A recent study published in the Journal of the American Medical Association has found that a majority of diabetes medical apps are sharing personal data without disclosure or explanation.

Privacy & data security are not new issues when it comes to medical apps. Prior studies have raised concerns that personal information isn’t being adequately protected. And most medical apps aren’t subject to HIPAA, avoiding more stringent oversight and requirements.

In this study, researchers from the Illinois Institute of Technology looked at a total of 211 diabetes apps. For 65 apps they did a more detailed analysis of data transmission, while for the remainder they looked only at the apps’ privacy policies.

Consistent with other studies, privacy policies were rare – only 19% (41 apps) actually had one. And of those 41 apps, only 4 stated explicitly that they would ask for permission before sharing data. And yet, many apps could access sensitive data on the smartphone – for example, 17.5% of apps collected location data, 11% could access the camera, 6% could read user contacts, and 4% could record audio.

In the more detailed analysis of the 65-app subset, the majority (86%) placed tracking cookies. The majority (~75%) also shared data with third parties; of note, among the apps in that subset that had privacy policies (19), nearly half didn’t disclose that fact either. The remainder of the apps that share personal data didn’t even have a privacy policy to explain why.
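The transmission analysis described above boils down to two questions a reviewer can ask of an app’s network traffic: which requests leave the developer’s own domain, and which responses set tracking cookies. The script below is an added illustration of that kind of audit and is not code from the study or from any app vendor. The app names, hostnames (`.test` placeholders), cookie-name prefixes and the list of field names treated as sensitive are all constructed assumptions for the example; a real review would use captured traffic from the device and a maintained tracker list.

```python
"""Audit constructed app-traffic records for third-party sharing and tracking cookies.

Added illustration only: the app names, hosts, fields and cookies below are constructed
sample data, not findings from the JAMA study or any real app.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed first-party domain of a hypothetical diabetes app (placeholder, not a real vendor).
FIRST_PARTY = "example-diabetes-app.test"

# Field names treated as sensitive health/personal data (assumption for this example).
SENSITIVE_FIELDS = {"glucose", "insulin_dose", "lat", "lon", "email", "device_id"}

# Cookie-name prefixes treated as tracking cookies (assumption; real lists are far longer).
TRACKING_COOKIE_PREFIXES = ("_ga", "_fbp", "__utm", "_track")


@dataclass
class Request:
    app: str                 # which app produced the request
    url: str                 # destination URL
    fields: dict             # body/query fields sent
    set_cookie: list         # Set-Cookie headers in the response


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels (good enough for the sample hosts)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_third_party(url: str, first_party: str = FIRST_PARTY) -> bool:
    """True when the request leaves the developer's own registrable domain."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) != registrable_domain(first_party)


def is_tracking_cookie(set_cookie_header: str) -> bool:
    """Classify a Set-Cookie header by its cookie name prefix."""
    name = set_cookie_header.split("=", 1)[0].strip()
    return name.startswith(TRACKING_COOKIE_PREFIXES)


def audit(requests: list) -> dict:
    """Per app: third-party hosts, sensitive fields sent to them, tracking cookies set."""
    findings = {}
    for r in requests:
        f = findings.setdefault(r.app, {
            "third_party_hosts": set(),
            "sensitive_to_third_party": set(),
            "tracking_cookies": set(),
        })
        host = urlparse(r.url).hostname or ""
        if is_third_party(r.url):
            f["third_party_hosts"].add(host)
            f["sensitive_to_third_party"].update(k for k in r.fields if k in SENSITIVE_FIELDS)
        for c in r.set_cookie:
            if is_tracking_cookie(c):
                f["tracking_cookies"].add((host, c.split("=", 1)[0].strip()))
    return findings


def summarize(findings: dict) -> dict:
    """Headline percentages in the same shape as the study's findings."""
    n = len(findings)
    sharing = sum(1 for f in findings.values() if f["sensitive_to_third_party"])
    tracking = sum(1 for f in findings.values() if f["tracking_cookies"])
    return {
        "apps": n,
        "share_sensitive_pct": round(100 * sharing / n) if n else 0,
        "tracking_cookie_pct": round(100 * tracking / n) if n else 0,
    }


# Constructed sample traffic for four hypothetical apps.
SAMPLE = [
    Request("AppA", "https://api.example-diabetes-app.test/sync", {"glucose": 112}, []),
    Request("AppA", "https://analytics.tracker-example.test/c",
            {"lat": 41.8, "lon": -87.6}, ["_ga=GA1.2.1; Path=/"]),
    Request("AppB", "https://api.example-diabetes-app.test/sync", {"glucose": 98}, ["session=abc"]),
    Request("AppC", "https://ads.adnet-example.test/pixel", {"email": "user@example.test"}, []),
    Request("AppD", "https://api.example-diabetes-app.test/sync", {"insulin_dose": 4}, []),
    Request("AppD", "https://cdn.tracker-example.test/beacon", {"v": 1}, ["_fbp=fb.1.1; Path=/"]),
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for app, f in sorted(report.items()):
        print(app, f)
    print(summarize(report))
```

The point of the split between `is_third_party` and `is_tracking_cookie` is that the two findings in the study are independent: an app can set tracking cookies without sending health data off-domain (AppD above), or send personal data to a third party with no cookie at all (AppC).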

Privacy & data security are a growing concern with apps in general but medical apps in particular given the potential sensitive nature of the data being collected. Many clinicians and consumers mistakenly believe that the same protections that apply to their medical records apply here.

Privacy policies are often the only way to know what is being collected & how it’s used. However, this study highlights the fact that a privacy policy is only as good as the developer is honest. And while third-party confirmation of the privacy policy terms as well as general data security would be nice, the experiences of Happtique and the National Health Service in the UK showed us how hard that can be to do.

For now, this study highlights the importance of consumer due diligence, which is easier said than done. Absence of a privacy policy in an app, particularly one that collects health data, should be a big red flag. Visiting the app’s website can also be useful – it’s surprising how many of those links in the app store go to random webpages or are simply broken.