Data Privacy and Security
Unlike most traditional consumer health websites, on which information flow is unidirectional, from the page to the user, many apps collect personal information. This makes data privacy and security important considerations. While the concepts of privacy and security are related, they are not the same thing. Privacy is a legal term referring to how the data are collected, stored, and used and who is authorized to access data. For example, an app's privacy policy should state whether the data may be sold or transferred to third parties. Security is a technical term that describes how the data are protected from breach by unauthorized users (e.g., encryption).
The main US law that regulates how personally identifiable information should be protected in healthcare is the federal Health Insurance Portability and Accountability Act (HIPAA, 1996). As the law is decades old, interpreting its application to mobile health can be challenging. Moreover, HIPAA applies only when personally identifiable information is stored or managed by “HIPAA-covered entities,” such as healthcare organizations and insurance companies, so developers need to take care to determine whether their tool’s information operations are addressed by HIPAA or any other relevant laws.
Privacy and security of mobile health apps remain a concern. While the Federal Trade Commission recommends that mobile health apps have privacy policies that are easy for users to read and understand, the large majority of apps do not have such policies at all (Kao & Liebovitz, 2017). Moreover, not much attention is given to the readability and comprehensibility of the policies, or to whether users even read them rather than scrolling through them and checking off the agreement box.
When it comes to personal health information, security considerations are of paramount importance. Data breaches may result in privacy loss and identity theft for consumers and significant reputation and financial losses for healthcare organizations behind the apps (Adu et al., 2018). While overall data breaches in healthcare records are going down significantly, apps represent new technology that may be more prone to hacking (Bitglass, 2018). Data hacking incidents are common in healthcare. While a review of technology for ensuring app data security is beyond the scope of this chapter, security considerations should be part of the design process from the start. For a discussion of privacy as an ethical consideration in CHI work, review Part II: Chapter 11.