In a study appearing in the March 8 issue of JAMA, Sarah R. Blenner, J.D., M.P.H., of the Illinois Institute of Technology Chicago-Kent College of Law, Chicago, and colleagues examined the privacy policies of Android diabetes apps and the sharing of health information.
One-fifth of smartphone owners had health apps in 2012. Health apps can transmit sensitive medical data, including disease status and medication compliance. Privacy risks and the relationship between privacy disclosures and practices of health apps are understudied. For this study, the researchers identified all Android diabetes apps by searching Google Play using the term diabetes, and collected and analyzed privacy policies and permissions. The authors installed a random subset of apps to determine whether data were transmitted to third parties, defined as any website not directly under the developer’s control, such as data aggregators or advertising networks.
Most of the 211 diabetes apps (81 percent) in the study did not have privacy policies. Only 4 policies said they would ask users for permission to share data. In the transmission analysis that included 65 apps, sensitive health information from diabetes apps (e.g., insulin and blood glucose levels) was routinely collected and shared with third parties, with 86 percent of apps placing tracking cookies and 76 percent without privacy policies. Of the 19 apps with privacy policies that shared data with third parties, 11 apps disclosed this fact, whereas 8 apps did not.
“This study demonstrated that diabetes apps shared information with third parties, posing privacy risks because there are no federal legal protections against the sale or disclosure of data from medical apps to third parties. The sharing of sensitive health information by apps is generally not prohibited by the Health Insurance Portability and Accountability Act,” the authors write.