Digital

What do mHealth apps share about users? Guidelines demand clarity

Mobile health (mHealth) apps need to clearly state what their privacy policies are, give people a chance to deliberately opt in or out of the app sharing their personal information, and be in full compliance with all applicable laws, rules and regulations, according to recently released guidelines. 

HIT trends in health care

Earn CME from AMA Ed Hub™: Explore the benefits and challenges of existing health information technology and get insight into developing innovations.

Learn More

The guidelines were developed by Xcertia, an independent nonprofit that the AMA and other major health and technology organizations founded. When developers comply with the Xcertia mHealth App Guidelines—which include sections that address privacy, clinical content, security, design and operability—it helps provide a level of assurance that an mHealth app delivers value to patients, physicians and other users. 

The guidelines are as much for developers as they are for consumers and physicians, said Michael Hodgkins, MD, Xcertia chair and AMA chief medical information officer.

For developers, the guidelines are a roadmap to develop apps that are compliant with the strictest privacy guidelines and consistent with what consumers expect when it comes to privacy. For consumers, the guidelines help ensure they can see how the app will use their information and gives them a chance to decide whether they are OK with that policy. 

Related Coverage

Doctors get new way to voice medical technology development needs

Today, it is not uncommon for apps to not completely address their privacy policy. And, if an app does address privacy, it often may not be in a way that is easy for users to see or does not give users control of how the information is used. The guidelines set out to change that, Dr. Hodgkins said. 

“Personal health information can be very sensitive. There is always an issue of what use, if any, will be made of your personal data,” he said. “Do you have a right to consent or not? Can you change your consent? Are they telling you if the data is being sold or shared with a third party? If they are saying that the data is going to be sold, do you have a clear opportunity to opt out or in of that sharing?” 

And Dr. Hodgkins pointed out that even if data is deidentified, it can often be reidentified especially with the use of augmented intelligence (AI), often called artificial intelligence. In the most extreme case, that could be used against someone. For example, being denied health insurance. More commonly, though, is the question of why a third party should profit off the use of someone’s personal data without their consent. 

“Developers need to clearly state what their privacy policies are and clearly state whether they are sharing or selling the information they are gathering,” Dr. Hodgkins said. “And you can’t default that someone approves. You need to make it a deliberate choice in the app.”

Related Coverage

5 things you didn’t know about health care cybersecurity

5 keys for mHealth app developers 

In addition to guiding developers to clearly describe how the organization collects, uses and retains data, the guidelines outline five other areas that developers need to consider when it comes to privacy. 

Retention. The app must tell users how long it retains data. 

Access mechanisms. The app must tell users whether it accesses local resources -- such as the address book, camera, photos, SMS or MMS messaging, GPS or other information on the device --  or if it accesses resources from and/or for social networking platforms. The app must explain how and why the information is used and must get opt-in consent from users. 

Health Insurance Portability and Accountability Act (HIPAA) entity of business associate. If the app, on behalf of a covered entity or business associate, collects, stores or transmits HIPAA-defined protected health information, it must fully comply with HIPAA and all applicable state and international laws, rules and regulations.  

Children’s Online Privacy Protection Act. The app needs to follow applicable laws and regulation designed to protect children. 

General Data Protection Regulation (GDPR). If intended for use in the European Union, the app must comply with applicable laws and regulations related to the European Union GDPR. 

The AMA involvement in Xcertia stems from a 2016 policy recommended in an AMA Council on Medical Service report.