By Sara Gerke and Chloe Reichel
Direct-to-consumer (DTC) health apps, such as apps that manage our diet, fitness, and sleep, are becoming ubiquitous in our digital world.
These apps provide a window into some of the key issues in the world of digital health — including data privacy, data access, data ownership, bias, and the regulation of health technology.
To better understand these issues, and ways forward, we contacted key stakeholders representing a range of perspectives in the field of digital health for their brief answers to five questions about DTC health apps.
- Ariel Dora Stern is the Poronui Associate Professor of Business Administration at Harvard Business School. She is also a faculty member of the Harvard-MIT Center for Regulatory Science and currently a visiting Professor at the Hasso Plattner Institute’s Digital Health Center. Since 2020 she has advised the German Federal Ministry of Health on topics related to digital innovation.
- Deborah DiSanzo is president of Best Buy Health for Best Buy Co. Inc. In this role, she is responsible for the company’s health strategy, with a particular focus on bringing health technology into the home to help people live better, safer and more independent lives.
- Peter R Chai MD, MMS is an emergency medicine physician and medical toxicology at Brigham and Women’s Hospital/Harvard Medical School. His research focuses on the application of technologies to detect changes in human health and behavioral interventions that mitigate exacerbations of disease before they occur.
- Sara Gerke (series editor) is an Assistant Professor of Law at Penn State Dickinson Law. She previously served as a Research Fellow in Medicine, Artificial Intelligence, and Law at the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School for the Project on Precision Medicine, Artificial Intelligence, and the Law (PMAIL).
This first installment of responses looks at data privacy concerns. With DTC health apps, the collection of health-related data is no longer confined to the clinic — our phones and wearable devices now collect this data as we go about our daily lives. We asked our respondents: Do you believe that the data collected by such apps are adequately protected in the U.S.? If not, what are potential solutions to change this — how can we protect the privacy of individuals in the big data world?
I do not believe that the data collected by apps are adequately protected in the U.S. This could change in two ways. On one hand, public policy could hold manufacturers to higher standards with respect to protecting individual data – this is what legislation like the General Data Protection Regulation (GDPR) does for personal data and data concerning health. On the other hand, consumer literacy can be encouraged, and consumers can “vote with their feet” about which products to use. Some new tools like “nutrition labels” for digital health products may help individuals make better decisions. I fear, however, that putting the burden entirely on consumers to make fully informed decisions is unlikely to be sufficient in the absence of manufacturer requirements to protect data. In the long run, I actually believe this will be bad for innovation and technology adoption because of lingering uncertainty regarding data protection.
When I ask my classes if they believe the health data in their apps are protected by the Health Insurance Portability and Accountability Act (HIPAA), many students believe it to be true. In fact, much of the health data we collect on our phones and apps have few privacy laws protecting it. Laws in California, Virginia, and the European Union may provide some personal privacy protection, but mostly, when I step on my scale in the morning and send my weight to my phone, I might as well be putting it on a billboard outside my house. It would help app developers to have unified privacy laws protecting consumer personal data. Navigating various state laws will be difficult, especially for smaller companies.
I think DTC health apps are a new territory and may open up a new space surrounding health data and data privacy in the U.S. Many of the companies developing DTC apps, likely in part of their commercialization, may consider the storage and application of data — even deidentified data — as an important asset to the continued development of the technology. Individuals who utilize these apps may not understand the extent to which their data may be used — either as a training dataset or as experimental data to develop next generation DTC apps. Multi-page data use agreements and complex terms can be confusing for the average consumer, preventing them from understanding the extent and scope to which data may be retained or used for other reasons. Transparent, concise information regarding the use of data, the extent to which data is kept, and the types of data obtained should be made clear to consumers.
I believe that we can do a better job in protecting the privacy of individuals in the big data world. In particular, HIPAA (the Health Insurance Portability and Accountability Act of 1996) has reached its expiration date. It does not cover much of the health-related data collected by technology companies such as Google or Apple. So, health-related data collected through DTC health apps do usually not fall under HIPAA. California and Virginia passed comprehensive privacy laws to partially close legal loopholes. However, such state laws only protect residents that live in those specific states. The U.S. would benefit from a federal law that adequately protects the privacy of all consumers.