FTC and OCR raise caution over privacy concerns in mobile health apps

Anne Freer | July 25, 2023


Amid growing concerns about data privacy and security in the healthcare app sector, the Federal Trade Commission (FTC) and the US Department of Health and Human Services’ Office for Civil Rights (OCR) have taken a proactive step to address potential risks. In a joint letter, they have reached out to nearly 130 hospitals and health-app developers to caution them about the use of online tracking technologies.

The potential safety risks of health apps

One of the main issues the FTC and OCR raise with health apps concerns tracking technologies such as Meta Pixel and Google Analytics, which can collect personally identifiable information from users as they interact with healthcare websites or mobile apps.

What’s worrisome is that users may not always be aware of this data collection, and in many cases, they may have limited or no means of avoiding it.

A study published in 2021 by the BMJ revealed serious privacy issues in over 20,000 health-related mobile apps (mHealth apps).

Of the estimated 99,366 medical and health apps on Google Play and Apple Store, researchers found that 88% of mHealth apps could access and potentially share personal data.

Figure: Data collection operations in mobile health (mHealth) apps files and code. Source: BMJ

Data transmissions occurred on insecure channels, with top third parties responsible for most data collection operations, including tech giants like Google and Facebook.

Shockingly, 28% of mHealth apps had no privacy policy, and at least 25% of user data transmissions violated stated policies. Experts have long emphasised the need for greater regulation and accountability in the industry to protect user privacy.

Figure: Consistency of data collection disclosure in privacy policy with user data transmissions in apps traffic. Source: BMJ

Raising awareness

The letter states:

“Impermissible disclosures of an individual’s personal health information to third parties may result in a wide range of harms to an individual or others. Such disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment, and more,” the agencies wrote.

“In addition, impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others,” they added.

The aim of the communication is to raise awareness among healthcare providers and app developers about the potential privacy implications of these tracking tools. By doing so, the FTC and OCR hope to encourage better data protection practices and ensure that users’ personal information is handled responsibly and transparently within the healthcare ecosystem.

After all, disclosure of such information could violate the Health Insurance Portability and Accountability Act, as well as the FTC Act.

Key takeaways

  • FTC and OCR caution health-app developers on privacy risks from online tracking technologies
  • Privacy issues affect over 20,000 health-related mobile apps
  • Data breaches in health apps could lead to identity theft and other serious negative consequences
