Vol. 144 March 15, 2016 Health Apps Are Not “Secure”

Hub thumbnail 2015

Health apps are not subject to HIPAA rules designed to protect the confidentiality of health information.

The news media these recent weeks has been filled with the controversy between Apple and the FBI about the encryption of private information on smartphones. Apple’s argument is that EVERYONE who has a smartphone has a stake in this battle for access to their personal information. Since most of us are unlikely to become terrorists or gang leaders and have our smartphones seized by the FBI to crack them open, do we have any skin in this game?

“You betcha!”

For example, according to a recent Journal of American Medical Association article (1,2) some of our personal health and medical information is already widely shared by “health apps”. One out of five smartphones had health apps in 2012. Today that number is much higher.

Health apps are all those downloadable programs for your phone that can measure and record your number of steps, heart rate, calories consumed, medication schedules, etc. Newer ones can do the same with blood pressure, blood sugar level, sleep cycles, and soon-to-be-on- the-market gene testing and complete infectious disease history.  (See http://greatist.com/fitness/best-health-fitness-apps for the 49 greatest health apps of 2015; based on user’s ratings, user friendliness, relative drain on the phone’s battery. etc. without consideration of any data privacy protection.) 

Most health apps say they encrypt your data when it is sent from your phone over the internet to the Cloud to “safeguard your electronic data.”. That sounds great, and is essential to thwart any hacker who really wants to know what your blood sugar level is on Thursday at 3 PM. But, it is the “privacy policy” of the app that determines how your data AND OTHER PERSONAL DATA can be shared by the apps company.  Health app data is shared and it can be used for marketing new products and services, targeting you for specific infomercial activity or internet “push” ads, and potentially for assessing your “risk” by insurance companies.

This JAMA study of “private policies” revealed that 80% of the 211 diabetic apps did NOT have private policies. Further study of the 41 of 211 diabetic apps that had a policy revealed many opportunities for widely sharing your personal data:

86% used tracking cookies so that information about your use of the computer could be shared with other companies like marketing companies.
64% requested the ability to delete or modify information anywhere on your phone!
17% asked to track your location
11% sought to switch on your smartphone camera!
54% stated they could use your personal information in aggregated data reports (Use of personal information’ ie. like patient identification data, in aggregated data reports like published scientific articles has always been a big”No-No” since medical researchers started using computers. Only “de-identified” patient data has been the accepted standard for use. )

Most of this private policy information was in the fine print of the user’s agreement that no one ever reads which we just check off with “agree” rather than “decline”. If you read the fine print well enough or scroll down to the very bottom of the app screen some of the apps gave you a choice to opt out from three “sharing” elements:

31% allowed you to opt out of receiving cookies
22% allowed you to nix receive emails related to the app content
11% allowed you to block receiving marketing information and materials.

Scant “protection” to say the least.

Health apps are not subject to federal HIPAA rules designed to protect the confidentiality of health information. App sponsors are free to trade, sell, and use in any way the personal health data they collect from their apps on your smartphone. Health apps are completely unregulated. If you are at all nervous about sharing health and personal data, be careful about what you download.

1.Boston Globe, March 14, 2016, p. 12, Eric Boodman
2. JAMA. March 8, 2016;315(10):1051-1052.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: