Physicians might think twice about advising patients to use some mobile health and fitness apps. A July report indicates that many of those apps compromise patients’ privacy. Just recommending apps may put doctors at risk for violations of the Health Insurance Portability and Accountability Act (HIPAA).
Privacy Rights Clearinghouse, a nonprofit advocacy organization in San Francisco, sponsored a study of 43 popular free and paid apps that were made for consumer use. Apps used by health professionals were not part of the study.
The technical evaluation covered three things: the apps' privacy policies, the data each app stored on the device after researchers installed and used it, and the network traffic between the apps and the Internet.
Many of the apps sent data over the network unencrypted, to advertisers among others, probably without users' knowledge. Seventy-two percent of the apps exposed personal information, which could include dates of birth, location, ZIP codes, medical information, email addresses, first names, friends, interests and weight. Some apps sent information to as many as 10 third parties.
More than 75% of free apps and 45% of paid apps used behavioral tracking, usually through third parties, according to the study.
“A worrying finding was that many of these apps sent personal information to third parties” without customers’ knowledge, said Beth Givens, founder and director of Privacy Rights Clearinghouse. “Consumers should assume that their information is being sent to third parties if they use these apps. If they feel the least bit uncomfortable with that, they should not use it.”
Social media is already a HIPAA privacy minefield for doctors. By recommending apps that compromise patients' privacy, doctors could be seen as complicit in any resulting breach, although there is no apparent legal precedent for that.
It's not just physicians; app developers could be at legal risk. The report recommended three ways app developers could avoid privacy violations: encrypt the network connection between the app and any Internet server, avoid third-party advertising and analytics services, and take care how they transmit privacy-sensitive information.
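As an added illustration, not code from the Privacy Rights Clearinghouse study or from American Medical News, the following Python script applies the study's evaluation approach (inspecting traffic between the app and the Internet) and the three developer recommendations above to a handful of constructed request records: each request is flagged for plaintext transport, for a third-party destination, and for the kinds of personal data the study found exposed. The hostnames, the parameter names and the vendor's first-party domain are assumptions made for the example.

```python
"""Audit captured app-to-Internet requests against the three recommendations.

Added example, not code from the Privacy Rights Clearinghouse study.
The request records below are constructed; hostnames, parameter names and
the app vendor's domain are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Kinds of data the study reported being exposed. The parameter names an app
# would actually use are an assumption; extend the set for the app under test.
SENSITIVE_FIELDS = {
    "dob", "birthdate", "lat", "lon", "zip", "diagnosis", "medication",
    "email", "first_name", "friends", "interests", "weight",
}


@dataclass
class Request:
    """One outbound HTTP request observed from the app (e.g. via a proxy)."""
    method: str
    url: str
    body: dict = field(default_factory=dict)


@dataclass
class Finding:
    url: str
    plaintext: bool        # http:// rather than https://
    third_party: bool      # host outside the app vendor's own domain
    sensitive: frozenset   # sensitive parameter names seen in query or body


def is_third_party(host, first_party_domain):
    """True unless host is the vendor's domain or a subdomain of it."""
    if host is None:
        return True
    return not (host == first_party_domain or host.endswith("." + first_party_domain))


def audit(requests, first_party_domain):
    """Score each request on transport, destination and data sensitivity."""
    findings = []
    for req in requests:
        parts = urlsplit(req.url)
        names = {k.lower() for k, _ in parse_qsl(parts.query)}
        names |= {k.lower() for k in req.body}
        findings.append(Finding(
            url=req.url,
            plaintext=parts.scheme.lower() != "https",
            third_party=is_third_party(parts.hostname, first_party_domain),
            sensitive=frozenset(names & SENSITIVE_FIELDS),
        ))
    return findings


def summarize(findings):
    """Counts a reviewer would report for one app."""
    return {
        "plaintext_with_pii": sum(1 for f in findings if f.plaintext and f.sensitive),
        "third_party_with_pii": sum(1 for f in findings if f.third_party and f.sensitive),
        "third_party_hosts": sorted({urlsplit(f.url).hostname for f in findings if f.third_party}),
    }


# Constructed traffic for a hypothetical fitness app whose vendor owns
# example-fitness.test; the other two hosts stand in for an ad network
# and an analytics service.
SAMPLE_TRAFFIC = [
    Request("POST", "https://api.example-fitness.test/v1/sync", {"weight": 81, "steps": 9000}),
    Request("GET", "http://ads.example-adnetwork.test/track?zip=94103&interests=running&dob=1980-05-01"),
    Request("POST", "https://metrics.example-analytics.test/event", {"event": "open", "email": "pat@example.test"}),
    Request("GET", "https://cdn.example-fitness.test/images/logo.png"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_TRAFFIC, "example-fitness.test"):
        flags = [name for name in ("plaintext", "third_party") if getattr(f, name)]
        print(f"{f.url}\n    flags={flags} sensitive={sorted(f.sensitive)}")
    print(summarize(audit(SAMPLE_TRAFFIC, "example-fitness.test")))
```

On the constructed traffic the ad-network request fails all three checks at once (plaintext, third party, and carrying ZIP code, interests and date of birth), while the analytics request passes the encryption check yet still leaks an email address to a third party, which is the case the study's second recommendation is aimed at. A developer can run the same checks against a proxy capture of their own app before release; the sensitive-field list and the first-party domain are the two inputs that must be adapted to the app.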
Source: American Medical News, August 5, 2013.