Medical organizations and legal experts are warning that patient data-sharing with health apps could exacerbate an already growing issue with invasions of privacy.
Both the American Medical Association and the American College of Obstetricians and Gynecologists have warned regulators that people who authorize certain consumer apps to retrieve, store and distribute their health data could be inviting data misuse and data theft.
Federal data privacy protections, which limit how health providers and insurers use and share medical records, do not apply the same way to consumer health apps.
A study published in the British Medical Journal, which analyzed over 20,000 mobile health apps, found that 88 percent of the apps contained code with the ability to collect user data.
Most health app data collection involves third-party providers, and only 47 percent of data transmissions complied with the app’s privacy policy. Some health apps fail to provide any privacy policy at all.
FTC Health App Data Collection Policy
The most recent Federal Trade Commission (FTC) policy on health app data privacy underlines the importance of corporate transparency. Health app developers are required to keep consumers informed of data breach incidents or they risk stiff FTC penalties.
The FTC policy clarifies how existing healthcare regulations apply to these apps. Health apps are not regulated under HIPAA even though they collect and store the same types of sensitive data as HIPAA-covered entities. Health apps and wearable fitness tracking devices that collect consumers’ health information are, however, usually covered by the Health Breach Notification Rule if they are able to draw data from multiple sources.
The FTC says that while the Health Breach Notification Rule is now more than ten years old, the “explosion in health apps and connected devices makes its requirements with respect to them more important than ever.” The Health Breach Notification Rule has not previously been enforced, but the FTC’s policy statement warns that more regulation is necessary to protect consumer privacy.
Health Apps Store Consumer Data
Health App data that is regularly collected and stored may include the following:
- Names
- Device names
- Locations
- Operating system version
- Web browsing behavior
- Medications
- Email addresses
- International mobile equipment identity (IMEI)
- Fingerprint identification on mobile phones
- Media access control (MAC)
Consumer data may be shared with app developers, parent firms, and third-party digital ad, sales and marketing companies. Some fourth parties may also wind up with the data. Tech companies like Alphabet, Facebook, and Oracle build profiles of users and target them with ads.
For many companies, collecting health information from health app consumers is part of their underlying business model, and they will be expected to adhere to data breach notification policies to ensure compliance and transparency.