Table 1. Privacy Policy Provisions for the 41 Apps With Privacy Policies (19% of the 211 Apps)
Table 2. Permission Listings of 211 Android Diabetes Apps
Research Letter
March 8, 2016

Privacy Policies of Android Diabetes Apps and Sharing of Health Information

Author Affiliations
  • 1Illinois Institute of Technology Chicago-Kent College of Law, Chicago, Illinois
  • 2now with Almirall Hermal GmbH, Reinbek, Germany
JAMA. 2016;315(10):1051-1052. doi:10.1001/jama.2015.19426

Mobile health apps can help individuals manage chronic health conditions.¹ One-fifth of smartphone owners had health apps in 2012,² and 7% of primary care physicians recommended a health app.³ The US Food and Drug Administration has approved the prescription of some apps.⁴ Health apps can transmit sensitive medical data, including disease status and medication compliance. Privacy risks and the relationship between privacy disclosures and practices of health apps are understudied.

Methods

On January 3, 2014, we identified all Android diabetes apps by searching Google Play using the term diabetes. Android is the most popular mobile operating system worldwide with 82.8% market share (compared with Apple iOS’s 13.9%).⁵ We collected and analyzed privacy policies and permissions (disclosures of what apps can access or control on the device) for apps that remained 6 months after our initial search. Because consumers may want to know about privacy protections before choosing an app, we determined which apps had policies available predownload and what the policies protected. Then we installed a random subset of apps to determine whether data were transmitted to third parties, defined as any website not directly under the developer’s control, such as data aggregators or advertising networks.

We performed χ² tests of independence (Excel 2010, Microsoft) to determine whether apps with privacy policies were more likely to protect personal information than apps without privacy policies. A 2-sided P value less than .05 was considered significant.

Results

We identified 271 diabetes apps and chose a random sample of 75 for the transmission analysis. Within 6 months, 60 apps became unavailable, leaving 211 apps in the sample and 65 apps in the subset. Most of the 211 apps (81%) did not have privacy policies. Of the 41 apps (19%) with privacy policies, not all of the provisions actually protected privacy (eg, 80.5% collected user data and 48.8% shared data) (Table 1). Only 4 policies said they would ask users for permission to share data.

Permissions, which users must accept to download an app, authorized collection and modification of sensitive information, including tracking location (17.5%), activating the camera (11.4%), activating the microphone (3.8%), and modifying or deleting information (64.0%) (Table 2).
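A defender-side check of the permission categories listed above, as an added example that is not part of the original letter: it reads the `uses-permission` entries of an Android manifest and groups them under the letter's four categories. The mapping from each category to Android permission names is an assumption made here, and the manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: which Android permissions fall under each category named in the letter.
CATEGORIES = {
    "tracking location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "activating the camera": {"android.permission.CAMERA"},
    "activating the microphone": {"android.permission.RECORD_AUDIO"},
    "modifying or deleting information": {
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}

# Constructed manifest for a hypothetical diabetes-logging app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.glucoselog">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Glucose Log"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return every permission name the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Permissions can be declared with either element name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def sensitive_categories(manifest_xml):
    """Map each category from the letter to the matching permissions requested."""
    requested = requested_permissions(manifest_xml)
    return {
        category: sorted(requested & names)
        for category, names in CATEGORIES.items()
        if requested & names
    }

if __name__ == "__main__":
    for category, perms in sensitive_categories(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```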

In the transmission analysis, sensitive health information from diabetes apps (eg, insulin and blood glucose levels) was routinely collected and shared with third parties, with 56 of 65 apps (86.2%) placing tracking cookies; 31 of the 41 apps (76%) without privacy policies, and 19 of 24 apps (79%) with privacy policies shared user information, which was not statistically significantly different (N = 65; χ²₁ = 0.11, P > .25). Of the 19 apps with privacy policies that shared data with third parties, 11 apps disclosed this fact, whereas 8 apps did not.
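The test of independence reported above, recomputed from the counts in this paragraph as an added example that is not part of the original letter. It assumes the uncorrected Pearson statistic (no continuity correction), which is the form that reproduces the reported value; the function name is hypothetical.

```python
import math

# Counts from the transmission analysis: [shared, did not share].
WITHOUT_POLICY = [31, 41 - 31]
WITH_POLICY = [19, 24 - 19]

def chi_square_2x2(table):
    """Pearson chi-square test of independence for a 2x2 table.

    Returns (statistic, p_value, n). No continuity correction is applied
    (an assumption of this example).
    """
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    n = sum(row_totals)
    statistic = 0.0
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = row_totals[i] * col_totals[j] / n
            if expected == 0:
                raise ValueError("expected count of zero; test is undefined")
            statistic += (observed - expected) ** 2 / expected
    # With 1 degree of freedom the upper-tail probability is erfc(sqrt(x / 2)).
    p_value = math.erfc(math.sqrt(statistic / 2))
    return statistic, p_value, n

if __name__ == "__main__":
    stat, p, n = chi_square_2x2([WITHOUT_POLICY, WITH_POLICY])
    print(f"N = {n}, chi-square(1) = {stat:.2f}, P = {p:.2f}")
```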

Discussion

This study demonstrated that diabetes apps shared information with third parties, posing privacy risks because there are no federal legal protections against the sale or disclosure of data from medical apps to third parties.⁶ The sharing of sensitive health information by apps is generally not prohibited by the Health Insurance Portability and Accountability Act.

This study is limited to Android apps and privacy policies available predownload in 2014, and the apps in the subset may not be a representative sample due to withdrawal of some apps. In November 2015, 143 of the 211 original apps, and 53 of the 65 apps in the subset (23 with and 30 without privacy policies) were still available. There were no major changes in the number of privacy policies (only 2 in the subset added policies), and policies had not been modified to protect consumer data from being shared with third parties.

Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case. Medical professionals should consider privacy implications prior to encouraging patients to use health apps.

Section Editor: Jody W. Zylke, MD, Deputy Editor.
Article Information

Corresponding Author: Sarah R. Blenner, JD, MPH, Illinois Institute of Technology Chicago-Kent College of Law, 565 W Adams St, Ste 530, Chicago, IL 60661 (sblenner@gmail.com).

Author Contributions: Ms Blenner had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.

Study concept and design: Blenner, Köllmer, Williams, Andrews.

Acquisition, analysis, or interpretation of data: Blenner, Köllmer, Rouse, Daneshvar, Williams, Andrews.

Drafting of the manuscript: Blenner, Köllmer, Rouse, Daneshvar, Williams, Andrews.

Critical revision of the manuscript for important intellectual content: Blenner, Köllmer, Andrews.

Statistical analysis: Rouse, Daneshvar, Williams.

Administrative, technical, or material support: Blenner, Köllmer, Rouse, Williams, Andrews.

Study supervision: Blenner, Andrews.

Conflict of Interest Disclosures: All authors have completed and submitted the ICMJE Form for Disclosure of Potential Conflicts of Interest and none were reported.

References
1. Wang J, Wang Y, Wei C, et al. Smartphone interventions for long-term health management of chronic diseases: an integrative review. Telemed J E Health. 2014;20(6):570-583.
2. Pew Internet and American Life Project. Mobile Health 2012. http://www.pewinternet.org/files/old-media//Files/Reports/2012/PIP_MobileHealth2012_FINAL.pdf. Accessed December 10, 2015.
3. Bauer AM, Rue T, Keppel GA, Cole AM, Baldwin LM, Katon W. Use of mobile health (mHealth) tools by primary care patients in the WWAMI region Practice and Research Network (WPRN). J Am Board Fam Med. 2014;27(6):780-788.
4. US Food and Drug Administration (FDA). Response to FDA feedback on 510(K) K 100066. http://www.accessdata.fda.gov/cdrh_docs/pdf10/K100066.pdf. Accessed December 10, 2015.
5. International Data Corporation. Smartphone OS Market Share, 2015 Q2. http://www.idc.com/prodserv/smartphone-os-market-share.jsp. Accessed December 10, 2015.
6. Andrews LB. I Know Who You Are and I Saw What You Did: Social Networks and the Death of Privacy 17-32. New York, NY: Free Press; 2013.