phi Archives - Page 2 of 7 - LuxSci

Posts Tagged ‘phi’

HIPAA Compliant Forms

Saturday, February 3rd, 2024

When it comes to digital data collection, there is often a lot of uncertainty surrounding HIPAA compliant forms.

Do Healthcare Websites Need HIPAA Compliant Forms?

We often have customers ask if their website forms need to be HIPAA compliant.

The short answer is that securing patient data is always recommended. You never know what types of information individuals will volunteer in an online submission. It is always a good idea to prepare for the possibility of sensitive information being entered into an online form to build trust with your users.

Criteria for HIPAA Compliant Forms

HIPAA requires that all Protected Health Information (PHI) be secured to protect the privacy of the individuals identified in the PHI. If your form falls into both of the following categories, it must conform to HIPAA standards:

  1. You are a Covered Entity or Business Associate and,
  2. The form collects PHI.

Let’s look at the two criteria to determine if your forms need to be HIPAA-compliant.

1. Does HIPAA Apply to Your Organization?

HIPAA applies to your web form if your organization is a Covered Entity. It also applies if you are a Business Associate of a Covered Entity and collect data on their behalf.

HIPAA defines a Covered Entity as an organization that falls into one of the following categories:

  1. Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other items by a prescription.
  2. Provider: A provider of medical or health services or any other person or organization who furnishes, bills, or is paid for health care.
  3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information.
  4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many organizations and government programs as health plans.

Covered Entities contract with Business Associates to process PHI on their behalf. In this scenario, a good example of a Business Associate is a website developer or marketing agency hired to create a website or application for a Covered Entity. They are responsible for protecting PHI on the website and must comply with HIPAA regulations.

2. Does the online form collect PHI?

So, HIPAA applies to your organization. Next, we must determine if a particular web form needs to be compliant. The second criterion is, does the form collect Protected Health Information?

What is ePHI?

ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:

  1. Past, present, or future physical or mental health
  2. Past, present, or future provisioning of healthcare
  3. Past, present, or future payment-related information for the provisioning of healthcare

“Individually identifiable” information includes all information used to determine which specific individual is involved. There are 18 identifiers for an individual (listed below), and together with health information, they constitute PHI.

  • Name
  • Address (all geographic subdivisions smaller than the state, including street address, city, county, and zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

As you can see, a lot of data qualifies as “health information,” and just about every type of web form will collect individual identifiers. Even if your form doesn’t request health information, sometimes people will volunteer it to get faster responses. Covered entities are responsible for securing this data in compliance with HIPAA regulations. In many cases, it’s easier to make all online forms HIPAA-compliant rather than trying to lock them down to prevent the insecure transmission of health data.

Examples of HIPAA Compliant Forms

Some online forms are explicitly designed to collect protected health information. Here are some examples of web forms that generally must be secured to meet HIPAA compliance standards:

  1. Appointment and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, requesting an appointment may imply information about “an individual’s past, present, or future physical or mental health or condition.”
  2. Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. These forms collect identifiable information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples of forms that might not be considered to collect PHI (depending on the exact context of the site) because, while they are individually identifiable, they may not include or imply health information for that individual:

  1. Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
  2. Purchases of products that do not require a prescription: Purchasing a product does not imply who is to use it unless that product is restricted (e.g., via a prescription). Of course, this may also depend on whether you collect health information as part of the purchase for future marketing purposes.

Anything that identifies the person and relates to that person’s health or healthcare should be considered PHI and protected. It’s also important to note that as technology has advanced and online tracking has become ubiquitous, it’s possible to infer more about an individual and their health conditions indirectly. It is essential to proceed cautiously and recognize that even the smallest piece of information you collect about a website user is part of a more extensive online profile.

Other industries can get away with not being secure. But why would you? People are afraid and paranoid about identity theft and information leakage on all sites, not just ones related to medical information. Anything a website can do to make visitors more comfortable and secure will improve trust and conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form that patients can click to consent to use an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form.

