Friday, August 9, 2013

Privacy Rights and On Line Health and Fitness Apps

(Pix (c) Larry Catá Backer 2013)

I have been writing about important shifts in corporate approaches to the management of their employees, focusing on the use of eugenics programs as a means of achieving cost reduction and employee productivity objectives. Penn State University's effort, the "Take Care of Your Health" Wellness Rewards Initiative announced in mid-summer, is particularly interesting. In a move that is notable for an institution with a well-earned reputation for administration by benchmarking, this program presents a number of innovations in terms of formulation, scope and implementation that will likely prove influential if successfully imposed. Indeed, given the failure in 2010 of similar approaches at the University of Indiana, where the health survey portion of their eugenics program was dropped (see HERE), this new program is likely to be quite influential if successful and therefore worth careful study.

One of the more interesting features of this program, and one that has generated substantial concern among the objects of this "cost savings through social engineering" program, is the use of Internet-based third party providers both as a medical record keeper and as the instrument through which medical data on employees is mined for the benefit of the employer's financial objectives (grounded, of course, in a concern for the useful health of its employees). (Penn State, Frequently Asked Questions for the "Take Care of Your Health" Initiative, last updated Aug. 5, 2013).

This post considers both Penn State's official position that such an innovation poses little or at least manageable (as the University understands that term) risk for employees (whose damages, of course, the University may contribute to but will not bear) and the recent report from the Privacy Rights Clearinghouse, Privacy Rights Clearinghouse Releases Study: Mobile Health and Fitness Apps: What Are the Privacy Risks? (July 13, 2013).

(Pix (c) Larry Catá Backer 2013)

The University has taken the position that such innovative structural changes pose no risk to their employees:
WebMD and ICH are both contracted Highmark vendors and are bound to HIPAA and Privacy rules. Both projects were vetted with Highmark's Privacy, Security and Legal prior to implementation. Highmark has appropriate, direct contractual relationships with both parties, including executed Business Associate Agreements. Thus, both WebMD and ICH are required to comply with HIPAA, as well as the additional detailed privacy and security provisions contained in their vendor contracts with Highmark, when dealing with protected health information. View more information about WebMD's security and privacy policies at
The referenced link leads to a 3-page assurance statement provided by Highmark Health Services, a third party provider engaged by the University to help manage its benefits programs: "Important Information About Highmark Health Services and WebMD Health Services as of August 1, 2013." It assures its readers that it has included in its contract with WebMD one or more provisions requiring "strict compliance with federal laws and regulations applicable to Privacy and Information Security" (Ibid., p. 1). One assumes that in the absence of this provision WebMD's legal obligations would not be diminished, but that contractual provisions might provide employees some comfort and Highmark some assurance of the ability to make a claim against WebMD for any losses suffered for failure to comply with the federal law specified. The additional protection such a provision gives employees remains unclear, at best.

The Privacy Rights Clearinghouse study might provide some perspective, not for employers, whose rights are well protected by contract (to the extent of the bargaining power of the enterprise at least), but on the risks to employees. Some of the focus of the study might prove useful in evaluating the new arrangements among the University, Highmark and WebMD. The press release nicely summarizes the results of the study:

After studying 43 popular health and fitness apps (both free and paid) from both a consumer and technical perspective, it is clear that there are considerable privacy risks for users – and that the privacy policies for those apps that have policies do not describe those risks. However, these apps appeal to a wide range of consumers because they can be beneficial, convenient, and are often free to use.

Consumers should not assume any of their data is private in the mobile app environment—even health data that they consider sensitive. Users must weigh the benefits of the service with the realistic possibility that they are revealing information about their health not only to the app developer or publisher but also to third parties.

Of the free apps we reviewed, just under half (43%) provided a link to a website privacy policy. Of the sites that posted a privacy policy, only about half were accurate in describing the app's technical processes.

We performed a technical risk assessment to determine what data the apps collected, stored, and transmitted over the network. In other words, we “looked under the hood” to view the actual flow of personal information back to the app developer and to third parties.

Our findings:
-Many apps send data in the clear – unencrypted -- without user knowledge.
-Many apps connect to several third-party sites without user knowledge.
-Unencrypted connections potentially expose sensitive and embarrassing data to everyone on a network.
-Nearly three-fourths, or 72%, of the apps we assessed presented medium (32%) to high (40%) risk regarding personal privacy.
-The apps which presented the lowest privacy risk to users were paid apps. This is primarily due to the fact that they don't rely solely on advertising to make money, which means the data is less likely to be available to other parties.

Our tips for consumers:
-Research the app before you download it.
-Consider using paid apps over free apps if they offer better privacy protections.
-Make your own assessment of the app's intrusiveness based on the personal information it asks for in order to use the app.
-Assume any information you provide to an app may be distributed to the developer, third-party sites the developer uses for functionality, and unidentified third-party marketers and advertisers.
-Try to limit the personal information you provide, and exercise caution when you share it. If the app allows it, try the features first without entering personal information.
-Ask a tech savvy friend to help you determine what information an app is asking for, help you navigate settings, and potentially help you restrict the information an app gathers.
-If you stop using an app, delete it. If you have the option, also delete your personal profile and any data archive you've created while using the app.

We encourage mobile app developers to create products with privacy in mind and implement responsible information privacy and security practices. Most consumers lack the tools and knowledge to analyze data flows and security, so they have no way of knowing what is happening behind the scenes. Even if privacy and security practices are accurately detailed in a privacy policy, the average user has no way to decipher them. (Privacy Rights Clearinghouse, Privacy Rights Clearinghouse Releases Study: Mobile Health and Fitness Apps: What Are the Privacy Risks? (July 13, 2013)).
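The kind of "under the hood" assessment the press release describes, reduced to its core logic, as an added example that is not part of the blog post or of the PRC study: each observed connection an app makes is scored on whether it goes to the developer or to a third party, whether it is encrypted, and whether it carries personally identifiable fields. The app names, domains, field names and the low/medium/high rating rule are constructed assumptions for illustration, not the PRC's methodology.

```python
from collections import Counter

# Constructed sample of connections observed from three hypothetical apps.
# Tuple: (app, developer domain, destination host, TLS used?, fields in request)
OBSERVED_FLOWS = [
    ("StepTrack", "steptrack.example", "api.steptrack.example", True, ["email", "steps"]),
    ("StepTrack", "steptrack.example", "ads.adnet.example", False, ["device_id", "age"]),
    ("CalorieLog", "calorielog.example", "sync.calorielog.example", True, ["email", "weight"]),
    ("CalorieLog", "calorielog.example", "stats.analytics.example", True, ["anon_id"]),
    ("ZenSleep", "zensleep.example", "api.zensleep.example", True, ["sleep_hours"]),
]

# Fields treated as personally identifiable for this example (assumption).
PII_FIELDS = {"email", "name", "device_id", "age", "weight", "conditions", "location"}


def is_third_party(dev_domain, host):
    """A host is first-party only if it is the developer domain or a subdomain of it."""
    return not (host == dev_domain or host.endswith("." + dev_domain))


def assess_app(flows):
    """Rate one app's flows: high if PII leaves in the clear or reaches a third party,
    medium if there is any third-party or unencrypted traffic at all, else low."""
    reasons, level = [], "low"
    for _app, dev, host, tls, fields in flows:
        pii = sorted(PII_FIELDS.intersection(fields))
        third = is_third_party(dev, host)
        if pii and (not tls or third):
            level = "high"
            where = "in the clear" if not tls else "to third party"
            reasons.append(f"PII {pii} sent {where} {host}")
        elif third or not tls:
            level = "medium" if level == "low" else level
            reasons.append(f"{'unencrypted' if not tls else 'third-party'} connection to {host}")
    return level, reasons


def assess_all(flows):
    """Group flows by app and return {app: (level, reasons)}."""
    by_app = {}
    for f in flows:
        by_app.setdefault(f[0], []).append(f)
    return {app: assess_app(fl) for app, fl in by_app.items()}


def risk_summary(results):
    """Count apps per risk level, the way the study reports its 32%/40% split."""
    return Counter(level for level, _ in results.values())
```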

Also useful might be Privacy Rights Clearinghouse, Fact Sheet 39: Mobile Health and Fitness Apps: What Are the Privacy Risks? (July 2013). This might be the most useful information:

The table summarizes the highlights of our consumer-level findings about the quality of notice in the privacy policies of free and paid health and fitness applications, along with the availability of some user controls of information.
The acronym PII stands for "personally identifiable information."

The table compares free apps with paid apps on the following criteria:
-App has link to website privacy policy
-Notifies user that privacy policy does not apply to 3rd party links
-Notifies user that personal information made public is not protected
-Shares user-generated PII data with advertisers
-Shares aggregate (non-PII) data with marketers
-Uses anonymized (non-PII) data for analytics
-Contact info: developer's email address listed in policy
-Can opt out of developer/vendor sharing data with 3rd parties
-Can opt in to data sharing with 3rd parties
Most recent date of analysis: May 7, 2013

The most interesting finding was the use of aggregated data as a commodity that is then sold. The individuals whose data contributes to this product neither have the right to opt out of this aggregation, nor are they compensated for its use and exploitation. The use of aggregated employee information for university or university-partner money-making ventures might well be a subject of discussion among the members of the university community whose rights to personal autonomy appear to have been waived for them by the institution for commercial purposes. Also relevant is the authority of employees to opt out of vendor sharing. But these discussions appear unlikely to occur.

For more information about the PRC’s mobile medical apps study:
Consumer Guide, Mobile Health and Fitness Apps: What are the Privacy Risks?
Mobile Health and Fitness Applications and Information Privacy: Report to California Consumer Protection Foundation (the consumer-level report)
Technical Analysis of the Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications
HOW TO: Privacy-Aware Checklist for Mobile Application Developers
Evaluation of the mobile apps: data elements examined and questions asked of each app
Webinar summarizing the project methodology, findings, and tips (one hour)
