Health apps often lack privacy policies and share our data

Reuters Health - Just because a health app has a privacy policy doesn’t mean the data will remain private, an analysis of mobile tools for diabetes suggests.

In fact, privacy policies appear rare, and when they do exist, most state that user data will be collected and half warn that medical information will be shared with third parties.

“Simple privacy policies can help patients protect their personal information, but only 19 percent of the apps in our study had a privacy policy available pre-download,” said lead author Sarah Blenner, who did the study at IIT Chicago-Kent College of Law and is currently a public health researcher at the University of California, Los Angeles.

“App developers avoid privacy policies because they want to be able to share health information to advertisers without the knowledge of the users,” Blenner added by email.

One-fifth of smartphone owners had health apps in 2012, and 7 percent of primary care physicians recommended a health app to their patients, Blenner and colleagues write in their report in JAMA.

To get a sense of how well patient privacy is protected by apps for managing chronic disease, the research team focused on one common condition – diabetes.

They analyzed 211 apps available for download in Google Play, the online marketplace for the Android operating system that powers about 83 percent of smartphones worldwide.

For the subset of 41 apps with any privacy policy at all, only four said they would ask users for permission to share data, the study found.

Slightly more than half of the apps with privacy policies said they would collect data when the app was used or when people registered for an online account.

Just six of these apps, or 15 percent, explicitly stated that they would not collect personal information from children.

Sixteen, or 39 percent, said user data may be used for advertising purposes.

One limitation of the study is that the analysis focused on privacy policies available prior to downloads, not features available within the apps, the authors note. The study also excluded apps made for iPhones.

Even so, the findings likely apply to a wide variety of apps for different types of diseases, said George Annas, director of the Center for Health Law, Ethics and Human Rights at Boston University School of Public Health.

“Most apps want to sell medical information to marketers and are likely to think fewer people would use their app if they knew this,” Annas, who wasn’t involved in the study, said by email.

“Only patients who think it is OK for their physicians to sell all or parts of their medical records are likely to agree to this practice,” Annas added.

Generally, apps aren’t required to have clear privacy policies and there’s little incentive for them to provide specifics because it increases the odds that they could face liability for disclosing incorrect information, said Scott Kambler of KamblerLaw LLC in New York.

“Plus, we often see companies that just don’t know what’s happening with personal data,” Kambler, who wasn’t involved in the study, said by email. “They code apps and send data to third party affiliates or partners, but they don’t know what the third parties do with the data. In fact, the company offering the app may have hired a third party to develop the app and may not know what it does behind the scenes.”

SOURCE: JAMA, online March 8, 2016.