Mobile app privacy practices scarce, lack transparency

Mobile healthcare application privacy policies are hard to find, those in place do not provide transparency on privacy practices, and more than half aren't focused on the software itself, according to a new study.

The research, published in the Journal of the American Medical Informatics Association, states that of the 600 most common apps, just 183 boasted a privacy policy. Of those policies, about two thirds, or 66.1 percent, did not address the software and sharing practices.

"Only a few privacy policies actually pertained to the app. The remaining privacy policies refer to Web pages unrelated to the app, state general privacy practices or even reference privacy practices of an entity entirely unrelated to the app," study author Ali Sunyaev, an assistant professor in the department of information systems at the University of Cologne, Germany, wrote in an email to FierceMobileHealthcare.

"Our findings show that currently mHealth developers often fail to provide app privacy policies. The privacy policies that are available do not make information privacy practices transparent to users, require college-level literacy, and are often not focused on the app itself," the study's authors said.

The research comes as data collection and sharing by mHealth device vendors is under scrutiny by lawmakers, regulatory agencies and privacy advocacy organizations. A New York senator recently called out wearable fitness band maker Fitbit for allegedly sharing data without users' knowledge. In addition, a recent FTC study reported that mobile health and fitness applications are sharing user data with third-party vendors, including device use and personal fitness information.

The Patient Privacy Rights group and the Center for Digital Democracy claim privacy protection has not kept pace with the mHealth devices that are collecting confidential data, as reported by The Washington Post.

The study's authors say the key finding is that mobile apps are being highly rated and sold in the market while privacy policies are either missing, too complex to understand or just plain irrelevant. They note that a community standard of not collecting personal data that isn't necessary for the app's central function would go a long way toward eliminating issues.

"For apps running outside of HIPAA covered entities, I doubt a regulatory body is necessary. Industry standards would go a long way toward ensuring robust privacy policies," Kenneth Mandl, a Harvard professor in the Boston Children's Hospital Informatics Program, told FierceMobileHealthcare in an email interview.

To learn more:
- read the abstract at JAMIA
