Privacy policies are a sore point for Internet users. At least once a year the pitchforks and torches come out when a company like Facebook or Twitter changes its policies around how it uses, sells or secures users’ data—things like browsing habits, phone numbers, relationships and email addresses.
You don’t hear as much hue and cry over the privacy of mobile health apps, where people store and track what are literally their most intimate details. But perhaps you should.
Because in fact, a recent survey of mobile health apps led by Boston Children’s Hospital’s Kenneth Mandl, MD, MPH, finds that only about 30 percent of mobile health apps have any kind of policy covering the privacy of users’ data.
Mandl, who chairs biomedical informatics and population health in Boston Children’s Informatics Program, points out that most health app developers aren’t familiar with health care’s unusually intense focus on privacy and information security. That’s because these apps aren’t considered medical services or devices and aren’t bound by the Health Insurance Portability and Accountability Act (HIPAA) privacy rules or regulated by the FDA (at least, within limits).
“The developers aren’t really connected to the health care industry. They aren’t aware of the industry’s standards,” he says. “But patients probably have some expectation that the protections found in the health care system will be there when they use a health app.”
“Currently, app providers face a trade-off between business as usual or tailoring their communication and privacy practices to users’ needs,” adds Ali Sunyaev, PhD, an assistant professor in the department of information systems at the University of Cologne, Germany and lead author on the policy study.
What privacy policy?
To understand the extent of the issue, Mandl, Sunyaev and their collaborators tallied all of the English-language mobile health apps in the Apple iTunes and Google Play stores. They then selected the 600 most frequently rated apps (300 from each store) from the 24,405 apps they found and asked:
- Does the app have a privacy policy?
- What is the scope of the policy?
- Is the policy readable or understandable?
Their findings, published in the Journal of the American Medical Informatics Association, would give a privacy expert pause. For starters, only 183—less than a third—of the 600 apps had any kind of privacy policy.
The policies the team did find ranged widely in scope, covering data collection and use by either the one app, multiple apps by the same developer, the developer’s homepage or all services provided by the developer. Two-thirds of the apps’ policies did not actually cover the app at all.
The policies were not very user-friendly, either. On average, they were written at a 16th grade reading level. (Mandl believes a sixth grade reading level would be ideal.) They also averaged more than 1,750 words; the word count for one policy topped out at 6,424.
Nor were they particularly transparent. Take the 62 policies that covered a single app, multiple apps or the databases and services of a single developer. Nearly 10 percent didn’t disclose what kinds of information the app collected. And 13 percent didn’t explain whether or how users could control their data once they entered them into the app.
What we need: More transparency, more standardization
This lack of privacy protections could have serious consequences, such as medical identity theft, sale of data to employers and denial of insurance coverage.
Mandl thinks the findings highlight an urgent need for developers to standardize their apps’ privacy policies and make them more useful to users. “We had some idea there was non-uniformity, but it was still stunning to see how widespread it was to find either no or inadequate privacy policies.”
“Current privacy policies are not of much use, so users do not perceive them as beneficial,” says Sunyaev. “To be truly effective, developers should design privacy policies to meet users’ needs and preferences, and create an environment where privacy practices are expected to be transparent to users.”
He and Mandl list some items health apps’ privacy policies should state up front:
- where users’ data are stored
- whether the developer will use data for anything and what that use would be
- whether the developer will make users’ data available to outside parties in an identifiable way or in aggregate form
- whether the app transmits users’ data securely
- how users can have their data deleted from the developer’s servers
Apple, for one, seems to be stepping up, announcing last week that it’s establishing new privacy rules for apps that tie into its upcoming HealthKit platform.
“App developers should make it clear to users that they’re outside the health system and that the privacy protections associated with the health system aren’t there,” Mandl says. “And users need to understand that they may be giving up some element of privacy in exchange for using their service.”
Sunyaev points out that developers could, with some outside-the-box thinking, turn their privacy policies into selling points. “If app developers and app marketplaces realized the value in offering information on their privacy practices, they could compete based on whether their practices are privacy-friendly, which could help win users over.”
If you’re interested in mobile health, check out “Mobile & Digital Health: Health care everywhere,” one of five panels being held during Boston Children’s Hospital’s Global Pediatric Innovation Summit + Awards, taking place October 30-31, 2014. Learn more about the summit’s agenda here.