
Out with the fax machine, in with the smartphone. In early February, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) released two proposed rules regarding interoperability. Much of the rules’ buzz centers on the standardization of APIs to make sharing patient data more useful and transferable. With Apple’s Health Records already having met these standards, one can imagine the number of apps and businesses eager to take advantage of the gap in interoperability and optimize personal health information (PHI).  

With great power comes great responsibility. Some entities already in the space have failed, a harbinger of what could come in health information technology. The same month CMS and ONC released the rules, The Wall Street Journal reported that apps such as Flo Health, an ovulation tracker, and Azumio Inc.'s popular heart-rate tracker submitted user data to a social network without notifying users through their privacy policies or terms of service.

A new study by the University of Toronto suggests that this was not an isolated incident. After examining 24 of the top-rated Android apps for health and medicine management in the U.S., U.K., Canada and Australia, the researchers found that 19 shared user data outside the app, though it is unclear whether users were informed in these cases. Consumer trust in this field is already weak: Rock Health's 2018 National Consumer Health Survey found that just 11 percent of respondents said they would be willing to share health data with technology companies.

If a company decides to join the health space, the onus is on it to go above and beyond in securing its consumers’ privacy and security. The business enters an entrusted relationship with a consumer who expects their most vulnerable parts—their health—to remain inviolate. Laxity or indiscretion with one’s PHI could lead to financial or identity loss, as traditionally feared.  

As society grapples with both the benefits and repercussions of living in an increasingly digitalized world, our concept of privacy and its abuses is shifting too. The University of Toronto’s study found health data can be commercialized when shared with digital advertising companies and consumer credit reporting agencies. Quinn Grundy, Assistant Professor at the University of Toronto Nursing Program, said, “We quickly realized that data is the currency for mobile health. This information is really valuable to commercial interests like drug companies, insurance companies, or anyone that wants to market products that have anything to do with health.” 

Those in the health space should ponder whether it is acceptable for someone to report to an app that they are trying to get pregnant, only to later see an advertisement for at-home ultrasounds. In what way is this different from shopping for a pair of shoes and seeing it appear on your social media feed the next day?

Considering the recent breaches and the changing face of the healthcare industry, entities must take all necessary precautions and follow privacy and security regulations. Sean Duffy, co-founder and CEO of Omada Health, a digital behavioral medicine company, recently outlined the steps a company in the space should take to protect a consumer's PHI. Below, we compare those steps with the ones Softheon has taken to secure its consumers' privacy and security.

First, Duffy said companies should comply with regulations. The bedrock legislation with which companies in the health space must comply is the 1996 Health Insurance Portability and Accountability Act (HIPAA). Title II of the Act sets up national standards for electronic health care transactions and addresses the security and privacy of health data, defining required administrative, physical and technical safeguards. Softheon, which is classified as a business associate under HIPAA, remains compliant by having a privacy official and training all employees on HIPAA policies and procedures.

Second, Duffy said companies should also inform regulations. As law struggles to keep pace with technological changes, companies in the space have a duty to help shape legislation to make it more effective. Softheon recently went to D.C. to meet with the staff of New York state senators and representatives, including Senator Chuck Schumer, Senator Kirsten Gillibrand and Representative Lee Zeldin, to inform them that infrastructure must be rethought to include technology, such as 5G.  

Third, Duffy said companies should keep compliance at their "core." Softheon employs a robust compliance and governance team that keeps privacy and security at the forefront of all product and business considerations. In accordance with our commitment to the compliance requirements and best practices of our industry, Softheon's approach to protecting the security and integrity of data hosted on our systems includes network segmentation: the practice of placing the most sensitive information deep behind firewalls, separate from the resources we expose to the internet. Softheon enforces role-based, least-access policies so that threats from inside and outside the organization are guarded against equally. We also maintain and follow formal procedures for scanning software code and live services for vulnerabilities and attack vectors, and for evaluating and applying security-related software patches, to give us the best defenses against malicious entities.
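To make the two controls named above concrete, here is an added illustration (not Softheon's code, and not a description of its systems) of a deny-by-default access decision for PHI that combines network segmentation, modeled as the zone a request originates from, with role-based least access. The role names, zones and resource classes are assumptions chosen for the example.

```python
"""
Added example: deny-by-default access decision for protected health data.
Models (a) network segmentation, as the zone a request comes from, and
(b) role-based least access. Roles, zones and resource classes are assumed
for illustration; they are not any real organization's configuration.
"""
from dataclasses import dataclass

# Constructed, illustrative mapping of role -> permitted (action, resource_class).
# Anything not listed is denied; there is no wildcard or "admin" catch-all.
ROLE_PERMISSIONS = {
    "clinician":    {("read", "phi"), ("write", "phi")},
    "billing":      {("read", "phi")},          # no write: minimum necessary
    "support":      {("read", "metadata")},
    "web_frontend": {("read", "metadata")},     # internet-facing tier never sees PHI
}

# Assumed zones. Only the internal zone may reach PHI stores; the DMZ hosts the
# internet-facing services and is limited to non-sensitive metadata.
ZONE_REACHABLE_CLASSES = {
    "internal": {"phi", "metadata"},
    "dmz": {"metadata"},
}


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    role: str
    action: str
    resource_class: str
    source_zone: str


def decide(req: AccessRequest, audit: list) -> bool:
    """Return True only when every check passes; append one audit line either way.

    Both checks run independently so the audit line records every reason for a
    denial, which is what an investigator wants when reviewing access logs.
    """
    reasons = []

    # Segmentation check: can this zone reach the requested resource class at all?
    if req.source_zone not in ZONE_REACHABLE_CLASSES:
        reasons.append("unknown zone")
    elif req.resource_class not in ZONE_REACHABLE_CLASSES[req.source_zone]:
        reasons.append("segmentation: zone may not reach resource class")

    # Least-access check: does the role hold exactly this (action, class) grant?
    if req.role not in ROLE_PERMISSIONS:
        reasons.append("unknown role")
    elif (req.action, req.resource_class) not in ROLE_PERMISSIONS[req.role]:
        reasons.append("least access: role lacks permission")

    allowed = not reasons
    audit.append(
        f"{'ALLOW' if allowed else 'DENY'} {req.principal} role={req.role} "
        f"{req.action} {req.resource_class} from {req.source_zone}"
        + (f" ({'; '.join(reasons)})" if reasons else "")
    )
    return allowed


if __name__ == "__main__":
    log = []
    decide(AccessRequest("dr_a", "clinician", "read", "phi", "internal"), log)
    decide(AccessRequest("svc_web", "web_frontend", "read", "phi", "dmz"), log)
    decide(AccessRequest("bill_b", "billing", "write", "phi", "internal"), log)
    print("\n".join(log))
```

The point of the structure is that a request from the internet-facing tier is refused twice over: the DMZ zone cannot reach the PHI class, and the frontend role holds no PHI grant, so a misconfiguration in one layer does not by itself expose records.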

Matt Schumpf, Softheon’s Managing Director of Governance, Risk and Compliance said, “What we have to remember is that privacy and security regulations are the baseline measurements for compliance. At Softheon, we are constantly assessing our policies and procedures to ensure our customers’ data is held to the highest possible standards.” 
