Where Do Our Data Go?

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure #HCdeJure

Mobile applications in the health and wellness field represent an ever-growing segment of the mobile application market. Interest in such apps is high as individuals seek to improve their own health and as consumer wearable devices become more common. In all of these instances, ever-growing amounts of data are being generated. What is happening to all of that data? The response may surprise some, but really should not be all that unexpected.

What is Collected?

The data collected by a particular app will depend upon the permissions sought by each app or the nature of the device. The expectation though should be that the data include personal details and new health-related data generated through use of the app. The details about each individual user will be collected, stored, and potentially transmitted by the app. Since the apps being discussed are targeted to health and wellness, it is fully expected that relatively private and sensitive information about each individual is being collected.

Diving a little deeper, the data could be weight, blood pressure, biometric readings, health tracking, or any other varieties of information. The scope of data can easily be used to create a number of predictive models or assumptions about the individual. As is implied, the breadth of the data can cover all aspects of an individual’s life. Since those details can be quite intimate, the expectation may exist that the data will be protected. How are the data collected though?

What About Privacy?

As noted, the details about an individual can be quite broad and in-depth, but what about the privacy of that data? The specific nature of the app will generally help determine what statutory and/or regulatory protections apply beyond the privacy policy set out by the app developer. Considering the privacy policy in isolation, the terms of such policies are usually relatively common and consistent across all platforms. The terms allow collection of data for purposes of running the app or that may be needed by the developer. The scope of data may not necessarily align with what is thought to be needed, but then again the terms of the privacy policy are also not negotiable.

While it may appear there are no restrictions on what can be collected, the different app stores run by Apple, Google, and others are starting to impose restrictions. The stores try to limit the data to what is absolutely needed to run the app rather than allowing everything to be collected. However, when it comes to a health and wellness app, the data to be collected is likely to be quite broad. So long as the data to be collected are identified and the uses are set out in the privacy policy, the app developer will often avoid concerns around allegedly unfair and/or deceptive business practices that could be subject to enforcement by the Federal Trade Commission.

In addition to personal details, privacy policies typically permit collection of data phrased as non-personal information. Non-personal information may include general information about a device or cookie-related information. That data can accumulate to create a picture about use of the particular app. Again, the privacy policy will identify what data are collected and, at least theoretically, how they will be used.

Privacy Regulations

Do privacy regulations offer protection beyond the privacy policy? The answer to that question is driven by the nature of the app and the target audience.

HIPAA?
HIPAA, the often-cited law and regulation that sets out privacy expectations in healthcare, does not regulate all healthcare data. The growth of many consumer-directed tools revealed the limits of what HIPAA can address. HIPAA only applies to data that are held by covered entities, business associates of covered entities, and subcontractors of business associates. App developers and wearable companies will often fit the role of a business associate, if and when HIPAA is applicable. From a very high-level perspective, becoming a business associate requires the performance of activities on behalf of a covered entity. If the developer acts for itself, then it most likely does not fit into this role. While that is a very slim glimpse of the picture, it can help to set expectations. For example, Apple, when selling an Apple Watch direct to a consumer, or an application in the App Store going directly to a consumer with no interaction with a healthcare organization, will not be a business associate and HIPAA will not apply.

Contrast that outcome with a remote patient monitoring (RPM) application that a physician has a patient install to collect data. In that instance, the app developer of the RPM solution will be working with the physician, and all data collected from the patient will be sent to the physician to help with delivery of healthcare services. In this relatively clear-cut example, the RPM app developer is subject to HIPAA and the attendant privacy protections.

Reality is often less clear and contains a lot of blurry edges. The blurry edges necessitate taking a step back to consider the situation before jumping ahead.

State Privacy Laws?
A more nuanced discussion is being generated by the increasing number of broad-based state privacy laws. The newer state privacy laws, exemplified by California and Virginia, are designed to reflect the presumptively comprehensive privacy scheme that Europe adopted with the General Data Protection Regulation. The aim of the laws is to impose privacy obligations across use cases, including vesting more rights in individuals. The laws are purposefully designed to be industry agnostic and aim to restore what are perceived to be lost privacy rights.

Despite the lofty aims of the new laws, coverage is still not automatic. The laws often include thresholds to be passed before an entity will be subject to the requirements. Additionally, there can be carve-outs from compliance if compliance with another privacy law or regulation is required (HIPAA is the primary example, which may help the situation). The new laws may add language to the privacy policy, but the follow-on question is how easy organizations make it for individuals to exercise the rights afforded to them. The answer to that question is likely not as easy as would be preferred or expected.

What Does It All Mean?

With the swirling forces in play, understanding the privacy associated with every application and device is left up to the individual. Reading the privacy policy, teasing out what regulatory schemes apply, and thinking through the consequences are part of the issues to consider. The list can be fairly comprehensive and difficult to work through. Further, the only available response to a concern is likely to not use the app or device. It is a really sharp contrast of options and one that may not leave individuals feeling very happy.

Movement is seemingly occurring to bring privacy as a fundamental back into systems with new policies from companies running app stores and operating systems. However, those solutions require trust in another company and that its intentions remain consistent over time, which cannot reasonably be a solid foundation. More public concern and comment may be able to help as user behavior is an important influencing factor.

For the time being, the most important step is for individuals to go into situations with eyes wide open. That may call for taking the time to slow down and not just click through agreements, but look at what is happening. When something feels off or suspicious, go with that feeling and ask questions. If data continue to be freely given away, no change will happen.

This article was originally published on The Pulse blog and is republished here with permission.