In a post last week I compared Apple’s new mHealth App store rules with our classic regulatory models. I noted that the ‘Health’ data aggregation app and other apps using the ‘HealthKit’ API that collected, stored or processed health data would seldom be subject to the HIPAA Privacy and Security rules. There will be exceptions, for example, apps linked to EMR data held by covered entities. Equally, the FTC will patrol the space looking for violations of privacy policies and most EMR and PHR apps will be subject to federal notification of breach regulations.
Apple has now publicly released its app store review guidelines for HealthKit and they make for an interesting read. First, it is disappointing that Apple has taken its cue from our dysfunctional health privacy laws and concentrated its regulation on data use, rather than collection. A prohibition on collecting user data other than for the primary purpose of the app would have been welcome. Second, apps using the framework cannot store user data in iCloud (which does not offer a BAA), begging the question where it will be acceptable for such data to be stored. Amazon Web Services? Third, while last week’s leaks are confirmed and there is a strong prohibition on using HealthKit data for advertising or other data-mining purposes, the official text has a squirrelly coda; “other than improving health, medical, and fitness management, or for the purpose of medical research.” This needs to be clarified, as does the choice architecture.
On a slightly different note the final HealthKit guideline is as follows: “ Apps that provide diagnoses, treatment advice, or control hardware designed to diagnose or treat medical conditions that do not provide written regulatory approval upon request will be rejected.” If that language seems somewhat familiar it is because it tracks some of the wording of the FDA’s 2013 Guidance on Mobile Medical Applications as to apps that will be subject to medical device regulation.
It has not been a great privacy/security week for Apple. The ‘celebrity data’ brute force attack should lead us all to improve our passwords and adopt two-step verification, but the popular press narrative will continue to inaccurately suggest that Apple’s iCloud was hacked. Next week when the Apple faithful congregate in the big white box that has been constructed at the Flint Center, don’t be surprised if the rigor of Apple’s HealthKit guidelines receive particular emphasis.