This practice is highly advised against and is almost certainly not HIPAA-compliant. If you have a compelling reason to use this method, you should consult with a lawyer to ensure it is okay.

To understand why this is a bad idea, consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

  1. You and the patient agree that insecure transmission is okay,
  2. The patient has been appropriately advised of the security risks involved,
  3. The patient agrees in writing that insecure transmission is okay, and
  4. The option for HIPAA-compliant transmission is available by implication.

However, this overcomplicates the process. It is much simpler to have secure web forms by default. You will not need to provide waivers, keep track of who has opted in/out, and maintain two different submission options.

The only case where this could be considered possibly under the HIPAA radar (again, please consult your lawyer) is if:

  1. Your insecure form has a clear section advising the users of the risks of submitting their data via this form.
  2. That warning is understandable to most laypeople without further explanation.
  3. They must check a box (or sign their name) to consent to the insecure form transmission.
  4. You may need to show that they understood and agreed to the risks and didn’t just click without reading.
  5. When you collect the form data, you save and archive all of these consent agreements in case of a breach, and you need to prove that insecure sending was allowed and the user was well informed of the risks.
  6. You have another option available to the user if they do not accept the risks, e.g., submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.

You burden the end-user significantly by adding warnings and consent to online forms. No one wants to read through disclaimers and checkboxes before completing a submission on a general website form. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warnings, just simple, secure submission.

Conclusion: Set Up HIPAA-Compliant Online Forms Today

LuxSci’s Secure Form solution is designed to meet HIPAA compliance requirements for online data transmission and storage. Contact our sales team today to learn more about our options for secure online engagement.

Overcoming Barriers to Successful Digital Health Patient Engagement

Tuesday, October 31st, 2023

Effective patient engagement is a goal for many healthcare organizations because of the benefits. When patients are engaged in their healthcare, illnesses are diagnosed sooner, bills are paid faster, and patient satisfaction is increased, leading to better business outcomes for the healthcare organization. Advances in technology have made it easier to achieve successful digital health patient engagement. Nevertheless, barriers remain when using digital channels to engage patients effectively. This article discusses the main barriers to digital patient engagement and how to overcome them to drive better results.

Barriers to Digital Health Engagement

Patient engagement involves encouraging patients to make informed decisions about their health. Engaged patients are activated patients, meaning they participate in positive behaviors to manage their health. Proactive management of healthcare conditions helps improve outcomes and achieve lower costs. Digital health tools offer scalable ways to engage patients but must be thoughtfully implemented and deployed to achieve the best results.

Let’s review the most common barriers to digital health patient engagement and potential solutions for these issues.

Limited Access to Technology

Digital patient engagement tools may be a poor choice for patients without access to the internet, smartphones, or other digital devices. Though broadband access and smartphone use have risen over the past few years, the individuals without access are often the most in need of patient engagement efforts.

Solution: Invest in Consumer Technology

Some organizations have experimented with providing low-income, at-risk populations with the tools they need to monitor their health digitally. Providing smartphones, internet-connected medical devices, and even mobile hotspots can help increase access to digital health tools that drastically improve patient lives.

Low Health Literacy

If you’ve ever received a bloodwork report and struggled to understand what it meant, you can relate to the struggles that patients with low health literacy face. Suppose the digital health patient engagement tactics you employ are heavy with medical jargon and unclear to lay people. In that situation, patients cannot act on the information to improve their health.

Solution: Create Content for Users

Strip technical jargon from patient communications and keep patients from being overwhelmed with information. Engagement messages should be easily understood and clearly define the patient’s next step.

For example, if you use remote patient monitoring tools for patients with diabetes and send weekly reports on their average A1c levels, you must 1) make sure the patient knows what the reading means and 2) provide a clear direction for what the patient should do with that information. If the reading is too high, clearly state that and provide some next best steps. If the reading looks good, celebrate that and encourage them to continue to make the right choices to manage their diabetes.

