Over half of Americans have a health-related mobile application on their phone. These apps can track vitals like weight and blood pressure, keep up with diet and exercise habits, and even offer medication reminders. Health and medical apps typically require users to register in order to create a personalized profile and to associate their logged information with their account. With pharmacy coupons at your fingertips and pill reminders in your pocket, these apps are marketed to mobile users as convenient, helpful, and even reliable or secure. Sounds like a dream come true for the plugged-in, health-conscious consumer! This in mind, I decided to take a closer look at some of the highest-rated medical apps’ privacy policies to find out what wasn’t being talked about in the app stores…
HIPAA very rarely covers user-reported health and medical information. The Health Insurance Portability and Accountability Act (HIPAA) only applies to “covered entities” (healthcare providers, health plans, and healthcare clearinghouses) and their “business associates”. Therefore HIPAA only protects information created by or received directly from a healthcare provider or your insurance company (the privacy policy may call this “Protected Health Information” or “PHI”). Privacy policies may also use the term “Additional Health Information” to designate the user-reported data that is not protected by HIPAA. This self-reported information can include past or present health conditions or medical treatments and prescriptions, as well as physician contact information and even Medicare or health insurance plan details.
Users may be marketed to based on information they provide, including prescriptions they take. Apps that provide daily medication reminders, drug encyclopedias, or pharmacy coupons may track a user’s activity in an effort to connect their prescriptions to common medical conditions. One app’s privacy policy even gives an example of receiving offers and advertisements for low-sodium cookbooks if a user is taking a drug typically associated with high blood pressure.
Health information can be considered a business asset to software companies. It is common for companies to sell or transfer customer data in business proceedings, such as mergers or bankruptcies. But for medical app software companies, the data can include sensitive health information collected from user accounts.
Many medical apps have vague security policies. Statements like “we cannot guarantee security” or “no transmission over the internet is 100% secure” sound much more like legal disclaimers than a protection policy. Also, third-party cloud service providers are often named responsible for ensuring the security of user data rather than the company itself.
Users may not have control over the deletion or retention of their collected information. Several medical app privacy policies stated that they retain all users’ collected information indefinitely. This could mean that simply closing the account or uninstalling the app would not result in deletion from their system. Additionally, when account history deletion is offered upon request, it is rarely backed by a guarantee.
If in doubt, just read the privacy policy! Users concerned about the disclosure of their personal information should look for the policy section on third party sharing. In this section, privacy-friendly apps state that they do not sell their user data. Also, the section on user access to data will tell if a full deletion option is offered in account settings.
Have a question about a privacy policy or privacy notice? Visit our Question Center - we're here to help!