Getting Granular with Apple’s mHealth Guidelines

By Nicolas Terry

In a post last week I compared Apple’s new mHealth App Store rules with our classic regulatory models. I noted that the ‘Health’ data aggregation app and other apps using the ‘HealthKit’ API that collect, store or process health data would seldom be subject to the HIPAA Privacy and Security Rules. There will be exceptions, for example apps linked to EMR data held by covered entities. Equally, the FTC will patrol the space looking for violations of privacy policies, and most EMR and PHR apps will be subject to federal breach notification regulations.

Apple has now publicly released its App Store review guidelines for HealthKit, and they make for an interesting read. First, it is disappointing that Apple has taken its cue from our dysfunctional health privacy laws and concentrated its regulation on data use rather than collection. A prohibition on collecting user data other than for the primary purpose of the app would have been welcome. Second, apps using the framework cannot store user data in iCloud (which does not offer a BAA), which raises the question of where it will be acceptable for such data to be stored. Amazon Web Services? Third, while last week’s leaks are confirmed and there is a strong prohibition on using HealthKit data for advertising or other data-mining purposes, the official text has a squirrelly coda: “other than improving health, medical, and fitness management, or for the purpose of medical research.” This needs to be clarified, as does the choice architecture.

Fourth, and more positively, “Apps using the HealthKit framework must provide a privacy policy.” What Apple doesn’t tell us is whether they will police the content of such policies. For example, will they require an explicit restatement of the guidelines’ provisions as to use limitations? If so, developers’ privacy policies will be of real value and can be indirectly enforced by the FTC.

On a slightly different note, the final HealthKit guideline is as follows: “Apps that provide diagnoses, treatment advice, or control hardware designed to diagnose or treat medical conditions that do not provide written regulatory approval upon request will be rejected.” If that language seems somewhat familiar, it is because it tracks some of the wording of the FDA’s 2013 Guidance on Mobile Medical Applications as to apps that will be subject to medical device regulation.

It has not been a great privacy/security week for Apple. The ‘celebrity data’ brute force attack should lead us all to improve our passwords and adopt two-step verification, but the popular press narrative will continue to suggest, inaccurately, that Apple’s iCloud was hacked. Next week, when the Apple faithful congregate in the big white box that has been constructed at the Flint Center, don’t be surprised if the rigor of Apple’s HealthKit guidelines receives particular emphasis.

The Petrie-Flom Center Staff