Privacy and Security Concerns

It’s no secret that healthcare data is valuable to cybercriminals, and many high-profile breaches have made patients wary about digitally sharing health information. Patients may be concerned about the privacy and security of their personal health information, particularly if they are unsure how it is used.

Solution: Invest in Tools Designed for HIPAA Compliance

Ensure that the digital tools you use to engage with patients have recommended security features, including encryption and access controls like multifactor authentication. You can also work with your legal and security teams to craft policies that outline how patient data is used and when it will be securely disposed of. Patients have a right to control their data, and these policies can help build trust and increase confidence in your patient population to boost the adoption of digital health tools.

Limited Provider Support

Patients may be less likely to engage with digital health tools if they do not receive adequate support or encouragement from their healthcare providers. Even basic patient portals are more likely to be used by patients to review their health information once they are prompted by their healthcare provider.

Solution: Work with Providers to Encourage Adoption

Digital health patient engagement tools must have buy-in from providers to be effectively deployed. Eighty-five percent of patients say they always trust their healthcare providers, meaning their support can influence patient adoption rates. Having providers explain the solution, why it is in use, and how patients can utilize it to improve their health can significantly increase engagement with the tools.

Age and Cultural Differences

Patients of different ages and cultural backgrounds may have different preferences and expectations regarding digital health tools. We are all familiar with the stereotypes of older people not understanding how to use technology. That does not mean digital health engagement tools cannot be used, but they must be deployed in a culturally specific way.

Solution: Improve Accessibility and Invest in Training

Based on the patient’s comfort level with technology, allocate resources to help educate and train individuals on how best to use the tools. Make sure any technology you use is adequately designed to support individuals with disabilities, i.e., is accessible by screen readers and can support assistive technologies. Also, make sure the digital health tools support the patient’s first language and are personalized to their cultural context.

Lack of Personalization

Digital health engagement tools that do not account for individual patient preferences or needs may not be as effective at engaging patients as tools tailored to their specific needs. After the 2020 pandemic, patients have higher expectations for personalized digital experiences. 90% of patients surveyed want to receive communications that reflect where they are in their healthcare journey. If your tools cannot provide a personalized experience, you may be annoying patients rather than helping them.

Solution: Adopt Tools That Enable the Use of PHI

Use digital health engagement tools that are secure enough to transmit protected health information. When patient data is adequately protected, it can be used to transform your digital patient engagement efforts and improve the patient experience.

Conclusion: Successful Digital Health Patient Engagement Starts with the Right Tools

Digital health tools for patient engagement can be quite effective if properly configured and deployed. When looking at ways to improve patient engagement, ensure you are using tools that are easy for patients to use and fit seamlessly into their day-to-day lives. With over 90% of adults already using email, secure email messaging is an effective way to reach patients and provide them with the information they need to improve their health. Contact LuxSci today to learn more strategies for improving patient engagement with digital health tools.

How Online Tracking Technologies & Data Collection Threaten Patient Privacy

Tuesday, October 10th, 2023

Many healthcare marketers use online tracking technologies to gather user information as they interact with a website or mobile application. After several breaches tied to improper uses of third-party tracking pixels, the Department of Health and Human Services has clarified that data collected via online tracking technologies are often PHI and must be secured according to the Privacy Rule. This decision has put many organizations at a crossroads: how can they balance patient privacy with the financial pressures to grow their business and provide a superior digital experience?

What are Online Tracking Technologies?

Tracking technologies collect information about website visitors in various ways, many of which are invisible to the user. Some of the most common types of tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps also include tracking codes within the application to enable the collection of user information.

