AMA Encourages Health App Developers to Implement “Privacy by Design”

The American Medical Association (AMA) released a guide on data governance and equitable digital health data collection for health app developers to reference as they navigate the new age of health data sharing. The guide supplements AMA’s “Privacy Principles,” released in 2020 to help health app developers understand their role and responsibility when it comes to patient privacy.

Health app developers often fall into a regulatory grey area for data collection and use. Certain health apps may collect the same kinds of sensitive information as traditional healthcare providers, but they are not bound by HIPAA.

In September 2021, the Federal Trade Commission (FTC) aimed to tackle this problem by releasing a policy statement affirming that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule.
The policy statement raised new considerations as to what entities can be defined as healthcare providers under the rule and what the FTC considers a data breach.

With its Privacy Principles, AMA sought to strengthen physician and patient trust in health apps by providing ethical health data governance and collection guidelines. AMA encouraged health app developers to incorporate “privacy by design” when creating apps in its latest guidance.

“Our ability to collect and track health and wellness data in recent years has had positive benefits for a growing population of users across the United States,” the guidance stated.

Physicians have gained a window into their patients’ daily health and wellness, and mobile applications have allowed patients to monitor their weight and blood sugar. In addition, health apps have provided researchers with troves of data that can be used to build predictive models and improve care access.

However, AMA observed, there has been a lack of discussion around ensuring that patients understand who is collecting their data, who they are sharing it with, and whose responsibility it is to safeguard it.

“Unfortunately, society is learning that greater access to digital health information can have harmful consequences, whether intended or not,” the guide continued.

“While none of us is safe from these risks, the impact can be particularly problematic when data is used to exclude or provide substandard care for those in historically marginalized communities. Examples abound. Health insurers have used information from wearable devices to deny claims for reimbursement. Employers have used access to health information that employees may not be aware of to make employment decisions. Data brokers seek to collect more and more of this information to create in-depth profiles of individuals that serve as gatekeepers to opportunities for housing and more.”

AMA emphasized to developers that consumer consent should be at the forefront of health app development. A growing number of apps collect health information without being subject to HIPAA. As a result, health app developers have an ethical obligation to be transparent with customers about collecting health data and where that information goes once it is collected.

Many consumers scroll past the “Terms of Service” when they download any app, meaning they might not know what they consented to.

“Often, the consent controls and privacy policies are not clear or specific enough to be meaningful to consumers,” AMA pointed out.

“By providing clear consent controls and easy-to-understand terms of service, these companies can take proactive steps toward becoming responsible stewards of health and wellness information while promoting equity by ensuring all users can understand the app’s data practices and take advantage of its privacy controls.”

The guide also noted the importance of balancing consumer wants with ethical privacy practices, which benefits patients, providers, and app developers alike in the long run. Physicians may be more likely to recommend a health app that has been adequately vetted from a privacy standpoint. Therefore, health apps that follow a standardized set of privacy guidelines have an advantage both with providers making recommendations and with consumers concerned about digital privacy practices.

Lastly, AMA provided a checklist for health app developers outlining its Privacy Principles and specific actions developers can take to ensure data privacy and protection.

“As it becomes clearer how much of a consumer’s personal information, including health information, is being shared with companies like Facebook and Google, apps with a reputation for privacy-by-design will find themselves in a strong position with consumers and physicians—and, potentially, regulators,” the guide emphasized.

“Businesses that deal in personal information have choices to make in terms of privacy debt; is it easier to implement good data privacy now or scramble to meet privacy regulation and data clean up later?”