Data protection and the problem with health apps

Personal medical information is protected, but things are slowly starting to change…

I’d be the first to tell you I love my Fitbit.

I love the easy convenience of it; the reminders it gives me to get up and move around when I’ve been squinting at a monitor for too long, looking at spreadsheets. I like the way it lets me know if I got a good night’s sleep, and I enjoy the smug little thrill of completing my set steps for the day. It’s a useful, enjoyable tool, that makes me more aware of what I’m doing with my health and exercise.

Fitbit is, of course, one of a number of health-related trackers and apps. The market is huge: in the US alone, it is worth an estimated $1.3 billion, and still growing.[i]?Companies are trying to vie with one another in a busy environment, to provide the most useful, convenient and accurate service they can for users.

However, following the American Supreme Court’s decision to overturn Roe v Wade, I started to think about how, exactly, these apps deal with our data.

Period tracking apps, for example, are now in danger of being used in prosecutions by states that are cracking down on abortion. A recent bill introduced by Democrats had tried to negate this risk[ii], but it was swiftly thwarted by Republicans.[iii]?Medical data in the US is protected by HIPAA, but health data on apps isn’t. The bill that was introduced would have addressed the sharing and selling of sensitive data collected by apps, protecting users with greater privacy laws.

In contrast to HIPAA and the US, things in the EU are a bit better[iv]. Under the governances of GDPR, health apps do have an obligation to process data fairly and transparently. Apps are also required to delete user data at the point consent to process information is withdrawn.[v]?But the issue is, although GDPR calls for a fair and transparent privacy policy and processing of data, often users won’t bother to read the information provided before signing up. Sometimes, people don’t worry about what they have agreed to.

But is it just apps we should worry about?

Not really, no.

Under EU law, medical records are strictly protected under the GDPR. In the UK, similar provisions are in place through the Data Protection Act (2018)[vi]. Both outline very specific criteria that must be met, in order to disclose confidential patient information from records, even to police[vii].

However, recently in the UK things have started to change. Firstly, wider sharing of patient information across the NHS and local care services has been introduced[viii]. As long as there are proper safeguards in place, I’m actually of the opinion this is a good thing. It affords patients proper care, with accurate records and vital information in place.

Unfortunately, that’s where the good news ends.

The NHS has also introduced sharing data from personal records for planning and research. While the data is anonymised for outside organisations, patients can still be identified via decryption from the NHS in specific circumstances. The NHS outlines that this wouldn’t happen ‘unless in the circumstances of any specific request it is necessary for it to be provided in an identifiable form’[ix]. They don’t mention what this may be. Interestingly, they also note that although they do not sell patient data, they do apply charges for delivering the data.

There are, of course, safeguards in place, and NHS Digital is transparent in which organisations it releases information to.?

But all this aside, NHS Digital has effectively introduced a system that – much like health apps – is collecting your personal health records and providing it to third parties, for research or other purposes.?

And patients have to opt?out?of this, otherwise consent is implied.

In the end, does it matter?

The truth is, yes. It does matter. Apps collecting sensitive health information – which could be used to prosecute you – and the release of records within the NHS are a worry. In terms of releasing collected medical records – anonymised or no – it runs the risk of patients not being honest with healthcare providers. This can delay treatment or misinform diagnoses.?

With apps it’s more difficult – users voluntarily sign up to services that may have different levels of data protection. Although guidelines are clear in Europe, the lines are still blurred when it comes to where your data can end up and why. Further afield – most notably at the moment in America – your information has the more ominous possibility of being used against you. Perhaps particularly, right now, if you’re a woman using a period tracking app.

Nobody is wrong to use a health app. I’m certainly not giving up my Fitbit any time soon. But I think we do all need to be careful. There isn’t a ‘one size fits all’ outcome here. Everyone should use apps in whatever way they feel best.?

But on the back of medical records slowly becoming more readily available to outside agencies too, we are moving toward a world where the personal status of your health is not as private as it once was.

And it’s up to you to decide how comfortable you are with that.?

[i]?Straits Research,?Fitness App Market, 23.02.23

[ii]?Mizelle, S.,?Washington state bill would make period tracking apps follow privacy laws…, 18.01.23

[iii]?Luscombe, R.,?Virginia governor blocks bill banning police from seeking menstrual histories, 16.02.23

[iv]?Extra Horizon,?GDPR and HIPAA for digital health apps…, 01.06.21

[v]?European Commission,?Privacy code of conduct on mobile health apps, 07.06.22

[vi]?ICO,?Health Data, 27.03.23

[vii]?NCA,?Police information requests to NHS organisations…, 01.03.23

[viii]?NHS England,?Joining up health and care data, 26.02.23

[ix]?Healthwatch,?Is the NHS sharing your data? What you need to know, 31.08.21