Health Care Apps Often Offer Little Privacy Protection: Study

If you’re relying on your smartphone to share medical information with your doctor, you may be risking the privacy of your health records, a new study warns.

The new research finds that privacy policies for health programs — or “apps” — designed for smartphones that share highly sensitive medical information between patients and doctors are lacking, and often are completely missing.

The study looked specifically at diabetes-related apps marketed to Android-phone users. But the problem doesn’t stop there, the researchers said.

“Our findings apply not just to ‘Google Play’ or diabetes apps specifically, but all health apps and potentially apps in general,” said study lead author and lawyer Sarah Blenner. She’s with the Illinois Institute of Technology Chicago-Kent College of Law in Chicago.

“And the issue is that people in general are probably not aware that their private medical information is being collected and regularly leaked from these apps, forwarded to data aggregators and marketing companies,” she said.

“We don’t know exactly what the ultimate end point is,” Blenner acknowledged. “But in the past this kind of information has ultimately been shared with employers and insurance companies,” who, she said, stand to collect large sums of money for the dissemination of information most patients falsely believe is only being seen by their caregivers.

The study was published in the March 8 issue of the Journal of the American Medical Association.

As of 2012, about 7 percent of American primary care doctors recommended health apps to their patients. Such apps address a wide range of health concerns, such as providing simple medication reminders, monitoring a patient’s health in real-time, and transmitting information to caregivers.

“There are no federal legal protections currently protecting the disclosure of health information from most medical apps,” Blenner said. Yet, one-fifth of American smartphone users already have such apps on their device, the study found.

The researchers focused on 211 diabetes-specific apps available for download in mid-2014 on Google Play. This is the official store for phones and tablets using Android operating systems. The study didn’t include Apple-based apps available through Apple’s iTunes store.

Blenner and her associates noted that Google Play mandates that all apps post a point-of-sale list of information-handling “permissions” that consumers must agree to before downloading, whether or not they’re actually read.

Among the apps studied, these permissions included: tracking patient location (nearly 18 percent); remotely activating a user’s microphone or camera (about 4 percent and 11 percent, respectively); and modifying or deleting stored information (64 percent).

The study authors also found that about 80 percent of the apps actually had no declared privacy policy of any kind. And of the roughly 20 percent that did have a privacy policy, patient privacy protection was very often not the main focus, the researchers said.

For example, among apps that did have some privacy policy in place, about 80 percent collected user data, and nearly half indicated they shared that data, the study revealed. Only four apps declared that patient permission would be requested before sharing took place.

Among 65 apps randomly selected by the research team, more than 86 percent placed tracking “cookies” on users’ phones to monitor sensitive health information (such as insulin levels) that could be easily shared with third parties. More than three-quarters shared such information, whether or not they had a privacy policy in place, the investigators found.

“Consumers really need to understand what an app developer’s privacy practice is before downloading and using these apps,” Blenner cautioned. “Because once their medical information is leaked, they can’t ever regain control over it.”

Alejandro Lleras, an associate professor in the department of psychology at the University of Illinois at Urbana-Champaign, said that while such apps can be helpful, they also raise “very delicate privacy issues.”

“There’s a lot of potential for these apps to have a positive impact, in the area of both physical and mental health,” he said. “But the uncontrolled use of private information can lead to stigmatization and discrimination, which means there’s also the potential for great social harm.”

Lleras said the threshold for privacy and identity protection should be as high for medical apps as it is for financial information.

“Nobody would use TurboTax if they didn’t think it was safe. We should set the bar just as high for health information,” he said.

More information

There’s more on health privacy on mobile devices from

Source: HealthDay
