Privacy Regulations Don't Cover Most Health Apps

There are apps that can help people with diabetes keep track of their blood sugar and apps that can attach to a blood pressure cuff and store blood pressure information. I use an app called ZocDoc to schedule and manage doctor's appointments. Every time I see a therapist or a primary care doctor or dentist, the data get stored in my personal account.

But we leave behind other trails of health data, too, from apps and activities that are sometimes only tangentially health related. When I walk down the street, an app on my phone logs steps as it bounces against my thigh. When I swipe a loyalty card at the pharmacy, the over-the-counter medications that I buy become bits of data attached to my name. Medical information can be gleaned from all this and more, says Nathan Cortez, a professor of law at the Southern Methodist University Dedman School of Law.

Those data aren't always protected. A recent report from the Department of Health and Human Services showed that the vast majority of mobile health apps on the marketplace aren't covered by the Health Information Portability and Accountability Act. "HIPAA is pretty narrow as far as these things go. It applies only to traditional entities [like hospitals, doctors and health insurance providers], and it's not surprising. HIPAA was written by Congress in 1996 before we had health apps," Cortez says.

Apps or devices used in conjunction with a doctor's office or a hospital can't share or sell your information. But there's no definitive federal law governing what happens to the data that an app developer, tech company or private individual collects. Cortez and I spoke about what that means and what people can do with individuals' data. This interview has been shortened for length and clarity.

So if you share your data with a physician or a hospital, then it's covered under HIPAA. If you share it with someone like Apple, then it's not?

Yeah, that's right. If your physician tells you to use an app and tells you to share that data with her, then for most purposes that data-sharing would be covered by HIPAA. And physicians have professional obligations to maintain confidentiality. So if you're sitting and show them data on your app but don't send it to their computer, they would have professional obligations under state law to keep that information confidential.

Now let's say there's an app made by a third-party developer. It's not covered under HIPAA. Then you take that data and send it to your physician, who puts it into your medical record. The data in your medical record would be covered by HIPAA. The data that the third-party app developer has would not.

It's literally that identical bits of data in different computers have different protections. The data the app developer has are not protected, while the very same bits of information in the doctor's computer are?

Yup. But the Federal Trade Commission has taken a few enforcement actions where mobile app developers made privacy promises but haven't kept those promises. If you're an app company you might not be governed by HIPAA, but you have to be careful to do what you're saying you're doing with that information. If you're engaging in any unfair or deceptive practices with regards to user data, the FTC could swoop in and take action.

What are the kinds of data that mobile app developers and tech companies have that people might be concerned about?

There's quite a few thoughtful researchers in this space who basically say that any data can be health data. Your online search terms, location, all of these are combined into a kind of profile of each of us. There's the famous case of Target sending mailers to a house because they accurately predicted the high-school-age daughter was pregnant. That was all predictive analytics based on shopping patterns and the like.

If you start shopping for certain goods and analytics online, it's not that hard for companies to figure out what medical conditions you might be dealing with.

Amazon has these shopping lists or wish lists that are public. I realized that somebody with my email address could probably learn a lot about me just based on what I have on that shopping list. Or if you're sending more texts than usual that could that mean you aren't feeling so great that day — that kind of thing?

Yeah, or what words are you using? Do you check into certain restaurants? Your gym patterns? Your travel patterns? There's a huge industry that's emerging around this data-gathering where you can predict a lot and ascertain a lot about people from data where on its face doesn't seem like health data. You can learn a lot about someone's health, even really intensely personal information, by analyzing this information.

Do you think an employer purchasing those data could use the information to figure out whether you have a certain medical condition that might give the company second thoughts about hiring you?

The discrimination question is really interesting and really scary, potentially. We have laws that inhibit medical insurance companies from discriminating based on your past medical history. But you can take a lot of data points and make inferences that get you to the same spot.

Legal scholars are wondering — is this a backdoor way to discriminate against insured populations based on their medical history? There's a company called Oscar based out of New York that has [become] really popular. They market themselves as a next-generation health insurance company where we're smart and we're data driven, we use modern technologies, we're not an old stodgy health insurance company. They give you an incentive to use [wearables] and use apps [to track exercise and give an opportunity to earn rewards].

But if you're using a Fitbit and you have a desk job and you sit around, will you be charged premiums for that or denied coverage in the future? Can we measure people's health risks in advance based on data points that individually seem innocuous but put together paint pretty detailed pictures?

Of course, some people would be happy to share those data, right? We do it all the time to get better traffic information. We could potentially be getting much better health care and health apps by freely sharing our information.

Of course! Not all consumers want their data to be locked up and in silos and kept confidential. I went to a conference at Stanford last month, and a bunch of patients there wanted their data to be open and free. One good thing about health going online is you have patient communities with chronic or difficult diseases where patients can find and help each other.

But there are certain egregious practices [from data brokers] that are predatory and abusive. It's very tricky to come up with a legal system that will work for everybody.

So, say I'm a consumer who wants to use these apps. How do I check and make sure that my data are protected to my satisfaction?

It depends on your level of concern. If it's very sensitive and you're very concerned, I wouldn't use an app unless it's from a traditional provider. If you're going to a hospital and they have an app that allows you to access records, which should be protected by definition.

If you're downloading ... fitness tracking, health, lifestyle apps or even apps for chronic disease that aren't being offered by traditional providers, there's a good chance it's not covered by HIPAA. If you are concerned, read the privacy policy. Unfortunately, they're written by lawyers and aren't always clear. That's a lot of work for a consumer. It's a very buyer-beware market.

This story is part of the bonus material for NPR's podcast and show Invisibilia, which this week tells the tale of a woman who used a blood-glucose monitoring app to track the health of her twin sister from afar.

Copyright 2016 NPR. To see more, visit http://www.npr.org/.