Worried about HIPAA compliance for your healthcare website or digital health app?
Consider a class action privacy lawsuit that came—and went—against MDLive.
MDLive received a class-action lawsuit alleging that MDLive did not protect patients’ protected health information. The lawsuit sought $5 million in damages.
In a nutshell, the complaint alleged that MDLive took screenshots of information entered by patients into the MDLive app and “covertly,” without notifying patients, shared these screenshots with TestFairy, an Israeli technology company that tracks user experiences and locates and reports on potential bugs inside the app.
The lawsuit apparently resolved without any paid settlement to the plaintiffs.
MDLive’s response, in Setting the Record Straight, was that:
- There was no data breach.
- MDLive complies with “all applicable privacy laws and regulations.”
- No data was shared with unauthorized third parties.
- TestFairy has no access to patient information that arises from patient-physician consultations.
Importantly, the Fact Sheet explains how MDLive does share information with third parties:
- “Authorized third parties are bound by contractual obligations and applicable laws to keep personal information confidential and use it only for the purposes for which we disclose it to them.”
This suggests several takeaways:
- Policies and procedures with respect to data breaches should also be in place, including policies with respect to disciplining employees responsible for sharing unauthorized PHI (protected health information) or other data breaches.
- To the extent that third parties would be considered Business Associates or subcontractors of the company under HIPAA, the company should have executed Business Associate agreements under which such third parties agree to abide by HIPAA.
- It was probably beneficial to MDLive that the information at issue did not involve patient information from patient-physician consultations, and presumably was only shared for the purpose of facilitating testing of the app.
A cardinal principle of HIPAA is that only the minimum necessary information should be disclosed to accomplish the intended purpose of the disclosure.
There’s no doubt that HIPAA is dangerous territory for any digital health, mobile health, telemedicine, or patient software company.
Even if HIPAA doesn’t apply, anyone who claims they are HIPAA compliant now has obligations under HIPAA. And state laws pertaining to the privacy and security of protected health information (PHI) also will come into play.