
Mobile Research Applications and State Data Protection Statutes

Published online by Cambridge University Press:  01 January 2021

Abstract

This article focuses on state privacy, security, and data breach regulation of mobile-app mediated health research, concentrating in particular on research studies conducted or participated in by independent scientists, citizen scientists, and patient researchers. Prior scholarship addressing these issues tends to focus on the lack of application of the HIPAA Privacy and Security Rules and other sources of federal regulation. One article, however, mentions state law as a possible source of privacy and security protections for individuals in the particular context of mobile app-mediated health research. This Article builds on this prior scholarship by: (1) assessing state data protection statutes that are potentially applicable to mobile app-mediated health researchers; and (2) suggesting statutory amendments that could better protect the privacy and security of mobile health research data. As discussed in more detail below, all fifty states and the District of Columbia have potentially applicable data breach notification statutes that require the notification of data subjects of certain informational breaches in certain contexts. In addition, more than two-thirds of jurisdictions have potentially applicable data security statutes and almost one-third of jurisdictions have potentially applicable data privacy statutes. Because all jurisdictions have data breach notification statutes, these statutes will be assessed first.

Type: Symposium Articles

Copyright © American Society of Law, Medicine and Ethics 2020


References

1. See, e.g., Cohen, G. and Mello, M., “HIPAA and Protecting Health Information in the 21st Century,” JAMA Online First, May 24, 2018 (“The reality … is that HIPAA-covered data form a small and diminishing share of the health information stored and traded in cyberspace.”); Terry, N.P. and Gunter, T.D., “Regulating Mobile Mental Health Apps,” Behavioral Sciences and the Law 36, no. 1 (2018): 136-144 (“[Mobile medical applications] tend to be developed outside of traditional health care spaces with the result that they exist in a lightly regulated, ‘HIPAA-free zone.’”); Rothstein, M.A., Wilbanks, J.T., and Brothers, K.B., “Citizen Science on Your Smartphone: An ELSI Research Agenda,” Journal of Law, Medicine & Ethics 43, no. 4 (2015): 897-903 (“[R]esearch undertaken by an individual or entity that is not a HIPAA-covered entity, such as a citizen scientist, is not required to follow federal privacy rules.”).
2. See Rothstein, Wilbanks and Brothers, supra note 1, at 899 (referencing states that extend research protections to non-federally supported research but noting that these laws “do not provide significant protections or remedies in the event of breaches of research or privacy standards”).
3. See Ala. Code § 8-19F (hereinafter Alabama); Alaska Stat. § 45.48 (hereinafter Alaska); Ariz. Rev. Stat. §§ 18-551 – 552 and Ariz. Rev. Stat. § 44-7601 (hereinafter Arizona); Ark. Code § 4-110 (hereinafter Arkansas); Cal. Civ. Code §§ 1798.1-.82 and Cal. Civ. Code §§ 1789.100-.198 (hereinafter California); Colo. Rev. Stat. §§ 6-1-713 - 716 (hereinafter Colorado); Conn. Gen. Stat. §§ 36a-701a-b and Conn. Gen. Stat. § 42-471 (hereinafter Connecticut); Del. Code tit. 6, Chapter 12B-100 – 104 and Del. Code tit. 6, § 5001C (hereinafter Delaware); D.C. Code §§ 28-3851—28-3853 (hereinafter District of Columbia); Fla. Stat. § 501.171 (hereinafter Florida); Ga. Code §§ 10-1-910 – 912 and Ga. Code § 10-15-2 (hereinafter Georgia); Haw. Rev. Stat. §§ 487N-1 – N3 and Haw. Rev. Stat. § 487R-2 (hereinafter Hawaii); Idaho Code §§ 28-51-104—107 (hereinafter Idaho); 815 ILCS §§ 530/1—50 (hereinafter Illinois); Ind. Code § 24-4.9 (hereinafter Indiana); Iowa Code §§ 715C.1—.2 (hereinafter Iowa); Kan. Stat. Ann. § 50-7a01—04 and Kan. Stat. Ann. § 50-6,139b (hereinafter Kansas); Ky. Rev. Stat. §§ 365.720—.734 (hereinafter