FTC Wants to Know Apple’s Plans for Users’ Health Data
Earlier this year, Apple unveiled its HealthKit data platform as part of iOS 8. The platform allows separate iOS-based health apps to share data with each other in order to provide a more comprehensive portrait of a user’s overall health. One of the advantages of using apps that are plugged into HealthKit is that healthcare providers will be able to quickly and easily access patients’ latest medical data. However, HealthKit has also sparked concerns that the information it stores could be exploited by advertisers and other third parties who might use the sensitive health data for marketing purposes.
Now it appears that those concerns have reached the U.S. Federal Trade Commission. According to unnamed sources cited by Reuters, the FTC has reached out to Apple about making sure that the sensitive data collected by health apps and stored in the HealthKit data platform is not shared with third parties without the user’s consent. Per Reuters’ sources, representatives from the federal agency and Apple have had multiple meetings about this issue over the past several months. The FTC’s increased interest in Apple’s mobile health market plans appears to be related to the upcoming debut of the Apple Watch, a device that includes an accelerometer and a built-in heart rate sensor. While the Apple Watch has fewer health and fitness tracking sensors than many other fitness bands, Apple has already announced multiple apps for the wrist-worn device that will keep track of a user’s activity and exercise habits. The FTC wants to make sure that this data is only accessible to parties that are authorized by the user.
Earlier this year, FTC commissioner Julie Brill shared some of the agency’s concerns about the burgeoning mobile health market during a Tech in Policy event hosted by The Hill. “We did a study of about 12 devices and apps and it turned out about 76 entities were receiving information off these apps and devices,” said Brill, according to MobiHealthNews. “And it wasn’t just things like UDID [the iPhone’s unique identifier] and geolocation and whatnot. That was being collected, but it was also information about the consumer’s health. One was a pregnancy app and it was the time in which the woman was ovulating, and it was being collected by third parties.”
It should be noted that Apple is not the only tech company focused on the mobile health market. At the I/O conference earlier this year, Google announced Google Fit, a fitness and health tracking platform that is similar to Apple’s HealthKit. Samsung also recently launched its own health data platform called SAMI, or the Samsung Architecture Multimodal Interactions, that will serve as a repository for health data collected from its various wearable tech devices and health-tracking apps. In the comments Brill made at the Tech in Policy event in July, it was not clear which platform the “12 devices and apps” she cited originated from.
However, one of the issues with the health data collected by any platform’s mobile health apps is that although it may be sensitive data, not all of the data is necessarily covered by the Health Insurance Portability and Accountability Act (HIPAA) privacy rules. As noted by Brill, the lack of privacy protections for health data that falls into this gray area could expose some consumers’ private data to other parties besides their healthcare providers.
“I think the concern is when it’s not just your clinician who’s seeing that information, because before it gets to your clinician, it gets outside of HIPAA, outside of that silo,” stated Brill via MobiHealthNews. “Instead what we’re seeing is information through a third party communicating that you have diabetes, you have high blood pressure, and this is some information that goes into a profile about you. I think that’s a critical distinction between when you’re in a trusted environment and when you’re outside one, and your example is precisely what I’m talking about. It’s very sensitive health information. That information is going to be highly sensitive and we need to be very cognizant of how that environment is structured.”
For its part, Apple has assured its users that their health data will only be shared with apps and parties that they authorize. “We designed HealthKit with privacy in mind,” Apple spokeswoman Trudy Muller told Reuters. According to Apple’s App Store review guidelines, “Apps may not use user data gathered from the HealthKit API for advertising or other use-based data mining purposes other than improving health, medical, and fitness management, or for the purpose of medical research.” Apple also promised to reject any apps that “share user data acquired via the HealthKit API with third parties without user consent” or “store users’ health information in iCloud.” The security of Apple’s iCloud was called into question earlier this year when hackers were able to obtain the private photos of various celebrities, which may be why Apple is refusing to allow health data to be stored there.
Finally, Apple may also soon be implementing even more stringent privacy measures for its users’ health data. According to Reuters’ sources, Apple is considering hiring a “health privacy czar” who will ensure that all HealthKit-powered apps comply with its privacy policies. It should be noted that Apple’s regular apps already have a reputation for quality thanks to the company’s policy of vetting all apps that appear in its App Store. For these reasons, when it comes to safeguarding users’ health data, it appears that Apple may have already resolved many of the FTC’s concerns.
Follow Nathanael on Twitter @ArnoldEtan_WSCS