Xavier Becerra: ” Today’s settlement is a wake up call not just for Glow, but for every app maker that handles sensitive private data.”
Landmark settlement against GlowHQ – a fertility app that had serious privacy and security failures that risked exposing millions of women’s medical information.
As part of the settlement, Glow will be required to:
- incorporate privacy and security design principles into its mobile apps,
- get consent from users before sharing private information,
- and allow users to revoke previously granted consent.
Link to settlement: https://oag.ca.gov/sites/default/files/2020%2009-17%20-%20People%20v%20Upward%20Labs%20-%20Stipulation.pdf
Link to complaint: https://oag.ca.gov/sites/default/files/2020%2009-17%20-%20People%20v%20Upward%20Labs%20-%20Complaint.pdf
OCR launched a new feature on HHS.gov, titled Health Apps. This new webpage takes the place of OCR’s previous Health App Developer Portal, and is available at https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html.
The new webpage highlights OCR’s guidance on when and how the Health Insurance Portability and Accountability Act (HIPAA) regulations apply to mobile health applications, including:
was released on February 21, 2019. For ease of use, the draft guide is available to download or read in volumes:
- SP 1800-4a: Executive Summary
- SP 1800-4b: Approach, Architecture, and Security Characteristics
- SP 1800-4c: How-To Guides
The objectives of the study focus on:
- Defining the context and conceptual framework of the detection of the personal data communications in applications executed on an Android operating system.
- Demonstrating the elevated risk in the mobile application environment of leaks of personal data and the need to carry out an evaluation of data flows
- Studying the existing techniques for the detection and analysis of personal information flows in Android Applications.
Interesting article that tries to summarize some of the latest HHS guidance. Includes “If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app,” officials explained.