-HIPAA-covered third parties, such as vendors of personal health record (PHR) software and apps, responsible when they illegally disclose – intentionally or not – covered information.

"Actions from the FTC will make a consumer’s data more secure and help ensure that those entities who have a breach of this crucial private data are held accountable," Branzell said. "Not only does it hold bad and unsecure actors accountable, but it also creates a disincentive that urges all businesses with PHR and PHR-related entities to strengthen their data security practices."

Scott Mace is a contributing writer for HealthLeaders.

Get the latest on healthcare leadership in your inbox.