FTC wants big fine for ovulation-tracker app that shared user data

Tanya Albert Henry, Contributing News Writer

The Federal Trade Commission (FTC) is taking action against an app that lets users track their ovulation after it disclosed sensitive health data to third parties and deceived users about how it shared data.

The FTC charged the developer of the fertility app Premom with violating the Health Breach Notification Rule, claiming that the company shared users’ information with two China-based firms, disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of the unauthorized disclosures.

“Premom broke its promises and compromised consumers’ privacy,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “We will vigorously enforce the Health Breach Notification Rule to defend consumer’s health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”

It is encouraging that the FTC is taking action to hold app developers accountable for wrongly sharing patients’ personal information or sensitive health data, and the AMA is advocating that Congress give the FTC even greater power to regulate and enforce rules that safeguard patient privacy in this space.

Patient data in health apps often does not fall under the protections that health consumers have grown accustomed to under HIPAA, which was enacted before these tools were developed.

“The AMA is very supportive of patients having access to their information and using apps, but there are few guardrails to protect patient privacy,” said Matt Reid, the AMA’s senior strategic health IT policy consultant. “Congress needs to take data privacy seriously and enact legislation to protect individuals from the misuse of all their information—not just what’s generally considered health information.”

It is important to protect all personal information because a person’s data may be linkable to something that makes sensitive information identifiable. Depending on the context, typically nonclinical data such as geolocation could be used to deny or obstruct medical care.

Privacy is the cornerstone of the patient-physician relationship and the AMA is working to ensure that privacy is strengthened when online health care tools are used to improve patient care.

The “AMA Privacy Principles” (PDF), derived primarily from AMA policy, guide the organization in its advocacy efforts.

The AMA also has developed a resource, “Privacy is Good Business” (PDF), for app developers to use to help incorporate privacy from the very beginning of their design process. The guide outlines AMA’s privacy principles and pairs them with actions companies can take to give patients and physicians more confidence when using or recommending their products.

Illinois-based Easy Healthcare Corp. operates the Premom app, which is free to download and used by hundreds of thousands of users.

The FTC’s proposed order, which a federal court must approve to take effect, would bar Easy Healthcare from sharing users’ personal health data with third parties for advertising, require the app to obtain users’ consent before sharing health data for any other purpose, and require it to tell consumers how their personal data will be used. The company also would pay a $100,000 civil penalty for violating the Health Breach Notification Rule.

The FTC complaint, among other things, says that Easy Healthcare’s privacy policies repeatedly and deceptively promised users that the company would not share their health information with third parties without users’ consent and that any data collected was nonidentifiable and only used for the company’s own analytics or advertising.

Easy Healthcare, the FTC further says, didn’t take reasonable measures to address privacy and data-security risks created when it used third-party automated tracking tools known as software development kits and shared health information for advertising purposes without getting users’ express consent.

Premom is the second entity the FTC has taken action against under the Health Breach Notification Rule. In February, the FTC charged that GoodRx Holdings Inc., a telehealth and prescription-drug discount provider, violated the rule by failing to notify users about the company’s unauthorized disclosure of their personally identifiable health information to Facebook, Google and others.

Learn more about the AMA health data privacy framework.