Health Apps Sharing Sensitive Information With Many Third Parties, Says FTC Research
Health apps are collecting and sharing sensitive information with a variety of third parties, said the FTC’s initial contribution to the limited study of health app data sharing practices. The information shared ranged from a smartphone’s screen size and model type to a phone’s unique device identifier (UDID) to individuals’ names and email addresses to keywords such as “ovulation,” “pregnancy” and “baby,” said Jared Ho, an attorney in the FTC Mobile Technology Unit. Ho presented the findings Wednesday during the commission’s seminar on consumer-generated and controlled health data.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Prior research on the topic has revealed ubiquitous health-data sharing, inadequate security protections and a lack of public understanding about the subject, said industry, government and privacy advocates during a later panel. Consumer habits reveal a proclivity that is not going away for generating and sharing health data electronically, said Sally Okun, vice president-advocacy, policy and patient safety at PatientsLikeMe, an online forum for individuals with chronic illnesses to share health information. Three-quarters of adults are online “looking for information” and 60 percent of those are looking for health information, she said.
And the rollout of the Affordable Care Act (ACA) means patients “are really being put at the center of their care,” said Joy Pritts, chief privacy officer for the Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology. The ACA increases people’s ability to “view, download and transmit their information,” Pritts said. This hopefully enables more holistic healthcare, but it also proliferates opportunities for people to move their health information outside of the jurisdiction of the Health Insurance Portability and Accountability Act (HIPAA) and its privacy protections, she said.
Of the 12 free health apps the FTC examined, all transmitted information to their developer websites and 76 additional third-party companies, Ho said. The apps ranged from those that synced with wearable devices, to daily activity diaries, to symptom input apps, to pregnancy and diabetes apps. Of those 76 third parties receiving data, 18 got device identifiers such as UDID, MAC address or International Mobile Equipment Identity; 14 received a specific consumer identifier like a user name, actual name or email address; and 22 got less-sensitive consumer information such as medical symptoms, geolocation data or ZIP code information. The FTC’s review was limited in scope, Ho said. It did not comment on any of the apps’ privacy policies or follow data beyond its first transition from the app to a third party, he said.
The research built on two 2013 studies, Ho said -- a July study by Privacy Rights Clearinghouse, which found many health apps had no privacy policies and used poor encryption methods (http://bit.ly/1bJSxON), and a study from analytics company Evidon showing the top-20 health apps shared data with as many as 70 third-party companies (http://bit.ly/1oqVAxb).
Much of this sharing falls outside of HIPAA, said FTC Chief Technologist Latanya Sweeney. Even 33 states are selling or sharing personal health data, said Sweeney, and only three of those states adhere to HIPAA. Sweeney’s research has shown de-identified data shared by the states can often be re-identified using basic information any employer or bank would have, raising concerns about hiring and credit discrimination based on health information, she said. Christopher Burrow, executive vice president-medical affairs for health IT company Humetrix, said the HIPAA guidance advises that given information on gender, ZIP code and date of birth, one could identify 50 percent of Americans.
Sweeney has told us previously she thinks the FTC could provide a leading role in health data privacy -- either through providing states and industry with effective de-identification guidelines or through building technology to help de-identify data or locate exposed sensitive data. Privacy advocates have also pushed for the FTC to get more authority to regulate health data privacy, a job it currently shares with HHS.
Center for Democracy & Technology Chief Technologist Joe Hall is a privacy advocate pushing for a bigger FTC role. But it “could be really difficult” for the commission to create one “standard” guideline for de-identification, he said during Wednesday’s panel. “Some of these things are case-by-case considerations,” he said. De-identifying data is walking the fine line between protecting individuals while retaining the utility of the data for research and other legitimate purposes, said Hall. “You can’t really do that in a generic way,” he said. PatientsLikeMe’s Okun agreed. “What constitutes” health data “might look very different if you're a payer or a clinician” than for a patient, she said. Okun did say there should be uniform rule requiring businesses to have “some inherent responsibility for acknowledging the ability to re-identify information."
"There’s not a single rule that governs everybody,” said HHS’s Pritts. “Government has a role” in writing regulations to protect privacy, but “vendors and app developers and device vendors, they're also responsible for building in security into their products,” she said. “It’s really a cultural change we're trying to make here.”