Newsletter

With Health Apps on the Rise, Consumer Privacy Remains a Central Priority

February 2021

Privacy In Focus®

During the COVID-19 pandemic, many Americans have increasingly relied on digital health apps to manage their personal health and wellness. These apps include traditional telehealth apps through which patients can complete virtual visits with their medical providers, but they also include other apps that provide consumers with non-clinical resources to manage their health and wellness journeys. The total number of apps that are available for download is in the hundreds of thousands. Searching terms like “glucose tracker,” “calorie counter,” “fertility,” or “fitness plan” yields a lengthy list of options from which consumers can choose, and new apps are constantly being developed.

While convenience and functionality likely heavily influence consumer decision-making around the use of health and wellness apps, consumer privacy is potentially an overlooked consideration. Significantly, many health apps are not required to be compliant with the privacy and security requirements enumerated under the federal Health Insurance Portability and Accountability Act (HIPAA), as the apps often do not contain medical records held by a doctor’s office or other health care providers and affiliates. (Wiley’s data protection team has a handy primer on the scope and applicability of HIPAA.) With that said, mobile health apps may be subject to the less widely known federal Health Breach Notification Rule, which requires vendors of unsecured health information, including mobile health apps, to notify users and the Federal Trade Commission (FTC) if there has been an unauthorized disclosure of health information.

Even where federal law may be inapplicable, some state privacy laws provide protections to consumers that go beyond the protections outlined in HIPAA. So health and wellness app developers will need to exercise considerable care in ensuring that their apps comply with applicable state law and also meet federal regulatory expectations concerning the handling of personal information. Under the privacy laws of various states, including, for example, Texas, New York, and Massachusetts, any person or entity that obtains or stores protected health information (even if that person or entity is not a health care provider or affiliate) is required to implement certain privacy and cybersecurity controls designed to prevent the inadvertent disclosure of personal health information. In addition, certain states have passed (e.g., California) or are close to passing (e.g., Virginia) broad privacy laws that protect a wide range of personal information, including health information. 

With the California Attorney General’s settlement with Glow, Inc., in September 2020, and the FTC’s settlement with Flo Health, Inc., in January 2021, mobile app developers find themselves navigating a challenging regulatory landscape. The developers of these fertility health apps allegedly failed to honor the privacy commitments that they made to their consumers, and the settlements involve a range of significant monetary and injunctive relief provisions. In a blog post relating to the Flo settlement, the FTC provided five compliance tips to health app developers, and those are worth repeating. 

  • “When it comes to health information, wear kid gloves. Health-related apps can offer benefits to consumers, but only if companies clearly disclose how consumers’ personal information will be used and scrupulously substantiate the privacy claims they convey to consumers.”
  • “Your privacy representations must line up with how your app operates behind the scenes – and must stay in line over time.” 
  • “Consider third parties’ terms of service.”
  • “Live up to the standards you agree to when you choose to participate in a privacy program.” 
  • “Honor your privacy promises and exercise particular care when it comes to highly sensitive personal health information. Period.”

Health and wellness apps have substantially enhanced the ability of consumers to manage their health from their home, but app developers should avoid rushing an app into distribution before taking the steps necessary to implement strong controls to protect personal health information. To the extent that health information is shared with third parties, necessary disclosures should be clearly made to consumers and authorizations obtained, where required. 

© 2021 Wiley Rein LLP
