mHealth Apps: Popular, but a Privacy Concern

Despite their popularity, mHealth smartphone apps often lack the privacy policies that protect patient data from dissemination to other sources, new research has found.

According to a study published in the Journal of the American Medical Informatics Association, only 30% of the 600 most popular medical apps had a privacy policy—and most of those policies were either lengthy or hard to understand.

“There is an unmet expectation by app users that when using a health app, they are protected,” said Kenneth Mandl, MD, MPh, Harvard Medical School professor at the Boston Children’s Hospital Informatics Program, in an e-mail to Pharmacy Times. “The average citizen does not understand that mobile apps not managed by covered entities are not regulated in their use of protected health information.”

Apps examined included fitness trackers and other simple guides, first aid apps, medical calculators, chronic disease management tools, and health records, according to Ali Sunyaev, PhD, assistant professor in the Department of Information Systems at the University of Cologne in Germany (via e-mail to Pharmacy Times).

The apps examined are only a fraction of the more than 35,000 apps available for Android and/or Apple devices.

“The most serious problems with leakage of health data are stigma associated with disease conditions, and insurability for health, disability, and life insurance,” Dr. Mandl said. “Users may also be subjected to unwanted targeted marketing of products. Some users may object to the resale of their data without permission.”

A typical policy contained close to 2000 words and required a reading level above an eighth-grade level. In contrast, most newspapers and magazines are written on a fifth- to eighth-grade reading level.

Apps for Apple devices were more likely to have privacy polices than apps for Android devices, but app category and pricing did not influence whether an app had a privacy policy, the researchers wrote.

“The complexity is definitely an issue, and reading grade levels should be reduced,” Dr. Sunyaev said. “Length might actually suit the interested reader. It is, however, necessary to ease information retrieval, for example, through enhanced structuring or filtering mechanisms.”

Furthermore, the privacy policies that did exist tended to focus on topics that were not related to the app, such as the developer home page or other services the developer offers, the researchers found. Those statements do nothing to protect patient privacy, Dr. Sunyaev said.

The removed, legalistic tone of most privacy policies may be at odds with patients’ concerns regarding their personal health information, the researchers said. Despite this, patients continue to purchase the apps and rate them highly. That acceptance could relate to several potential factors, including trust in the overall legal system, a phenomenon known as the privacy paradox (choosing short-term benefits despite potential exposure to long-term harm), or not understanding the privacy risks.

There are several potential solutions for addressing the lack of privacy policies and the policies’ complexity, Dr. Sunyaev said. “Enforcement of readability tests might help,” Dr. Sunyaev said. “First of all, it is, however, necessary to sensitize developers, practitioners, and users to the issue. Little additional efforts, like writing privacy policies instead of copying them, offering an additional short version, or enriching them with links, could lead to an immense improvement over the current state. User-generated privacy polices (eg, through crowdsourcing) present another potential solution that doesn’t even require provider buy-in, and would by design lead to privacy polices offering the information users are looking for.”