Health, fitness apps pose HIPAA risks for doctors

Physicians should check apps’ privacy protections before suggesting them to patients. A new report says most apps — especially free ones — don’t offer much privacy.

By — Posted Aug. 5, 2013


Physicians might think twice about advising patients to use some mobile health and fitness apps. A July report indicates that many of those apps compromise patients’ privacy. Just recommending apps may put doctors at risk for violations of the Health Insurance Portability and Accountability Act.

“Even suggesting an app to patients — that’s a gray area,” said Marion Neal, owner of, a HIPAA consulting firm for physicians in private practice. “Doctors should avoid recommending apps unless they are well-established to be secure.”

Privacy Rights Clearinghouse, a nonprofit advocacy organization in San Francisco, sponsored a study of 43 popular free and paid apps that were made for consumer use. Apps used by health professionals were not part of the study.

The technical evaluation included an analysis of each app’s privacy policy. Researchers installed and used the apps to see what data the apps stored on the device, and they captured and examined the traffic between the apps and the Internet.

Many of the apps sent unencrypted data to advertisers, probably without users’ knowledge. Seventy-two percent of the apps exposed personal information that could include dates of birth, personal location, ZIP codes, medical information, email addresses, first names, friends, interests and weights. Some apps sent information to as many as 10 third parties.

Data were sent to app developers’ websites and third-party sites for analytic and advertising purposes.

More than 75% of free apps and 45% of paid apps used behavioral tracking, usually through third parties, according to the study.

Only about 50% of the free and paid apps had links to a privacy policy. Of these, about half accurately described the technical processes of the apps.

Paid apps, which ranged from less than $1.50 to more than $10, posed less risk to users’ privacy. That’s probably because they don’t rely only on advertisers to make money, according to the study.

“A worrying finding was that many of these apps sent personal information to third parties” without customers’ knowledge, said Beth Givens, founder and director of Privacy Rights Clearinghouse. “Consumers should assume that their information is being sent to third parties if they use these apps. If they feel the least bit uncomfortable with that, they should not use it.”

Hazards widespread

Neal said social media can be a privacy minefield for doctors regarding HIPAA rights. Recommending a social app may seem like a way to encourage patients to engage in their health that doesn’t pose any risks. But the law might not see it that way, he said.

By recommending apps that compromise patients’ privacy, doctors could be seen as complicit if there is any breach, although there is no apparent legal precedent for that.

It’s not just physicians; app developers could be at legal risk. The report recommended three ways app developers could avoid privacy violations. Developers should use encrypted network connections between the app and any Internet server, not use third-party advertiser or analytics services, and be careful how they send privacy-sensitive information.
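The study’s traffic analysis, and the report’s first two developer recommendations, reduce to a check anyone auditing an app can perform: intercept what the app sends, and flag requests that leave the device in plaintext, that go to hosts other than the developer’s own, or that carry personal fields. The script below is an added example, not code from the Privacy Rights Clearinghouse report. The request log, the app domain fitapp.example, and the list of field names treated as sensitive are all constructed for illustration; in practice the log would come from an intercepting proxy.

```python
"""Audit captured app traffic for the privacy problems the study describes.

Added example, not code from the Privacy Rights Clearinghouse report. The
request log below is constructed; the app's own domain (fitapp.example) and
the list of privacy-sensitive field names are assumptions for illustration.
"""
from urllib.parse import urlsplit, parse_qs

# Field names treated as personal information. Assumed list that mirrors the
# categories the study found exposed: birth dates, location, ZIP, weight, etc.
SENSITIVE_KEYS = {
    "dob", "birthdate", "lat", "lon", "zip", "email", "first_name",
    "weight", "condition", "medication", "friends", "interests",
}

# Constructed sample: (method, url, body) as an intercepting proxy would log
# them for a hypothetical fitness app whose developer runs fitapp.example.
SAMPLE_LOG = [
    ("POST", "https://api.fitapp.example/v1/sync", "weight=82&zip=94103"),
    ("GET",  "http://ads.adnet.example/track?uid=123&zip=94103&dob=1979-03-02", ""),
    ("GET",  "http://stats.analyticsco.example/hit?email=a%40b.test&lat=37.77&lon=-122.41", ""),
    ("GET",  "https://cdn.fitapp.example/img/logo.png", ""),
    ("POST", "https://collect.thirdparty.example/events", "first_name=Ann&interests=running"),
]


def is_first_party(host, app_domain):
    """True if host is app_domain itself or a subdomain of it."""
    return host == app_domain or host.endswith("." + app_domain)


def sensitive_fields(query, body):
    """Return the sensitive field names present in a query string or form body."""
    found = set()
    for blob in (query, body):
        for key in parse_qs(blob, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                found.add(key.lower())
    return found


def audit_request(method, url, body, app_domain):
    """Classify one request: transport security, recipient, sensitive fields."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "method": method,
        "host": host,
        "encrypted": parts.scheme == "https",
        "third_party": not is_first_party(host, app_domain),
        "fields": sensitive_fields(parts.query, body),
    }


def audit_log(log, app_domain):
    """Audit every request and summarise the findings the way the study
    reported them: plaintext PII, third-party recipients, fields exposed."""
    findings = [audit_request(m, u, b, app_domain) for m, u, b in log]
    leaks = [f for f in findings if f["fields"] and not f["encrypted"]]
    third_party_hosts = sorted(
        {f["host"] for f in findings if f["third_party"] and f["fields"]}
    )
    exposed = set().union(*(f["fields"] for f in leaks)) if leaks else set()
    summary = {
        "requests": len(findings),
        "plaintext_pii_requests": len(leaks),
        "third_party_recipients_of_pii": third_party_hosts,
        "fields_exposed_unencrypted": sorted(exposed),
    }
    return findings, summary


if __name__ == "__main__":
    _, summary = audit_log(SAMPLE_LOG, "fitapp.example")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed log the audit reports two requests that send personal fields over plain HTTP and three third-party hosts receiving such fields; note that the encrypted POST to collect.thirdparty.example still counts as a third-party disclosure, which is the report’s second recommendation in action: TLS protects the data on the wire, not from the recipient.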

HIPAA rulings generally are favoring patients’ privacy rights, Neal said. In a recent court case, a physician group was found to be in violation of HIPAA because doctors used public e-mail to discuss patients’ health. If they had used secure e-mail through their business, they could have avoided the violation, he said.


External links

“Technical Analysis of Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications,” Privacy Rights Clearinghouse, July 2013.
