Apple taking privacy seriously with new Health Records API

Company has new authorization flow to ensure users understand developers’ access to their healthcare data.


With Apple’s announcement last week about the availability of its Health Records API, the company is taking great pains to ensure that developers looking to create apps that leverage patients’ healthcare data are doing so in a manner that is responsible and respectful of their privacy.

“We are providing APIs to allow you to access this data and work with it in your apps,” Jason Morely, software engineer on the Apple health team, told a session at last week’s 2018 Worldwide Developers Conference in San Jose. “There’s a huge wealth of information in medical records, and we really believe that that is a fantastic opportunity for you to provide your users with truly empowering experiences around their health data.”

Apple announced the availability of the Health Records API in an effort to enable developers to create an ecosystem of apps that empower patients by communicating with Apple’s HealthKit—provided they have users’ permissions to access and share this data.


At the same time, Morely emphasized that health records contain “incredibly sensitive information,” such as a user’s diagnosed diseases and the medications they are taking. “This is information they may not be comfortable sharing with a close friend or family member, and it can change over time as a user interacts with their healthcare institution,” he said.

Currently, Apple’s Health Records feature enables patients at more than 500 hospitals and clinics to access medical information from various healthcare institutions and to organize it into a single aggregated view on their iOS devices, according to Morely. To help users better understand and manage access to that data, he noted that Apple has introduced a new authorization flow specific to Health Records.

“We inform users what it means to share that data with your app and just how sensitive it is,” Morely told the gathering of developers. “Whenever you request authorization, you should ensure that you time your authorization requests to make sure your user has sufficient context with which to understand this new dialogue.”

In addition, he said that when an app requests authorization, users will be presented with a new permission sheet specific to clinical types. “We allow users to select the types of data that they choose to share with your app,” Morely added. “We also present a new purpose string and your app’s privacy policy in the app explanation section. This is really your opportunity to explain to users why you need access to that data, what you’re going to do with it, and how you will protect that data.”

Morely also warned developers that they should “make sure that what you request is proportional to what you need—users are really going to be surprised and concerned if they see (data) types here that don’t pertain to the primary function of your app.”

Because data can change over time as a user interacts with their healthcare institutions, Morely said Apple is introducing a new way to control how new data is shared with developers’ apps. “We default to asking before sharing new data each and every time,” he told the audience. “This means we may need to present the new permission sheet whenever new data is available. So when you need to query for data, you should always request authorization prior to doing so.”
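The authorization pattern described above (a purpose string on the permission sheet, requesting only the clinical types a feature needs, and requesting authorization again before every query) can be put together as follows. This is an added example written for this article, not code from the WWDC session or from Apple; the feature name `MedicationListFeature`, the error enum, and the assumption that the app already carries the HealthKit clinical-records entitlement and the `NSHealthShareUsageDescription` / `NSHealthClinicalHealthRecordsShareUsageDescription` purpose strings in its Info.plist are all illustrative assumptions.

```swift
import HealthKit

// Added example (not code from the WWDC session or from Apple). Assumes an iOS 12+ app
// whose entitlements include HealthKit clinical-records access and whose Info.plist
// carries the two purpose strings the permission sheet displays:
//   NSHealthShareUsageDescription
//   NSHealthClinicalHealthRecordsShareUsageDescription
// The class name "MedicationListFeature" and the error type below are assumptions.

enum ClinicalRecordAccessError: Error {
    case healthDataUnavailable
    case typeNotRequested(HKClinicalTypeIdentifier)
    case authorizationRequestFailed(Error?)
}

/// Reads clinical records for one narrowly scoped feature. Every query is gated behind a
/// fresh requestAuthorization call, and only the clinical types the feature actually
/// needs are ever requested, so the permission sheet never lists unrelated data types.
final class MedicationListFeature {
    private let store = HKHealthStore()

    /// The proportional request: a medication list needs medications and allergies, nothing else.
    private let requestedTypes: Set<HKObjectType> = {
        let identifiers: [HKClinicalTypeIdentifier] = [.medicationRecord, .allergyRecord]
        return Set(identifiers.compactMap { HKObjectType.clinicalType(forIdentifier: $0) })
    }()

    /// Call this from a screen that already explains why the app wants medical records,
    /// so the permission sheet appears with that context rather than at app launch.
    func fetchRecords(of identifier: HKClinicalTypeIdentifier,
                      completion: @escaping (Result<[HKClinicalRecord], Error>) -> Void) {
        guard HKHealthStore.isHealthDataAvailable() else {
            completion(.failure(ClinicalRecordAccessError.healthDataUnavailable))
            return
        }
        guard let clinicalType = HKObjectType.clinicalType(forIdentifier: identifier),
              requestedTypes.contains(clinicalType) else {
            // Refuse to query a type the feature never declared; widening the scope is a
            // deliberate change to requestedTypes, not something a call site does on its own.
            completion(.failure(ClinicalRecordAccessError.typeNotRequested(identifier)))
            return
        }

        // Ask before every query. New records can arrive between sessions and HealthKit
        // defaults to asking the user again before sharing them; requestAuthorization only
        // shows the sheet when something actually needs the user's decision.
        store.requestAuthorization(toShare: nil, read: requestedTypes) { presented, error in
            // `presented` means the request was handled, not that read access was granted:
            // HealthKit does not reveal whether the user denied read access to a type, so a
            // denied type simply yields no samples from the query below.
            guard presented else {
                completion(.failure(ClinicalRecordAccessError.authorizationRequestFailed(error)))
                return
            }
            let query = HKSampleQuery(sampleType: clinicalType,
                                      predicate: nil,
                                      limit: HKObjectQueryNoLimit,
                                      sortDescriptors: nil) { _, samples, queryError in
                if let queryError = queryError {
                    completion(.failure(queryError))
                    return
                }
                let records = (samples ?? []).compactMap { $0 as? HKClinicalRecord }
                completion(.success(records))
            }
            self.store.execute(query)
        }
    }

    /// Builds display summaries without copying the raw FHIR payload into logs or analytics:
    /// the resource data is the sensitive part, so only the display name, FHIR resource
    /// type and resource identifier leave this method.
    static func summaries(for records: [HKClinicalRecord]) -> [String] {
        records.map { record in
            let resourceType = record.fhirResource?.resourceType.rawValue ?? "unknown"
            let resourceID = record.fhirResource?.identifier ?? "-"
            return "\(record.displayName) [\(resourceType) \(resourceID)]"
        }
    }
}
```

The type check in `fetchRecords` is the code-level counterpart of the proportionality advice: a caller cannot quietly pull lab results or vital signs into a feature that only declared medications and allergies, and the set of requested types is the single place reviewers look to judge whether the permission sheet matches the app’s primary function.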
