Apple, Others Struggle with Data Use in Changing World

Register now

Apple Computer is trying to be sensitive to how consumer health data in apps using its HealthKit software development platform will be used, as evidenced by the vendor’s rules which include significant protections for consumers.

That’s the view of Jennifer Geetter and Julia Jacobson, both partners at the law firm McDermott, Will & Emery. For instance, one condition for use of consumer data on Apple’s developer website states: “Apps may not use user data gathered from the HealthKit API for advertising or other use-based data mining purposes other than improving health, medical, and fitness management, or for the purpose of medical research.”

This is a big limitation that Apple starts with as it rolls out HealthKit, its new iPhones and the Apple Watch, Geetter says. “That’s a policymaking step.”

Further conditions from Apple, among others, include:

* Apps that write false or inaccurate data into HealthKit will be rejected,

* Apps using the HealthKit framework that store users’ health information in iCloud will be rejected,

* Apps that share user data acquired via the HealthKit API with third parties without user consent will be rejected,

* Apps using the HealthKit framework must indicate integration with the Health app in their marketing text and must clearly identify the HealthKit functionality in the app’s user interface,

* Apps using the HealthKit framework must provide a privacy policy or they will be rejected, and

* Apps that provide diagnoses, treatment advice, or control hardware designed to diagnose or treat medical conditions that do not provide written regulatory approval upon request will be rejected.

These protections notwithstanding, we still live in an uncertain period of working out how consumer data will be used, Geetter notes. There will be consumer expectation gaps as privacy protections and societal views of privacy evolve. Once data goes through a smartphone, its reach is broad. Information technology at its core has a demand for data and to return the data to consumers and others, including businesses.

And that is getting the attention of regulatory agencies--such as the Federal Trade Commission, Federal Communications Commission, and Food and Drug Administration--as they wrestle with how to balance consumer data protection with ease of use of apps and interoperability, Geetter adds. “They want to move the data but also want privacy. I think it is evolving and we don’t have firm boundaries yet.”

Forgetting for a moment what some individuals may put on their Facebook and Twitter pages, consumers do care about data privacy, contends Julia Jacobson. However, they may not understand that their health information is being used by data marts just as their shopping data is being used--to create profiles of individuals. “The data ecosystem related to consumers is very complicated. What happens doesn’t match consumer expectations because they don’t understand how much data is moved and added to other data.” She adds a cautionary note that whatever happens may not necessarily be wrong and could result in tools consumers want or need.

HIPAA privacy and security rules for protected health information also can add to confusion. The law at its core identifies data that is identifiable or de-identifiable, but in the real world little points of data can be brought together to paint a picture of a consumer, Jacobson says.

That data doesn’t have to be health related to affect a health status portfolio of a consumer. A grocery receipt can include important health information, such as a diabetic buying unhealthy foods or drinks.

Consumers can use tools to exert control but the trade-off may be not having access to certain services. “The price for some services is agreeing to certain rules of the road on how the data will be used,” Jacobson explains. “It is not a consent document, but more of a notice.”

HIPAA’s protections are limited. The law covers protected health information in the hands of certain covered entities--it doesn’t necessarily cover the data itself. PHI may be protected under HIPAA in a physician’s office, but not in a consumer’s briefcase or computing device. “We’ve been living under HIPAA for a long time and people may think it has more powers than it does,” Geetter says.

Consequently, there a need to make consumers aware of their choices in how their information--health and otherwise--is used, the attorneys believe. Research from Pew Research Center shows that young consumers do care about their privacy, but what they consider to be sensitive is different from what older consumers may consider.

And it is just plain confusing to figure out what data could be used unexpectedly, according to Jacobson. He adds that consumers could experience what they believe to be infringements if public data is used but they don’t like how it is being used, or a consumer may have agreed to let private data be used but did not think the data would reach back to them.


For reprint and licensing requests for this article, click here.