Kentucky); La. Rev. Stat. §§ 51:3071-3074 (hereinafter Louisiana); Me. Rev. Stat. Ann. tit. 10 §§ 1346—1350-B (hereinafter Maine); Md. Code Com. Law §§ 14-3501—14-3508 (hereinafter Maryland); Mass. Gen. Laws §§ 93H-1-6 and 201 CMR §§ 17.01 - 17.05 (hereinafter Massachusetts); Mich. Comp. Laws §§ 445.63—79d (hereinafter Michigan); Minn. Stat. Ann. § 325E.61 (hereinafter Minnesota); Miss. Code § 75-24-29 (hereinafter Mississippi); Mo. Rev. Stat. § 407.1500 (hereinafter Missouri); Mont. Code Ann. §§ 30-14-1701—1736 (hereinafter Montana); Neb. Rev. Stat. §§ 87-801-808 (hereinafter Nebraska); Nev. Rev. Stat. §§ 603A.010.—.920 (hereinafter Nevada); N.H. Rev. Stat. §§ 359-C:19—21 (hereinafter New Hampshire); N.J. Stat. §§ 56:8-161—163 (hereinafter New Jersey); N.M. Stat. Ann. §§ 57-12c-1—12 (hereinafter New Mexico); N.Y. Gen. Bus. Law § 899-AA and N.Y. Gen. Bus. Law § 399-h (hereinafter New York); N.C. Gen. Stat. §§ 75-60—66 (hereinafter North Carolina); N.D. Cent. Code §§ 51-30-01—51-30-07 (hereinafter North Dakota); Ohio Rev. Code §§ 1349.19, 1349.191, 1349.192 and Ohio Rev. Code Ann. § 1354.01 (hereinafter Ohio); Okla. Stat. tit. 24 §§ 161—166 (hereinafter Oklahoma); Or. Rev. Stat. Ann. §§ 646A.600—.628 (hereinafter Oregon); 73 Pa. Stat. §§ 2301—2309 (hereinafter Pennsylvania); R.I. Gen. Laws §§ 11-49.3-1—6 and R.I. Gen. Laws § 6-52-2 (hereinafter Rhode Island); S.C. Code § 39-1-90 (hereinafter South Carolina); S.D. Cod. Laws §§ 22-40-19—26 (hereinafter South Dakota); Tenn. Code §§ 47-18-2101—2111 and Tenn. Code § 39-14-150(g) (hereinafter Tennessee); Tex. Bus. & Com. Code §§ 521.002, 521.053 (hereinafter Texas); Utah Code § 13-44-101—301 (hereinafter Utah); Vt. Stat. tit. 9 §§ 2430—2445 (hereinafter Vermont); Va. Code § 18.2-186.6 (hereinafter Virginia); Wash. Rev. Code § 19.255.010 and Wash. Rev. Code § 19.215.020 (hereinafter Washington); W.Va. Code §§ 46A-2A-101—105 (hereinafter West Virginia); Wis. Stat. Ann. §§ 134.97-98 (hereinafter Wisconsin); Wyo. Stat. §§ 40-12-501—40-12-509 (hereinafter Wyoming). See generally Tovino, S.A., “Going Rogue: Mobile Research Applications and the Right to Privacy,” Notre Dame Law Review 95, no. 1 (2019): 155-209 (thoroughly discussing state data breach, data security, and data privacy statutes potentially applicable to mobile app-mediated research studies conducted by independent scientists, citizen scientists, and patient researchers).
4. See supra note 1 (at all jurisdictions listed).
5. See id. (at all jurisdictions except Alaska, Rhode Island, and South Dakota).
6. See id. (at Alabama, Alaska, Arizona, Colorado, District of Columbia, Florida, Georgia, Hawaii, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nevada, New Hampshire, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, West Virginia, and Wisconsin).
7. See id. (at Alabama, Arizona, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Indiana, Iowa, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Rhode Island, South Carolina, South Dakota, Vermont, Virginia, and Washington).
8. See Ala. Code § 8-19F-2.
9. For example, the Kinsey Reporter mobile app collects real-time, reportedly anonymous data about sexual health, sexual behaviors, and other intimate behaviors reported by its citizen sex scientists. Kinsey Reporter communicates the collected data to Kinsey Reporter.org, a global mobile platform designed by researchers based in Bloomington, Indiana, that aggregates, maps, and shares reportedly anonymous data with the public. See Apple App Store, Kinsey Reporter; Google Play, Kinsey Reporter.
10. See supra note 3 (at Alaska, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Hawaii, Idaho, Indiana (also allowing Social Security number to suffice), Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Virginia, Washington, West Virginia, and Wyoming).