After the information is collected, it is analyzed to create insights about users’ online activities. Marketers often use the data to create highly targeted advertising campaigns. In the case of third-party tracking technologies, they may continue to track users and gather information about them even after they leave and visit other websites. You’ve likely experienced this when online shopping. You look at a pair of shoes on a retailer’s website, and then they continue to follow you and appear as ads as you browse other websites and social media platforms. However, if you replace ads about shoes with advertisements for treatments for an individual’s medical conditions, this raises serious patient privacy concerns.

What Does HIPAA Say About Online Tracking Technologies & Data Collection?

Online tracking technologies have been widely utilized for over a decade but have only recently been considered in the context of health data privacy. The Dobbs vs. Jackson Women’s Health Organization decision by the Supreme Court in June 2022 kicked off a wave of reporting on how reproductive health information was collected and sold online. Some worried that this information could be used in court cases to convict people who sought abortions, leading to significant concerns over digital health data privacy.

In this context, researchers began looking at the websites of major health systems to explore how they used trackers to collect and transmit data. A study revealed that 99% of US hospitals employed online data trackers that transmitted visitors’ information to a broad network of outside parties, including major technology companies, data brokers, and private equity firms. Some hospitals even employed these trackers on internal patient portal web pages, potentially exposing highly sensitive patient data to advertisers.

As a result of the confusion surrounding this issue and the seemingly clear violation of HIPAA rules, OCR issued a bulletin explaining how covered entities can and cannot use tracking technologies on their websites.

You would think that is the end of the story. However, there is still a lot of confusion surrounding the proper use of these technologies. In July 2023, the FTC and OCR issued another warning to 130 hospital systems that continued deploying online tracking technologies despite the bulletin.

Gray areas still exist in how the bulletin is interpreted. The American Hospital Association recently asked OCR to reconsider its guidance, stating it contradicts interoperability efforts. As this situation evolves, healthcare providers must be aware of the risks of online tracking technologies and how they can balance risk with their business objectives.

How is this Data Protected Health Information?

One of the reasons this issue flew under the radar for so long is that it is not necessarily obvious that the information collected by these pixels qualifies as PHI. It may not be evident to end-users, but tracking technology vendors can infer a lot of personal data through tracking technologies placed on a healthcare provider’s website. Some of the information that can be captured by tracking technology could include:

  • medical record numbers
  • email addresses
  • appointment dates or requests
  • IP addresses
  • medical device IDs
  • geographic locations

Marketers may not realize that individually identifiable information collected on a covered entity’s website or mobile app is often protected health information (PHI). Even if the individual has no pre-existing relationship with the healthcare provider, DHHS’s recent update is clear that this information is protected. Collecting this information establishes a relationship between a covered entity and an individual relating to their past, present, or future provisioning of health care. A visit to a healthcare provider’s website may be the first step taken by a future patient in accessing healthcare treatment.

There is always some gray area when defining PHI, but it’s better to be safe than sorry in this case. If you are using any online tracking technology, you must confirm that it is processing and transmitting data in a way that aligns with HIPAA regulations.

How Healthcare Marketers Can Protect Patient Privacy

First of all, if you plan to use tracking technology on your website, the vendor needs to be a business associate of your organization. In these circumstances, covered entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) that outlines how PHI will be protected.

Think carefully about what data needs to be collected and why. In other industries, collecting user data and selling it to third parties or using it in advertising efforts is very common. Healthcare marketers must be more intentional in using online tracking technologies and take additional steps to ensure the data is processed and transmitted securely. Do not install tracking pixels without careful consideration. As many hospital systems learned, failing to do so can have profound privacy and compliance implications.

If you want to follow up with patients who browsed your website for available appointments, you must ensure their data is secure from when it is collected through the transmission to other systems. For example, a patient may enter their name, email address, phone number, and desired appointment time into an online form. When they click “Submit,” where and how is this data transmitted and stored? As they browse the available appointments and doctors, your system may log which web pages they visit and store them in a CRM, CDP, or another platform. If they leave without making an appointment, what do you do with the data you collect? If you transmit this data to other advertising or marketing platforms, you will also need business associate agreements with those vendors. As you can see, it can get complicated very quickly.

