By: Haris Z. Bajwa JD [intellectual property lawyer with a focus on medical devices and mHealth]
While there is a lot of enthusiasm and buzz surrounding the release of Apple’s HealthKit and the Health app, there is no real conversation regarding the ownership of data related to users’ health metrics. Apple has highlighted the attractive features of this new platform along with stressing the involvement of the Mayo Clinic, a reputable medical institution, in this endeavor. While Apple loyalists and the general public are being lulled into a feeling of security based on these linkages and the availability of pseudo-privacy settings, such as a user’s ability to select aspects of data that may be shared with various applications interfacing with the HealthKit, Apple thus far neglects to clearly articulate any meaningful position on data ownership related to users’ health metrics.
Lack of clarity from Apple about use of health metrics data
It is pertinent to note that while Apple has released a few basic details about HealthKit and the related Health app, Apple has not yet addressed or released any details regarding privacy or health data but may do so by the time the Health app is released in full-fledged form. However, Apple’s lack of clarity on data ownership and controversy regarding their previous dealings with customers leave room for concern regarding a user’s ability to continually and meaningfully access their own health data. For example, the current information released about the Health app indicates that a user’s health metrics will be available to the user via only their iPhones — initial reports suggest that even iPads cannot be used. This raises the question of what happens if a user stops using their iPhones, perhaps switching to other platforms such as Android, or wants to use a computer to access such information.
Apple’s prior history of user’s “personal information” is muddied
Concerningly, based on Apple’s previous behavior with its former mobile customers, there is no reason to believe that the company will be any more accommodating of former customers with respect to their health data. For example, it has been well documented that when numerous iPhone users switched to Android devices, they were not able to receive texts from other iPhone users. Instead of addressing the underlying technical issues, Apple provided various run-around solutions, including suggesting disabling iMessaging if a user still had an active iPhone account, clearly a tough ask for former customers since they no longer had an active account. The iMessaging situation has led to lawsuits against Apple, pushing them to fix the bugs so that former iPhones users are able to receive texts from current users. With all the unknowns related to the Health app and the HealthKit platform, it certainly would be more reassuring if Apple’s previous behavior indicated a concern for ensuring continued access to personal data by their former customers.
Where does this leave potential users of iOS 8.0 and the HealthKit?
Users should be aware that while this platform may aid in enhancing their health management, unless Apple clearly articulates or provides avenues for transferring or downloading their health data, they may be stuck in a scenario similar to the iMessages situation. While lawsuits, public pressure, and some aspects of HIPPA regulations may force Apple to allow for the transfer of data in the future, users should be aware that there are no clear mechanisms available to access any aggregated health data at this time. In simpler terms, if Apple’s Health app is merely a repository for health metrics, there are currently no clear applicable laws that may be utilized to force Apple to transfer any aggregated health data to various platforms — Apple can create their own silo using your health metrics.
Who owns your health data? The bigger picture
Unless Apples explicitly states or advertises that health data collected by means of the Health app or the HealthKit platform will be owned by users, it appears that Apple (or developers of the mHealth or fitness applications using the HealthKit platform) will own the data or at least reserve a license to use such data. Data ownership or data licensing terms are likely to be spelt out in disclaimers presented on the first launch of the Health app. The ability to analyze, use, or possibly even sell user data is extremely valuable to data aggregators.
Data aggregators may use the captured data to build user profiles which indicate, among other things, user habits and user behaviors. For example, captured data related to users browsing history is used by Amazon to provide targeted advertising. The detailed health data collected by the Health app will provide Apple with a unique ability to build an individual’s exhaustive health profile — a profile which may provide numerous monetization opportunities. Therefore, due to the possible gold mine presented in the form of a person’s health data, it is likely that even if Apple does not explicitly preserve ownership of the health data, the disclaimer terms that will be presented will likely dictate that they they will at least have a license to use the collected data.
Will the disclaimers and the privacy policies protect users in accessing their data?
While certain limitations may exist regarding how this collected user data may be used by way of Apple’s privacy policies, application of HIPPA guidelines, public pressures, or impact of medical institutes such as the Mayo Clinic in this endeavor — there appears to be no general legal compulsions or limitations restricting Apple’s data ownership or data licensing rights. In fact, if Apple uses standard disclaimers and privacy policies used in current health and fitness apps, it is likely that the Apple or the developers will at least be licensed to use the data with minimal restrictions, if not outright owning the data.
What about other “health apps”?
General disclaimers and privacy policies associated with various popular fitness applications tend not to address any on-going rights to access such data. These disclaimers and privacy policies generally deal with data sharing, control of data, and privacy. For example, RunKeeper, a wildly popular health app, describes the data that it collects, restrictions on how it may be shared, Runkeeper ownership of certain data, etc. However, with respect to access to a user’s fitness information, RunKeeper merely promises access “[t]hrough the Services.” Inherently, accessing the fitness data using “Services” implies that access to data may not be gleaned by any other means other than using the RunKeeper app and, therefore, a user must continue to use this app to maintain access to this data. Another popular fitness app Lose It is a weight monitoring and calorie watching application. Similar to RunKeeper, Lose It’s disclaimers and privacy policies deal with collecting data and its integrity, but do not deal with a right to access it.
RunKeeper and Lose It’s disclaimers and privacy policies do not exclude the sharing of a user’s data. Even if Apple’s disclaimers and privacy policies are more stringent, providing protection against data sharing (for business decision or applicability of HIPPA guidelines — to be discussed in a subsequent article), users should be careful not to confuse such disclaimers or privacy policies that deal with privacy settings, users’ ability to control what data may be gathered, or users’ ability to control sharing of health data, in any way or form, providing them with a right or ability to access it.