American Medical News
By — Posted Aug. 5, 2013
Physicians might think twice about advising patients to use some mobile health and fitness apps. A July report indicates that many of those apps compromise patients’ privacy. Just recommending apps may put doctors at risk for violations of the Health Insurance Portability and Accountability Act.
“Even suggesting an app to patients — that’s a gray area,” said Marion Neal, owner of HIPAASimple.com, a HIPAA consulting firm for physicians in private practice. “Doctors should avoid recommending apps unless they are well-established to be secure.”
Privacy Rights Clearinghouse, a nonprofit advocacy organization in San Francisco, sponsored a study of 43 popular free and paid apps that were made for consumer use. Apps used by health professionals were not part of the study.
The technical evaluation of these apps included an analysis of mobile application privacy policies. Researchers installed and used the apps to see what data were stored on the apps. They also looked at the communication between the apps and the Internet.
Many of the apps sent unencrypted data to advertisers, probably without users’ knowledge. Seventy-two percent of the apps exposed personal information that could include dates of birth, personal location, ZIP codes, medical information, email addresses, first names, friends, interests and weights. Some apps sent information to as many as 10 third parties.
Data were sent to app developers’ websites and third-party sites for analytic and advertising purposes.
More than 75% of free apps and 45% of paid apps used behavioral tracking, usually through third parties, according to the study.
Paid apps, which ranged from less than $1.50 to more than $10, posed less risk to users’ privacy. That’s probably because they don’t rely only on advertisers to make money, according to the study.
“A worrying finding was that many of these apps sent personal information to third parties” without customers’ knowledge, said Beth Givens, founder and director of Privacy Rights Clearinghouse. “Consumers should assume that their information is being sent to third parties if they use these apps. If they feel the least bit uncomfortable with that, they should not use it.”
Neal said social media can be a privacy minefield for doctors regarding HIPAA rights. Recommending a social app may seem like a way to encourage patients to engage in their health that doesn’t pose any risks. But the law might not see it that way, he said.
By recommending apps that compromise patients’ privacy, doctors could be seen as complicit if there is any breach, although there is no apparent legal precedent for that.
It’s not just physicians; app developers could be at legal risk. The report recommended three ways app developers could avoid privacy violations. Developers should use encrypted network connections between the app and any Internet server, not use third-party advertiser or analytics services, and be careful how they send privacy-sensitive information.
HIPAA rulings generally are favoring patients’ privacy rights, Neal said. In a recent court case, a physician group was found to be in violation of HIPAA because doctors used public e-mail to discuss patients’ health. If they had used secure e-mail through their business, they could have avoided the violation, he said.