11. See, e.g., Kerry, C.F., “Why Protecting Privacy Is a Losing Game Today — And How to Change the Game,” Brookings, July 12, 2018 (“To most people, ‘personal information’ means information like social security numbers, account numbers, and other information that is unique to them. U.S. privacy laws reflect this conception by aiming at ‘personally identifiable information,’ but data scientists have repeatedly demonstrated that this focus can be too narrow. The aggregation and correlation of data from various sources make it increasingly possible to link supposedly anonymous information to specific individuals and to infer characteristics and information about them. The result is that today, a widening range of data has the potential to be personal information, i.e. to identify us uniquely. Few laws or regulations address this new reality.”).
12. See Mont. Code Ann. § 30-14-1702.
13. See Tex. Bus. & Com. Code § 521.002.
14. See Ga. Code § 10-1-912.
15. See N.H. Rev. Stat. § 359-C:20.
16. See Ind. Code § 24-4.9-2-4.
17. See 815 ILCS § 530/10.
18. See, e.g., Ind. Code § 24-4.9-2-3 (defining person as an individual as well as a corporation).
19. See 815 ILCS § 530/5 (defining “personal information,” which internally references the definition of “medical information”).
20. See supra note 3 (at Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin).
21. See, e.g., Ark. Code § 4-110-104 (setting forth a modest security law that applies to persons and businesses, which are also regulated by Arkansas’ breach notification law).
22. See, e.g., Alaska Stat. § 45.48.500 (setting forth a security law that applies to businesses and government agencies but not persons with more than ten employees, even though persons with more than ten employees are governed by Alaska’s breach notification law).
23. Id. § 45.48.510.
24. See Or. Rev. Stat. Ann. § 646A.622.
25. See Mass. Gen. Laws § 93H-2; 201 Code Mass. Regs. §§ 17.01-17.05.
26. See Ohio Rev. Code Ann. §§ 1354.01-.02.
27. See, e.g., Cal. Bus. & Prof. Code §§ 22575-22579.
28. See, e.g., Neb. Rev. Stat. § 87-302(15); Or. Rev. Stat. § 646.607(12); 18 Pa. Cons. Stat. Ann. § 4107(a)(10).
29. See, e.g., Utah Code §§ 13-37-101 - 13-37-203; Cal. Civil Code §§ 1798.83—.84.
30. See, e.g., California Consumer Privacy Act, California A.B. 375 (June 28, 2018), to be codified at Cal. Civ. Code §§ 1789.100 – 1798.198 (eff. Jan. 1, 2020) [hereinafter CCPA]; An Act Relating to Internet Privacy, Nevada S.B. 220, 80th Sess. (May 29, 2019), to be codified at Nev. Rev. Stat. 603A (eff. Oct. 1, 2019); Tex. Health & Safety Code §§ 181.001-.207 [hereinafter TMRPA].
31. TMRPA, supra note 30.
32. See, e.g., Office of the Texas Attorney General, Texas Medical Records Privacy Act Annual Report (2016) (summarizing the Texas Attorney General’s substantial enforcement activities relating to the Texas Medical Records Privacy Act).
33. See generally Rothstein, M.A. and Tovino, S.A., “California Takes the Lead on Data Privacy Law,” Hastings Center Report 49, no. 5 (2019), available at <https://onlinelibrary.wiley.com/doi/epdf/10.1002/hast.1042> (last visited January 23, 2020).
34. Cal. S.B. 1121, § 9 (Sept. 23, 2018).
35. Cal. A.B. 1355, § 7 (Final Date, 2019).
36. The CCPA defines “deidentified” as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information: (1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain; (2) Has implemented business processes that specifically prohibit reidentification of the information; (3) Has implemented business processes to prevent inadvertent release of deidentified information; and (4) Makes no attempt to reidentify the information.” CCPA, supra note 30, § 3.
37. The CCPA defines “aggregate consumer information” as “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.” The CCPA excludes from the definition of “aggregate consumer information” one or more individual consumer records that have been deidentified. Id.
38. See, e.g., Class Action Complaint and Demand for a Jury Trial, Dinerstein v. Google, No. 1-19-cv-04311 (N.D. Ill., June 26, 2019) (illustrating how defendant Google could identify University of Chicago Medical Center patients using health records containing date and time stamps but no other identifiers).
39. Id. § 11-12.