Steven Chan MD, MBA and Iltifat Husain MD contributed to this article

There are a lot of great free medical apps out there.

Epocrates gives us a free comprehensive drug reference. Medscape summarizes an incredibly wide range of disease. The list goes on and on.

Many free apps aren’t really free, though. We talked about the hidden price of free medical apps about two years ago, an issue that was later highlighted in the New York Times as well. In essence, the price of these apps is that we share enough personal information to enable targeted advertising, surveys, and so on.

What may come as a surprise to many healthcare professionals is that many apps they frequently use like Medscape and Epocrates share users’ names, NPI numbers, and other identifying information with pharmaceutical advertisers. As it turns out, Facebook and Twitter have stricter privacy policies than some of your favorite free medical apps.

According to the Epocrates’ privacy policy, identifying information, including a user’s name, may be shared with an advertiser if the user “engage[s] with such clients’ promotional content.”



According to Medscape’s privacy policy, user’s that click on promotional content within the app can have their name, specialty, and country of practice shared with the advertiser.



Medscape and Epocrates are not alone here. You can find similar statements in the Doximity privacy policy as well. It is, however, not a totally universal practice. While Skyscape’s privacy policy is somewhat ambiguous, Skyscape’s support team told us very specifically that they do not share customer information with outside sources, including advertisers.

A recent study published in JAMA highlights that this practice is not limited to the app world. In their evaluation of privacy policies, the investigators found that the majority of medical communication companies–groups that create educational content like online CME activities–explicitly stated that they shared personal identifying information and other details with third parties like advertisers and sponsors.

To be fair, we do live in a society where people trade privacy for free services. Facebook and Twitter are both classic examples of that. However, unlike the examples we cited above, neither Facebook nor Twitter share identifying information with their advertisers

For example, according to Facebook’s privacy policy,

“When we deliver ads, we do not share your information (information that personally identifies you, such as your name or contact information) with advertisers unless you give us permission.

Your trust is important to us, which is why we don’t share information we receive about you with others unless we have: received your permission; given you notice, such as by telling you about it in this policy; or removed your name and any other personally identifying information from it.”

We had the opportunity to talk to Heather Gervais, Senior Vice President at Epocrates, who described a market shift that preceded Epocrates’ update to their privacy policy in Spring, 2013. As Ms. Gervais described to us, sharing of personally identifiable information had become critical for the efforts of pharmaceutical companies that were shifting to marketing strategies based on highly specific targeting and “engagement” tracking. The basic idea is that pharmaceutical companies track their interactions with healthcare professionals (HCPs) targeting how many times they “engage” with a HCP about a particular topic. To do that, you need identifying information.

According to Ms. Gervais, Epocrates conducted user surveys, consulted with their physician advisory board, and discussed it with others in the industry before making the change. Ultimately, Epocrates determined that such focused marketing would help deliver relevant and meaningful information to the appropriate HCPs that could actually use it and also limit “shotgun” advertising that bombards many clinicians. By March 2013, she also notes that pretty much all of Epocrates’ peers had long since made this change. Since that time, Ms. Gervais notes that this type of information sharing has been pretty standard in the industry.

Both Epocrates and Medscape note that they do not share users’ contact information with advertisers. I’d be surprised, however, if some part of the billions of dollars that pharmaceutical companies spend on advertising doesn’t include creation of databases that could readily match the name of a physician who clicked on an Epocrates DocAlert or Medscape sponsored section to their contact information, closest rep, prescribing data, and more.

The personal information that we share with everyone from Epocrates and Medscape to Facebook and Twitter is used for targeted advertising – that’s pretty well known. That’s a tradeoff clearly a majority of people are willing to make. When it comes to medical apps, there is often another level of disclosure – your personal identifying information being shared with advertisers to enable a very sophisticated marketing strategy.

As we recently highlighted, it is important users develop an app literacy so they know what questions to ask about apps they are using. Some users may opt for paid versions of apps that have more stringent limits of personal information sharing (incidentally, there is no such difference for Epocrates apps). Others will prefer the free version and accept the hidden “price” of the app. At the end of the day, it is important that the end user – in this case healthcare professionals – ask the right questions of apps they are using and make their own informed decisions.

One question for healthcare professionals to ask of medical apps they are considering using, particularly those that obtain detailed personal information, is how personal information is used. Here, the answer is readily available in the privacy policy of these apps. It is ultimately up to the end-user (the healthcare professional) to decide if they are willing to make this trade for a free resource.