Can HIPAA Compliance Derail your Healthcare Website or Digital Health App?

Worried about HIPAA compliance for your healthcare website or digital health app?

Consider a class action privacy lawsuit that came—and went—against MDLive.

MDLive received a class-action lawsuit alleging that MDLive did not protect patients’ protected health information. The lawsuit sought $5 million in damages.

In a nutshell, the complaint alleged that MDLive took screenshots of information entered by patients into the MDLive app and “covertly,” without notifying patients, shared these screenshots with TestFairy, an Israeli technology company that tracks user experiences and locates and reports on potential bugs inside the app.

The lawsuit apparently resolved without any paid settlement to the plaintiffs.

MDLive’s response, in a fact sheet titled Setting the Record Straight, was that:

  • There was no data breach.
  • MDLive complies with “all applicable privacy laws and regulations.”
  • No data was shared with unauthorized third parties.
  • TestFairy has no access to patient information that arises from patient-physician consultations.

Importantly, the Fact Sheet also explains how MDLive does share information with third parties:

  • “Authorized third parties are bound by contractual obligations and applicable laws to keep personal information confidential and use it only for the purposes for which we disclose it to them.”
  • “Our privacy policy tells members who register that we may disclose their personal information to contracted third parties we use to support our business, such as the use of the TestFairy tool.”

This suggests several takeaways:

  1. If a company claims HIPAA compliance, then the company should be sure to have in place not only a Privacy Policy, but also all the policies, procedures and forms required under HIPAA, as well as the other planks of HIPAA compliance such as HIPAA training for the entire workforce and the appointment of HIPAA Privacy and Security Officials.
    Policies and procedures for data breaches should also be in place, including policies for disciplining employees responsible for unauthorized sharing of PHI (protected health information) or for other data breaches.
  2. The Privacy Policy should contain language allowing the company to disclose personal information to contracted third parties that the company uses to support its business operations.
  3. To the extent that third parties would be considered Business Associates or subcontractors of the company under HIPAA, the company should have executed Business Associate agreements under which such third parties agree to abide by HIPAA.
  4. It was probably beneficial to MDLive that the information at issue did not involve patient information from patient-physician consultations, and presumably was only shared for the purpose of facilitating testing of the app.

A cardinal principle of HIPAA is that only the minimum necessary information should be disclosed to accomplish the intended purpose of the disclosure.

There’s no doubt that HIPAA is dangerous territory for any digital health, mobile health, telemedicine, or patient software company.

Even if HIPAA does not apply directly, anyone who publicly claims to be HIPAA compliant takes on the obligation to actually meet HIPAA’s requirements. State laws pertaining to the privacy and security of protected health information (PHI) will also come into play.

Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.