One would assume that privacy policies would matter more for health and fitness apps than for many other types of app, given the types of data they collect. However, according to a recent study performed by the Washington DC think tank The Future of Privacy, health and fitness app privacy policies are often nowhere to be seen. Only 60% of the apps assessed for the study actually had privacy policies, compared to 76% of general apps.
The results of the study are concerning. Many of the apps collect sensitive data – data that would be classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The apps can collect physiological data such as heart rate via sensors and users are required to enter detailed personal data into the apps. Information such as age, gender, date of birth, weight, height, and other personal data are often required. However, many apps fail to inform users how those data will be used and with whom those data will be shared.
Apps that users pay for fare the worst when it comes to privacy policies. The study revealed that free health and fitness apps were more likely to have privacy policies in place, although only marginally.
Consumers are now more aware of HIPAA regulations than in years gone by, in part due to the efforts of the Department of Health and Human Services’ Office for Civil Rights. Since the types of data collected by wearable devices and fitness trackers are the kinds of data covered under HIPAA Rules, consumers may mistakenly assume that their data will be protected and kept private. However, HIPAA only applies to data that have been collected by a HIPAA-covered entity or a business associate of a HIPAA-covered entity.
App developers are only classed as business associates of HIPAA-covered entities when there is a business association between the developer and a healthcare provider, health insurer, or other covered entity. Oftentimes there is no such association, so any data collected will not be subject to HIPAA Rules. Many consumers may not realize there is a distinction, and the personal data they enter into their apps, or that the apps collect, may actually be far from private.