HIPAA-Compliant Marketing Technology

LuxSci’s Secure Form and Secure Marketing technologies offer a few ways to address the patient privacy issues associated with online data collection and transmission. Our fully HIPAA-compliant solutions enable you to securely collect data on your website and use secure email to engage prospects. Contact our sales team to learn more today.

Digital Strategies to Address Health Equity

Wednesday, July 5th, 2023

According to a HIMSS Market Insights study, nine out of ten healthcare executives see health equity as a top business priority. Improving health equity can drive value for other business metrics, including patient satisfaction, provider retention, health outcomes, and cost reduction. Email is an excellent way to address health equity issues, thanks to its widespread adoption across different ethnic and demographic groups.

What is Health Equity?

According to the CDC, health equity is “achieved when every person has the opportunity to attain his or her full health potential and no one is disadvantaged from achieving this potential because of social position or other socially determined circumstances.”

Under President Biden, the Department of Health and Human Services has prioritized health equity in response to the COVID-19 pandemic. COVID-19 highlighted the healthcare system’s racial, economic, and social disparities. For example, COVID-19 killed Black, Latino, and Indigenous people at double the rate of White people. Native Hawaiians and Pacific Islanders remain three times more likely to contract the illness than White people. Addressing the social, cultural, racial, and economic factors contributing to this disparity is essential to improving individual and population health.

Improve Health Equity with Email Communications

Email is an excellent tool for patient engagement because of its widespread adoption across different demographic groups. As you can see in the data below, email has an overall adoption rate of 92%, and across all age and ethnic groups surveyed, adoption rates are above 80%.

[Figure: email usage charts by age and ethnicity]

Unlike phone numbers and addresses, email addresses seldom change because of economic instability. Email addresses are free to create and are typically accessed at least once a day. Broadband access continues to expand, though it still presents a barrier to email communication. However, even when broadband is unavailable, slower connections still permit text-based emails to be sent and received. Email is reliable, easy to use, and widely accessible to most individuals, making it an excellent channel for patient engagement.

The Technical Advantages of Email

Email also offers several advantages on the technical side to address digital health equity. Email’s main benefit is its ability to be personalized at scale. When using a secure email provider like LuxSci, you can create groups or segments of patients and send them relevant information about their health conditions or risk factors. These workflows can be automatically triggered when certain criteria are met to streamline operations and improve efficiency.

Thanks to the nearly universal use of EHR systems, healthcare marketers can access a wide variety of first-party patient data. Health records not only contain information about health conditions, but also information about patient demographics and preferences.

Intelligent marketers can use this data to close care gaps and improve health equity. Let’s take a look at an example.

An Example of Personalization and Segmentation to Address Health Equity

There are so many options when it comes to segmenting your patient population. To address health equity, you can use information like the patient’s native language and communication preferences to create personalized messaging. By doing so, you can increase response rates and close care gaps.

For example, say you have a significant portion of your patient population that speaks Spanish, and they are more likely to miss an appointment or not schedule a follow-up. How can you drive appointment attendance and reduce churn? The first step is to create an audience segment composed of patients who speak Spanish as their first language. Next, create email messages that are designed for the audience. This means writing the subject line and email contents in Spanish and using imagery they can identify with. But you can do more than that. Point people in this audience to schedule appointments with doctors who are fluent in Spanish. If there are other reasons this audience struggles to attend appointments, extend opportunities to help them with transportation, child/elder care, or access healthcare outside of regular working hours. Once you understand the barriers to attending appointments, you can extend personalized offers that help increase attendance and improve health outcomes.

Most importantly, email allows you to test messaging and see what’s working. Review your campaign statistics and adjust your messaging to reach the most people and improve health equity among your patient population.

