Health and fitness apps may potentially reveal data-enabled insights into the daily lives of those who use them, but what they sometimes fail to reveal are the ways they use the data collected on users. A recent study from the Future of Privacy Forum, a Washington, DC-based think tank that works to advance responsible data practices, found that — compared with other apps in the iOS and Android marketplaces — health and fitness apps lag in privacy policies, with about 60 percent offering such information compared to 76 percent of general apps.
“While consumers might reasonably expect that any app that collects health and fitness information would be more than likely than general purpose apps to describe its privacy policies and practices, that is not always the case,” the authors write. “Given that some health and fitness apps can access sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device, their below-average performance is both unexpected and troubling.”
The report was undertaken as a follow up to similar studies conducted in 2011 and 2012 examining the prevalence of privacy polices in the most popular mobile, with this report building on previous findings to explore the privacy policies of the “most sensitive categories” of apps.
But whether the consumer has access to privacy policies for their apps is just the tip of the privacy spear. A study by the Department of Health and Human Services was much more concerned with the fact that wearable fitness trackers, social media sties where individual health information through specific social networks and other technologies of today did not exist when Congress enacted HIPAA. If an app is not offered by a HIPAA covered entity or a business association (as is the case with most wearables fitness trackers) it is outside the scope of HIPAA protections.
“Sharing information electronically can offer real benefits, such as saving time, improving services and increasing engagement,” the HHS study states. “However, it also exposes the shared information to additional risks.”
Pointing to the 2015 Federal Trade Commission’s report on the Internet of Things, the HHS report mentions the widespread nature of data sharing and collection have outpaced the ability to keep up with security protections of health information.
A major concern was social media, where consumers often share information without the awareness of possible future uses of health information. The report referenced one study examining social network sites targeting people living with diabetes and found less than half of the sites offered safeguards for protecting the individuals’ personal health information. It also found conflicts of interest, such as ties to the pharmaceutical industry, which were not disclosed to the people using these sites.