Written and medically reviewed by Dorcas Morak, Pharm.D
According to a new study, medical apps share your sensitive health information with third parties without your consent, exposing you to Facebook-targeted ads. You may wonder why the HIPAA Law and Privacy Rule do not cover medical apps and stop these privacy breaches. Unfortunately, HIPAA does not cover all medical apps, though each app has a privacy policy that governs its operation. However, research demonstrates that many of them breach their own privacy policies and share data without seeking the owner's consent.
Read on to understand how this privacy violation occurs and other outcomes of the study.
What is the HIPAA Law and Privacy Rule?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule is a federal regulation that sets standards to safeguard protected health information and maintain patient confidentiality. The rule forbids health plans, healthcare clearinghouses, and healthcare providers from disclosing or sharing individuals' identifiable health data without the owners' consent.
Are Medical Apps Covered by HIPAA?
Medical apps are generally not covered by the HIPAA rules, since they do not qualify as patient care organizations. Only medical apps that are business associates of a patient care organization are covered under HIPAA. Otherwise, your health data is protected only by the medical app's privacy policy, which you must accept before using the app.
Do The Medical Apps Keep To their Privacy Policies?
All five medical apps selected for the study were found to share patients' data with third parties. Three of the apps stated in their privacy policies that they would not share data with third parties, yet they shared it anyway. Only two, Ciitizen and Invitae, make it clear that health data might be shared with advertisers.
How Do Facebook Ads Draw On Sensitive Data?
Color Genomics, one of the medical apps under examination, operates a CLIA-certified lab and is directly governed by HIPAA standards. The app's privacy policy states that it neither shares nor sells health information and will only divulge health record information with users' consent. Nevertheless, the investigation found that the app communicates with three cross-site trackers, one of which (Nanigans) shares information with Facebook advertisements. Furthermore, two applications maintained by Myriad Genetics, which also operates a CLIA-certified lab, were found to be exchanging information with Facebook advertisers. Invitae and Ciitizen, however, use cookies that let advertisers learn users' information if they click on the ads.
What are the Reasons for Data Policy Violations?
According to research, some medical apps monetize patients' health data and sell it to advertisers. There are instances of digital health applications, such as Flo, being caught selling users' health information to an advertiser. Another cause of data policy violations is the danger associated with unsupervised third-party code, such as ad trackers, content recommendation algorithms, shopping cart plugins, and more. Even privacy-conscious businesses are frequently unaware of what this code does, which can result in data breaches and phishing attempts.
Our Commitment
At rxless, your privacy is our priority! We are just as committed to safeguarding your confidential information as we are to protecting your health. If we do save your personal information from online chats, phone calls, web interactions, faxes, or other means, we will NEVER share, sell, or otherwise disclose it other than to assist you with RxLess. Period.