Conclusion

As we have seen, email is a highly effective way to engage marginalized patient populations. However, don’t forget about HIPAA compliance! Communications personalized and segmented using ePHI need to be secured.

LuxSci offers secure email services designed to meet HIPAA requirements. If you want to learn more about addressing health equity with secure communications, please contact us today.

The Future of Protected Health Information

Wednesday, May 10th, 2023

HIPAA was introduced in 1996 to protect patient privacy and enable individuals to control their health records. However, over the last 30 years, the proliferation of technology has enabled patients to collect, transmit, and store personal health data in ways that were unimaginable to the original authors of the legislation. This article discusses how the definition of protected health information may expand in the future to account for new types of data, covered entities, and technologies.

Protected Health Information Today

Under the current iteration of HIPAA, protected health information, or PHI, is defined as “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data must be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with health data, would constitute PHI.

In addition, under today’s HIPAA rules, only covered entities and business associates must abide by the regulations. Covered entities fall into three categories:

  1. Healthcare providers – Hospitals, doctors, clinics, pharmacies, nursing homes, psychologists, and other providers.
  2. Health plans – Health insurance companies, company health plans, HMOs, and Government-paid health care plans such as Medicare are all considered health plans.
  3. Healthcare clearinghouses – These entities either process or facilitate the processing of health information they receive from other entities.

Business associates include a wide range of companies, but most importantly, they are contracted by a covered entity to perform a business function involving PHI. Business associates can include web hosts, billing companies, marketing agencies, legal firms, accountants, and more.

The Future of Protected Health Information

As the world has rapidly changed, new technologies that challenge how we think about personal health data have evolved. IT security teams must consider future security challenges and regulatory changes to futureproof their organization and mitigate risks. Below we explore how technology and PHI have progressed in a way that is pressuring regulators and legislators to protect patient privacy.

Technological Advances

The smartphone was still a decade away from being invented when HIPAA was introduced. In today’s world, the success of the iPhone has trickled down to other internet-connected smart devices like watches, scales, and other wearable devices. Even medical devices, including heart rate monitors and remote patient monitoring devices, can be found in people’s homes today. When medical providers ask patients to use these devices to capture biometric data, HIPAA rules apply.

But what about when healthcare providers do not recommend these technologies? If a consumer wants to use an application to record their daily activity, record their weight, or monitor their heart rate without direction from a doctor, HIPAA does not apply. However, due to the sensitivity of the data and lack of consumer understanding, some are calling for additional privacy protections for device and application manufacturers. It is not hard to imagine that any application designed to collect, store, or transmit health data will become subject to stricter regulations regardless of whether they are involved in an individual’s healthcare.

New Types of Data

When HIPAA was envisioned, genetic science was progressing but still confined to the upper levels of academia and research. Improvements in genetic testing and increased knowledge of the human genome could completely alter what is defined as PHI and how individuals interact with their healthcare providers. In 2013, amendments to the Privacy Rule clarified that genetic information is PHI and needs to be secured. However, over the past decade, genetic testing capabilities have exploded. Anyone can order a genetic test from numerous consumer-facing companies. As a result, personalized medicine is thriving and is likely to grow over the next decade.

As doctors have more access than ever before to information about our genomics, it’s of the highest importance to ensure it is secured.

Change is On The Way: Are You Ready?

Covid-19 rapidly accelerated many of these technological changes, and recent events in the news have already sparked changes to HIPAA enforcement. For example, the use of online tracking pixels to collect and transmit PHI recently caused OCR to issue a statement on their proper use. In addition, last year’s Supreme Court decision in Dobbs vs. Jackson Women’s Health spurred many reproductive health-tracking apps to take additional steps to protect users’ data. The incident highlighted just how much personal health data is contained in unregulated applications.

Even without government intervention, organizations that process health data must secure it to build consumer trust and differentiate from the competition. With breaches and cyberattacks on the rise, only the best-prepared organizations will be able to grapple with future challenges and regulatory changes.