FTC and OCR warn about privacy risks with health apps

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) are sounding the alarm over privacy risks posed by health and fitness apps.

In a joint bulletin issued this month, the OCR and FTC cited research showing many health apps leak sensitive patient information like medical conditions, prescription purchases, and mental health status to third parties without consent.

The agencies warn that this “impermissible disclosure of personal health information” can have damaging consequences for individuals and public health systems. The data collected by apps often lacks the protections required for the information shared directly with doctors under laws like HIPAA.

Regulators are particularly concerned about apps transmitting patient data via “online tracking technologies” embedded in the software. An investigation by The Markup found that 49 out of 50 telehealth apps sent at least some user information to tech company data trackers like Meta Platforms’ Pixel and Google Analytics.

The data leaked spanned the gamut from responses to intake forms detailing drug use and sexual history to exact names of prescribed medications. In some cases, patients’ names, email addresses, and phone numbers were transmitted alongside health details.

Apps are Mislabeling their Software as HIPAA-Compliant

OCR’s Andrew Mahler called it troubling that there are “ethical and moral gray areas” around health app data privacy. With laws lagging, responsibilities fall on both regulators and consumers to safeguard sensitive health information.

For HIPAA-regulated groups like providers and their business partners, OCR and the FTC note that any patient information transmitted via apps must comply with HIPAA Privacy and Security Rules. Non-covered entities also have obligations under the FTC Act to avoid “unfair or deceptive” practices like needlessly exposing consumers’ health data.

The agencies urge all health and fitness app developers to closely monitor data flows, remove unnecessary tracking technologies, and review privacy policies for compliance. In addition, they are prompting consumers to read the fine print carefully, limit what they share, and be wary of privacy claims that sound too good to be true.

Problems abound even with apps labeled “HIPAA compliant”. One company sent responses on drug use and mental health to Meta Platforms (META) despite claiming that its record-keeping systems were “100% confidential, secure, and HIPAA compliant”.

Experts warn that health data leaked from apps poses a myriad of risks to users going from discrimination and stigma to identity theft, targeted ads, and financial harm. Data brokers can also aggregate and resell users’ information ad infinitum without their consent or knowledge.

Consumers Should Avoid Health Apps Until They Are Appropriately Regulated

health apps statistics

According to data compiled by Insider Intelligence, over two-thirds of US adults are using health apps. The study indicates that in 2020 alone, more than 90,000 health apps were released on mobile marketplaces.

The most popular category in this segment is fitness and workout apps. In January 2023, data from Statista shows that these apps were downloaded nearly 21 million times resulting in a 24% year-on-year increase.

As health apps proliferate, the OCR and the FTC bulletin marks a critical first step toward regulating the space. Until comprehensive rules are in place, however, the responsibility lies with technology companies to voluntarily police the use of patient data and consumers to remain vigilant about what they share.

Given health information’s sensitivity, experts say the default approach for now should be extreme caution. As one researcher put it, using health and wellness apps requires “exposing a lot of the same information that would reveal within a protected health care relationship – but without the same protections”. For consumers worried about data privacy, avoiding health apps altogether may be the safest bet.