By: Haris Z. Bajwa JD & Iltifat Husain MD

In my last article dealing with Apple’s HealthKit and related Health app, I explored some of the fundamental privacy related issues around data in mobile health. While Apple hasn’t articulated their complete intentions regarding health data ownership and privacy, for widespread adoption of these apps as functional medical tools, it is important medical professionals and patients understand the implications of aggregating user data using mobile health apps.

This is especially critical now that Apple is actively planning on pairing their HealthKit platform with electronic medical records that cover tens of millions of patients.

Can health apps sell patient information to insurance companies?

There are currently no regulations within U.S. laws (and none internationally to the knowledge of the author) which limit the sale of data captured by health apps. With regards to legal mechanisms, there may only be two possible scenarios in which legal limitations on the use of aggregated health data may be imposed

1) A Health apps’ own privacy policies and disclaimers prevent sale of this information — this is trusting that the market(consumer) cares enough, which in turn would make the health app want to have a robust privacy policy.

2) If mobile health apps share information with medical provider then HIPAA privacy guidelines may prevent the sharing of patient information with third parties. For example, if Apple’s Health Kit ends up being a widely adopted health platform where a patient’s primary care doctor is reviewing a patient’s aggregated blood pressure results and making decisions based upon the results, then that person’s diagnoses, medication adherence, etc., may be protected under the ambit of HIPAA guidelines.

Health apps are more susceptible to selling patient information 

Developing health apps, marketing, storing aggregated data, providing analytics of aggregated data, and even publishing an app for it to be available on Apple’s App Store all have significant costs. Apart from a few enthusiasts or academics who may have a desire to positively impact public health, numerous other companies that develop health apps rightfully have an underlying desire to profit from their efforts.

Analogously, in the instances that Google and Facebook do not charge users for their various services, these companies profit from advertising revenue among other things. Similarly, many free apps that are downloaded for smart phones generally contain advertisements in order to generate revenue.

There is already a widespread understanding that “free” apps have the most downloads. When it comes to health metric tracking apps, since such a large part of them are social in nature — think FitBit’s massive social communities — it’s essential for these apps to attain the highest number of downloads to expand their respective “health communities”.

So in order to monetize on “free” apps, these companies have to figure out methods to create a revenue stream — but need to do so by making their apps free to download. We are in the infancy of health app adoption — but you can easily speculate a health app trying to sell herbal blood pressure remedies to a user whose app is showing a high trending blood pressure.

Whereas you can argue how benign that act is or is not, what about a health app selling that information to insurance or other analytic based companies. As we mentioned above — there is nothing currently holding this back from happening.

What about the disclaimers? Don’t Health Apps say they won’t sell your information to third parties? Does that hold up?

Not Really.

The strongest disclosure that health apps currently are making available generally [have] is stating: “won’t sell your data to third parties.” The disclaimer that a health apps “won’t sell your information” is limited to just that-selling, that is, a direct financial profit will not be gained with exchanging your health metrics.

For example, LoseIt, a popular weight loss health app’s privacy policy states:

“We may disclose your personal information… [i]n the event Lose It! goes through a business transition, such as a merger, being acquired by another company, or selling a portion of its assets, users’ personal information and Personal Diet Data will, in most instances, be part of the assets transferred.”

As an example, if an insurance company seeks to acquire LoseIt or forms a partnership with Loseit to analyze aggregated data to determine general health trends, users’ personal information may be transferred.

RunKeeper, another popular health app contains a similar provision for “Business Transfers” of users’ data.

This is not to suggest that LoseIt or RunKeeper are seeking such a transaction which would lead to transfer of an individual’s aggregated data to insurance companies because most of their revenue may be generated by providing targeted advertising-but the privacy policies leaves room for such a possibility.

Further, both companies have amassed millions of users data, behaviors, health metrics — if a big insurance player or big data company offered tens of millions or hundreds of millions to buy them — why would they say no?

Unless there are limitations in the partnership agreement between the insurance company and the health app on how the insurance company may utilize the shared data, the insurance companies will have the capability to utilize this data in whatever capacity they desire.

Accordingly, disclaimers not to sell patient data are not an end-all be-all protective mechanism.

Can health apps go back on their commitments regarding health data?

It is possible that after widespread adoption by users, the health apps may provide updated user agreements changing the privacy terms. If the new terms are accepted, unless a user’s health data has HIPAA implications, it is unlikely that there will be any legal protections for users to protect this data. The issue with health apps that update their privacy policies is that many health apps store users’ health metrics, and are used daily. Someone who has become reliant on such a health app which has all their information stored on that app will feel compelled to continue to use it.

In short — think of Facebook and how they have changed their privacy policies several times. If you’re not happy with a privacy policy change Facebook undertook, and wanted to leave, you could — but since their power is in their reach and size, you are more likely to accept the terms.

What can prevent such a change of user terms for sharing of a user’s personal data?

The biggest impediment for a health app to change their user terms may be market dynamics and public perception making it unlikely that health apps will cross the red-lines of explicit selling patient information to insurance companies.

Specifically, such transactions would increase the likelihood that many current users will stop using the health apps or such disclaimers may initially dissuade potential users from adopting the health app-directly impacting the financial bottom line by reducing the health app’s monetization abilities.

However, as we mentioned before, the value of several health apps isn’t necessarily in their everyday use — but the metrics and data they have already collected. Unlike Facebook, Snapchat, or Instagram — health apps gain value every single time you input a health metric as historical data could be used for various health data sets from research to medical trends.

A ticking time bomb

This inherent difference in health apps makes them a ticking time bomb. Right now, the only protection of patient health data is on the benevolence of the companies collecting the data — and history has shown that can be a scary proposition.

Haris Z. Bajwa JD is an intellectual property lawyer who has a special focus in medical devices and mobile health technologies.  This article solely represents Haris Z. Bajwa’s opinions and should not be taken as legal advice, and it does not represent his law firm.  If you would like to contact him for interviews or speaking engagements related to mobile health please contact him via LinkedIn or use the iMedicalApps contact page.