Health and Fitness App Privacy Policies Often Absent, says Think Tank

One would assume that privacy policies would matter more for health and fitness apps than for most other types of apps, given the kinds of data they collect. However, according to a recent study by the Washington DC think tank The Future of Privacy, health and fitness app privacy policies are often nowhere to be seen. Only 60% of the apps assessed in the study had a privacy policy, compared with 76% of general apps.

The results of the study are concerning. Many of the apps collect sensitive data of the kind that would be classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) if a covered entity were collecting it. The apps can gather physiological data such as heart rate via sensors, and users are required to enter detailed personal information into them: age, gender, date of birth, weight, height, and other personal data are often mandatory fields. Yet many apps fail to tell users how that data will be used and with whom it will be shared.

Paid apps fare worse than free ones when it comes to privacy policies. The study found that free health and fitness apps were more likely to have a privacy policy in place, although only marginally so.

Even when a health and fitness app has a privacy policy, it is not always easy to find. For instance, only 66% of the sleep tracking apps surveyed had a privacy policy at all, and of those, just over half linked to it from the app store listing. Period trackers fared better, with 80% having a privacy policy and 63% linking to it from the app store.

The situation is certainly improving. More apps have privacy policies in place now than in previous years, but the percentages are still concerning. Consumers are often not told how their data is used and shared, or the information is not readily accessible. In many cases consumers have to search for the privacy policy, and a visit to the app developer's website is often necessary. For a paid app, the consumer will likely have purchased the app before learning how their data will be used.

Consumers are now more aware of HIPAA regulations than in years gone by, in part due to the efforts of the Department of Health and Human Services' Office for Civil Rights. Because the same kinds of data collected by wearable devices and fitness trackers are protected under HIPAA Rules when a healthcare provider or health plan holds them, consumers may mistakenly assume that the data in their apps will be protected and kept private. However, HIPAA only applies to data collected by a HIPAA-covered entity or by a business associate of a HIPAA-covered entity.

An app developer is only classed as a business associate when it provides a service involving PHI on behalf of a healthcare provider, health insurer, or other covered entity. Oftentimes there is no such relationship, so any data the app collects is not subject to HIPAA Rules. Many consumers may not realize this distinction exists, and the personal data they enter into their apps, or that the apps collect about them, may actually be far from private.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news