Skip to content

Healthcare App Data Sharing – Do’s and Don’ts

healthcare appBy: Steven Boyne

I recently wrote an article titled The Top Five Legal Concerns When Developing a Healthcare App, and I received some follow up questions, including technical queries about encryption and data sharing.  To answer these questions, it is important to understand the current Healthcare App state of affairs.  Various reporters, governmental agencies and privacy watchdogs have installed and monitored the flow of data from Healthcare Apps installed on smart phones.  These journals, articles and enforcement actions taken together provide a roadmap for Do’s and Don’ts for the sharing of data.

Almost all Healthcare Apps are free and have some disclosures about how they share your data, and both iOS and Android require the user to give permission to the newly installed App, but who really pays attention to that?  Almost no one.  However, this doesn’t mean that an App developer shouldn’t embrace best practices to avoid liability and bad press.

Do’s:

  • Minimize the amount of data you are gathering. For example, does the App really need geolocation data, or access to the owner’s contact list?  In short, don’t be lazy and just get access to everything on someone’s phone, you should target the type of data that you really need.  That way you don’t open yourself up to answering difficult questions from a regulator or reporter as to why you need to know if a person just visited a gas station.
  • Embrace encryption. Any data that is stored on a phone should be encrypted and make sure that any data transmitted from the App is encrypted.  A recent study indicated that 94% of data transmitted from Healthcare Apps is encrypted – so make sure that you are not the 6% that communicates to the world clear text.
  • If your App is sharing data with third-parties make sure that you have adequate protections built into your contracts to minimize your liability if the third-party has a breach, or fails to secure a person’s data. You should also consider further sharing of App data.
  • Think about hiring a third-party security company to audit your App and its actions.These types of audits can prove to be very useful if a regulator starts to ask some tough questions, especially if there has been a data breach.
  • Keep your App up to date. It is common for a company to spend a lot of time and effort to develop a state of the art App and then forget about it.  Today’s expectations for privacy and transparency maybe very different tomorrow.
  • Make sure that your privacy disclosure documentation matches what your App actually does, and when in doubt disclosure more information about your App than less.A well informed consumer is your best protection.

Don’t

  • Don’t share the data you capture unless you really have to. The more entities that have access to the user’s data, the greater the chances of some data breach or just losing control of a person’s private information.  When a person downloads an App there is an implicit level of trust, so don’t violate it.
  • Don’t initially develop an App that covers or offers a myriad of solutions to the user.Walk before you run.  There are many nuances and issues that you will face when you start an App project, so it is important to start small to limit the problems.  You can always add functionality as you build and understand what needs to be done on the backend of the App development.
  • Don’t develop an App without a thorough plan that includes where you are gathering the data from, where the data is going, what regulations might be impacted, and include people who have experience in the Healthcare App field.
  • Don’t roll out a newly developed App to the general public without a detailed and lengthy period of testing. Even giant companies like Apple make mistakes, and you want to make sure that you have thoroughly vetted the App before publishing it to the world.

Healthcare Apps are the future for transmitting healthcare related data and helping improve our lives, but they can also get you in trouble if you don’t design it correctly and develop appropriate corresponding disclosures.