Study Raises Privacy Concerns Related to Health Care Smartphone Apps

The Infectious Disease Advisor take:

The Health Insurance Portability and Accountability Act (HIPAA) established national standards for the protection of patient privacy and healthcare information.  However, it was initially enacted before the development and widespread adoption of phone applications to transmit and manage data. Because of this, it is sometimes difficult to determine which apps must be HIPAA-compliant and which are exempt.  

Challenges in protecting patient information include the fact that phones and tablets can be stolen, and information stored on them may be compromised. Mobile phone users also may intentionally or unintentionally share personally identifiable information, even if the original intention of the app was not to gain that information.  Additionally, the advent of social media makes it easier for users, including healthcare practitioners, to post information that inadvertently breaches HIPAA privacy laws. 

Among 65 apps randomly selected by the research team, more than 86% placed tracking "cookies" on users' phones to monitor sensitive health information that could be shared.

HealthDay News -- Privacy policies for health programs -- or "apps" -- designed for smartphones that share highly sensitive medical information between patients and doctors are lacking, and often are completely missing, according to a study published in the Journal of the American Medical Association.

Sarah Blenner, JD, MPH, of the Illinois Institute of Technology Chicago-Kent College of Law in Chicago, and colleagues focused on 211 diabetes-specific apps available for download in mid-2014 on Google Play. Blenner and her associates noted that Google Play mandates that all apps post a point-of-sale list of information-handling "permissions" that consumers must agree to before downloading, whether or not they're actually read.

Among the apps studied, these permissions included: tracking patient location (nearly 18%); remotely activating a user's microphone or camera (about 4% and 11%, respectively); and modifying or deleting stored information (64%). The study authors also found that about 80% of the apps had no declared privacy policy of any kind. And of the roughly 20% that did have a privacy policy, patient privacy protection was very often not the main focus, the researchers said.

Among 65 apps randomly selected by the research team, more than 86% placed tracking "cookies" on users' phones to monitor sensitive health information (such as insulin levels) that could be easily shared with third parties. More than three-quarters shared such information, whether or not they had a privacy policy in place, the investigators found. "Consumers really need to understand what an app developer's privacy practice is before downloading and using these apps," Blenner told HealthDay. "Because once their medical information is leaked, they can't ever regain control over it."

Reference

1. Blenner S, Köllmer M, Rouse A, Daneshvar N, Williams C, Andrews L. Privacy Policies of Android Diabetes Apps and Sharing of Health Information. JAMA. 2016;315(10):1051-1052. doi:10.1001/jama.2015.19426.
