Developing a Health App? Here’s How to Focus on Privacy

Here’s how app developers can prioritize privacy for health apps.

April 4, 2023

We’re living in the Age of Apps. These days, more people are using health apps for everything from symptom diagnosis to fitness tracking to mental health management. In an age where our health apps track our every move, William Bates, SVP of engineering at Ilumivu, discusses how app developers can keep privacy at the front and center for health apps. 

But even as the use of health apps increases, users are growing concerned about privacy and data risks. Health app developers may claim to have their users' best interests at heart, but many nonetheless put features, and monetization, ahead of their users' data privacy.

Gone are the days when users were less concerned about privacy, or when the principles behind regulations such as HIPAA were expected only of certain types of health apps. In today's world, if you are developing a health app, it is crucial to prioritize privacy and to integrate it into every aspect of the app's development.

Health apps, more than any other kind of app, need special consideration since they deal with sensitive personal information about an individual's well-being. Imagine your users finding out that their sensitive information is being shared with over 100 third parties, advertisers among them, a real scenario reported by The Washington Post. That naturally leads to a loss of trust and of business.


Privacy Should Be the First Thought

In the realm of health apps, privacy cannot be an afterthought. HIPAA applies only to covered entities (such as providers and insurers) and their business associates, so it does not extend to consumer health apps like WebMD and Calm; the personal health data those apps hold is no less sensitive for that, and it should be protected from third-party advertisers.

Research from the Pew Research Center shows that privacy policies are still nearly impossible to parse: fewer than one in ten consumers read them. This is not their fault. One Washington Post journalist found that reading all the privacy policies in his life, put together, would take an estimated 55 hours.

However, the landscape is shifting, and awareness is rising. Today, when Meta gets caught receiving health data from hospitals, it makes the news. We are seeing more legislation intended to protect and enforce user privacy. For example, one California law now prevents apps from using "an inferred or diagnosed mental health or substance use disorder" for purposes other than providing care, meaning that if your app collects data about mental health or addiction, you cannot sell it to advertisers.

Most importantly for developers of health apps, users care more. They are more aware of the value of their digital privacy, and they are actively choosing companies that safeguard it.

Prioritizing Privacy

The default position of most mobile apps, including health apps, is to take liberties with their users' data: they collect more data than they need, the publishers sell it with no regard for their users, and neither is transparent with users about how that data is being used or by whom.

There is also the issue of data safety. Attackers value health data above almost any other kind: on criminal markets, medical records sell for more than Social Security numbers. This is because, to an attacker, a medical record is a one-stop shop. It contains contact information, Social Security numbers and sometimes even payment information, so a single breach yields everything needed for identity theft and fraud. Health app developers therefore need to be especially vigilant about security.

I know better than most that data is a double-edged sword. Without collecting data, your app may not provide much value to users. However, it is equally crucial to protect that data, as any slip-up can lead to a loss of user trust and to regulatory scrutiny.

1. Adhere to regulations

Today's legal landscape on data privacy is evolving quickly, and there is no single blanket rule to follow: the United States has a patchwork of overlapping state and federal regulations.

Luckily, the FTC seems aware that it is tricky to stay on top of all these laws and regulations. It has created a useful interactive flowchart tool that walks you through which laws apply to your app (HIPAA, the FTC Act, the FTC's Health Breach Notification Rule and COPPA, among others). We at Ilumivu used the tool to confirm that, as we suspected, some of the apps we helped produce were covered by a patchwork of those acts and rules.

Of course, this is not a one-and-done process. Check back with the tool regularly to stay up to date with ever-evolving local, regional and national legislation. And, if the value of the risk reduction outweighs the cost of hiring, consider bringing on a compliance officer to help keep you up to speed.

2. Be transparent with your users

"Transparency" is a common buzzword these days, but some major companies do not seem to know what it means. I was disappointed, though not surprised, to learn that Facebook's privacy policy, when scored on the Lexile readability scale, was only marginally easier to parse than philosopher Immanuel Kant's infamously dense "Critique of Pure Reason."

The consulting director of privacy at the Stanford Center for Internet and Society, Albert Gidari, suspects that this obfuscation is deliberate, ensuring that "[users] are confused into thinking these are there to inform users, as opposed to protecting companies." If you want to steer clear of such accusations, write a clear and readable explanation of how you collect, store, share and use user data.

Last but certainly not least, inform users about the data you collect from them both when they download and first use your app and at the moment the data is collected. The latter is known as a "just in time" notice; notice at or before the point of collection is required by the GDPR and by California's CCPA (the California Consumer Privacy Act). Google Play also requires you to declare this information in your app's Data safety section and to keep it current as your app changes. Even if you do not fall under those regulations, adopt the practice anyway: it prepares you for future regulations in other regions and countries, especially as your business grows or your app begins handling data on behalf of HIPAA covered entities.

3. Invest in security

It is often well worth the investment to hire the expertise needed to build security into your code, or to buy an off-the-shelf technology that does it for you. Remember, your users are trusting you with their sensitive health data. The least you can do is reward that trust with security at every layer of your application.

I probably do not need to tell you that it is a good idea to test your mHealth app's security measures and controls before launching or releasing any update. This type of testing requires specialized knowledge, but do not use that as an excuse to skip it: engage outside testers if you lack the skills in-house, and for the hard parts, such as encryption, prefer proven off-the-shelf tools and libraries over home-grown code.

Educational tools are also available if you are unsure how to start. For instance, a study that tested the security of mHealth apps found that 70% of the most popular ones had critical security issues; the checklist approach it proposed is a good starting point, as is the OWASP Mobile Application Security Verification Standard (MASVS).

4. De-identify data

If your app falls under HIPAA, de-identification is the route by which health data leaves the Privacy Rule's restrictions; it is also simply good practice for any health app. Under HIPAA, protected health information is any individually identifiable data about a person's past, present or future physical or mental health, the care they have received, or payment for that care. De-identification removes the identifiers that tie such data to a person.

De-identification means that nobody looking at the data could tell whose it is. HHS recognizes two methods for de-identifying data under HIPAA: expert determination and safe harbor.

Expert determination involves having a qualified expert evaluate your de-identification process and confirm that it meets the requirements of the HIPAA Privacy Rule. The expert must have appropriate knowledge of and experience with statistical and scientific methods for de-identification, must determine that the risk of re-identifying an individual from the data is very small, and must document the methods and results. Once the expert has made that determination, the data is no longer protected health information, and you can use it for research or other purposes without individual authorization.

Safe harbor, on the other hand, is a method where you remove 18 specific identifiers from the data (names; geographic units smaller than a state, including street addresses and ZIP codes beyond the first three digits; all date elements except the year; phone numbers, email addresses, Social Security, medical record and account numbers; device identifiers, IP addresses, biometric identifiers and full-face photographs, among others) and you have no actual knowledge that the remaining information could be used to identify the individual. If you follow the safe harbor method correctly, you are deemed to have met the HIPAA de-identification standard and can use the data for research or other purposes without individual authorization.

While both methods achieve HIPAA de-identification, expert determination offers more flexibility: with a documented, very small re-identification risk it can allow you to keep elements that safe harbor would strip outright, such as full dates or finer geography, which matters for longitudinal or location-sensitive analysis. The trade-off is that an expert determination is typically more time-consuming and costly than the safe harbor method.
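As an added example, not code from the original article or from Ilumivu, here is a safe harbor-style de-identification routine in Python that applies the rules above to a flat patient record: it drops direct identifiers, keeps only the year of dates, pools ages of 90 and over (and withholds the birth year in that case, since the year alone would reveal the age), and truncates ZIP codes to three digits. The record layout and field names, the set of restricted ZIP3 prefixes, the sample record and the free-text patterns are all assumptions for the demo; the regexes are a stand-in for a proper PHI text scrubber, not a complete one.

```python
"""Safe harbor-style de-identification for a flat health record (added example).

Illustrative code, not Ilumivu's or HHS's. It applies the rules of the HIPAA
Safe Harbor method (45 CFR 164.514(b)(2)) to a dict: direct identifiers are
dropped, dates are reduced to the year, ages of 90 and over are pooled, and ZIP
codes are cut to three digits. Field names, the restricted ZIP3 set and the
free-text patterns below are assumptions for the demo.
"""
import re
from datetime import date

# Safe harbor identifiers that have no generalized form and are simply dropped.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Safe harbor keeps the first three ZIP digits only if that ZIP3 area holds more
# than 20,000 people; otherwise the ZIP becomes 000. The authoritative set comes
# from current census data; this subset is an assumption for the demo.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "821", "893"}

AGE_CAP = 90  # ages 90+ (and any date element revealing such an age) are pooled

# Assumed patterns for scrubbing free text. A real deployment needs a dedicated
# PHI text scrubber; regexes alone miss names and many other formats.
_SCRUB = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]
_ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")


def generalize_zip(zip_code: str) -> str:
    """Return the ZIP3 prefix, or 000 for sparsely populated areas."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text: str) -> str:
    """Replace identifier-like substrings; keep only the year of ISO dates."""
    for pattern, tag in _SCRUB:
        text = pattern.sub(tag, text)
    return _ISO_DATE.sub(lambda m: m.group(1), text)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply safe harbor to one record. Keys not listed above are treated as
    clinical data: dates become years and strings are scrubbed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age >= AGE_CAP:
                # Edge case: at 90+ even the birth year would reveal the age,
                # so safe harbor allows only the pooled bucket.
                out["age"] = f"{AGE_CAP}+"
            else:
                out["age"] = str(age)
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[key] = str(value.year)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample records and reference date; no real person is described.
AS_OF = date(2023, 4, 4)
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "dob": date(1931, 3, 14),
    "zip": "03602",
    "admitted": date(2023, 1, 9),
    "notes": "Hypertension; follow-up call 555-867-5309 on 2023-02-01",
    "heart_rate_bpm": 72,
}
SAMPLE_RECORD_YOUNG = {"dob": date(1990, 5, 20), "zip": "94110", "weight_kg": 70.5}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    print(deidentify(SAMPLE_RECORD_YOUNG, AS_OF))
```

Run stand-alone, it prints the two de-identified samples. The 90+ branch is the one most often missed in home-grown implementations: safe harbor's rule on ages over 89 covers every date element that would reveal such an age, the birth year included. Note also that safe harbor's second condition, that you have no actual knowledge the remaining data could identify the person, is a judgment the code cannot make for you; a rare diagnosis or an unusual detail in free text can still single someone out.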


5. Let users choose if and when to delete

If you want to comply with data privacy regulations such as the GDPR and the CCPA, you will need to do this anyway: allow users to request the complete deletion of their app data, without having to give a reason, at any time of their choosing. Both laws carve out limited exceptions (for example, records you are legally obliged to retain), but those are the exception, and the default should be that the data goes.

This not only reflects good data privacy and security practice, but also builds trust and confidence with your user base. Giving users choices about their data empowers them. In practice, "complete" means every copy: the primary database, analytics and logging pipelines, backups within their retention window, and any processor or partner you have shared the data with. As more governing bodies adopt similar regulations, offering such an option will become increasingly essential.

Make Your App Best-in-class

Regulations and consumer expectations are constantly changing. And while it may be tempting to do the bare minimum, going above and beyond is how you will gain your users’ trust. If your app does not fall under HIPAA’s regulations, follow them anyway. If your app does fall under HIPAA regulations, do not just follow them to the letter. Rather, take additional security and privacy measures where possible. Think of how you would want any other app to protect your data.

Consumers deserve access to better privacy while legislation and regulations work to catch up. It is your job and your responsibility to give them just that.

How are you protecting the privacy of your app users? Share your learnings with us on Facebook, Twitter, and LinkedIn. We'd love to hear from you!


William Bates
William Bates leads and directs the Ilumivu software development teams. Ilumivu provides healthcare decision-support applications using real-time data from smartphones and standard smartwatches.