This Article investigates whether nonsectoral state laws may serve as a viable source of privacy and security standards for mobile health research participants and other health data subjects until new federal laws are created or enforced. In particular, this Article (1) catalogues and analyzes the nonsectoral data privacy, security, and breach notification statutes of all fifty states and the District of Columbia; (2) applies these statutes to mobile-app-mediated health research conducted by independent scientists, citizen scientists, and patient researchers; and (3) proposes substantive amendments to state law that could help protect the privacy and security of all health data subjects, including mobile-app-mediated health research participants.
This Article proceeds as follows: Part I provides background information regarding mobile apps and their use by independent scientists, citizen scientists, and patient researchers as well as conventional researchers who fall outside traditional sources of privacy and security regulation. After reviewing federal and international data privacy, security, and breach notification standards, Part II shows why some citizen scientists, independent researchers, and patient researchers, as well as the mobile-app developers and data storage and processing companies that support them, are not subject to such regulation.
Part III of this Article reports the results of a comprehensive survey of state privacy, security, and breach notification laws. In particular, Part III investigates the presence or absence in the statutes of each state and the District of Columbia of nonsectoral data privacy and security standards, including prior notification of and authorizations for the use and disclosure of individually identifiable data; administrative, technical, and physical data safeguards; and breach notification to individuals, government agencies, and consumer reporting agencies. Part III applies these rights and protections, when they exist, to individuals who conduct and support mobile-app-mediated health research. Part III finds that all jurisdictions have at least one potentially applicable breach notification statute, more than two-thirds of jurisdictions have at least one potentially applicable data security statute, and more than one quarter of jurisdictions have at least one potentially applicable data privacy statute. These findings suggest that states have the current or potential infrastructure to protect the privacy and security of mobile health research data and other health-related data that is not protected by traditional, federal health laws such as the HIPAA Rules.
Taking a nonsectoral approach to data privacy and security, this Article concludes by proposing amendments to breach notification statutes as well as content for states that lack generally applicable data privacy and security statutes. If adopted, these proposals could create cross-industry privacy and security protections that will benefit all health data subjects, including participants in mobile-app-mediated health research. This Article also considers the challenges and opportunities associated with both intra- and interindustry data privacy and security regulation. Although sectoral approaches to privacy and security made sense even a quarter of a century ago, the time has come for generally applicable forms of data protection.
Stacey A. Tovino, Going Rogue: Mobile Research Applications and the Right to Privacy, Notre Dame L. Rev.
Available at: https://scholarship.law.nd.edu/ndlr/vol95/iss1/4