Healthcare Information Security

Mobile Health App Privacy Policies Not Easily Accessible

A recent study found that mobile fitness and health app privacy policies are not always provided upfront on the app platform listing page.

By Elizabeth Snell

With more individuals entering their personal health information into various apps and trackers, mobile health app privacy and security are increasingly important. Without understanding a specific app's privacy policy, an individual may be unknowingly exposing his or her information.

Mobile health app privacy policies not always easily found

A recent Future of Privacy Forum (FPF) Mobile Apps Study found that only 70 percent of top health and fitness apps had a privacy policy, six percentage points lower than the rate for top apps overall. Furthermore, only 61 percent of top health and fitness apps linked to the privacy policy from the app platform listing page, 10 percentage points lower than top apps overall.

“Even though a privacy policy is not the be all and end all for building consumer trust, there is no excuse for failing to provide one – doing so is the baseline standard,” FPF’s Vice President of Policy John Verdi said in a statement. “App platforms have made it easier for developers to provide access to privacy policies. Consumers expect direct access to privacy policies, and users can review them before downloading an app.”

However, there has been an increase in apps having a privacy policy. The previous FPF mobile study showed that 68 percent of top overall apps had a privacy policy. In 2016, that number has risen to 76 percent across both app platforms.

The study also found that 86 percent of free apps in 2016 provided privacy policies, while only 66 percent of paid apps did the same.

“Although perhaps counter-intuitive, this result is easily explained: free, ad-supported apps are likely to be required to disclose their tracking practices to comply with industry behavioral advertising self-regulatory standard,” the report’s authors wrote.

Many health and fitness apps have access to sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device, according to the report. It is therefore quite concerning that users may not be aware of how their personal data could be used.

“While most apps do provide consumers with the most basic notices about how their personal data will be collected, used, and shared, it’s also clear that a significant number do not,” the authors explained. “Although a privacy policy is only a starting point for protecting individuals’ privacy, it is an important baseline standard all around the world.”

Failing to disclose how health information will be used can be especially damaging for companies. For example, a lawsuit was filed earlier this year against Facebook and other organizations for allegedly violating patient privacy through data sharing.

The class action lawsuit was filed against Facebook and several medical institutions, including the American Cancer Society, Adventist Health System, and the Cleveland Clinic.

Plaintiffs stated that their private medical communications with the organizations, including data related to cancer, were given to Facebook without their knowledge.

“In addition, Facebook acquired, tracked, and used the Plaintiffs’ sensitive medical information collected through medical websites and the Facebook website for purposes of direct marketing,” the suit said. “The disclosures, tracking, and use of their sensitive medical information for direct marketing were all done without Plaintiffs’ knowledge or consent in violation of their privacy rights under federal and state law.”

Facebook was also accused of not disclosing that it tracks, intercepts, and acquires user communications with medical websites. Several of these websites belong to medical providers that are subject to medical privacy laws such as HIPAA.

The lawsuit also claimed that Facebook failed to notify individuals that “it uses the personal information it gathers from its users, including sensitive medical information, to place its users into medical categories for purposes of direct marketing.”
