In January 2013, US Rep Henry C. “Hank” Johnson (D-Ga) proposed legislation to protect personal privacy as related to mobile apps. This issue is especially important to those of us in health care, since the data included can be protected health information. Johnson calls his draft proposal the Application Privacy, Protection and Security Act of 2013, or APPS. In it, he calls for more security for the personally identifiable information that mobile apps currently collect and store.

If introduced to the House and enacted into law, APPS would require developers to disclose how they collect personal data, what information is collected, how long it could be stored, and what other parties would have access to the data. APPS would also allow end users to forbid developers from sharing or collecting their personal data.

Probably the most succinct definition comes straight from the proposal introduction that states its purpose this way: “To provide for greater transparency in and user control over the treatment of data collected by mobile applications and to enhance the security of such data.” You can find a full version (and discussion) of the proposal at Johnson’s site: http://apprights-hankjohnson.house.gov.

What the Legislation Would Cover
What’s covered under the new proposed legislation? It stipulates that you must be notified and subsequently agree that your personal information can be collected. You must also be informed of other individuals and organizations that get to share the information. The problem is more common than you might think. Joe Santilli, CEO of SafeApp Mobility Inc, Coconut Grove, Fla, said his company analyzed a popular video game app and found that there were more than 50 third parties sharing the captured personal information. Unfortunately, the draft Act only specifies that the category or type of third party should be transparent. No mention is made of disclosing specific third-party names.

APPS would require that before collecting any personal data, the application must “provide the user with notice of the terms and conditions governing collection, use, and storage of personal data” and obtain consent from the user.

For apps developers, it would be mandatory to divulge the following:

  • The data types or categories of personal data to be collected;
  • The purposes for which the data will be used;
  • The kinds of third parties that can access and use the data; and
  • The length of time the data will be stored and the terms and conditions of the storage.

In addition to knowing how and how long their data will be stored, the app purchaser would also have the right to opt out at a later time. The app vendor would then be required to delete the data and confirm that the deletion took place.

The APPS Act also states that the Federal Trade Commission (FTC) would be able to enforce the law and assess penalties. All cases are civil action, not criminal—in other words, no jail terms. More often, violations in the health care industry are related to HIPAA breaches via mobile devices.

When it comes to health care mobile apps, privacy practices and policies become more sensitive and complicated due to the protected health information involved. In addition to Johnson’s proposed rules, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) also applies. HIPAA got a little more teeth when the Health Information Technology for Economic and Clinical Health Act was enacted under the American Recovery and Reinvestment Act of 2009.

We’re hearing more about large HIPAA fines and penalties than ever before. Probably the biggest is a $4.9 billion class action lawsuit filed in 2011 against the Department of Defense after the protected health information for 4.9 million people was compromised by the loss of data backup. In this case, the protected health records for 9 years of record keeping were snatched from the trunk of an employee-owned car. (Such theft is a frequent cause of HIPAA breaches.) Although the motivation behind this breach was good—to keep a “fire copy” off-site, the employee involved was moving backup tapes to a remote location—reasonable precautions were not taken.

Growth of Mobility and Mobile Apps
A Jackson & Coker report from 2011 showed that four out five physicians use smartphones or tablet PCs in their daily routine of collecting and viewing patient health data. Another estimate from 2 years ago showed that 81% of health care organizations use mobile devices to collect, store, and transmit patient data, but that 49% of those don’t use any security safeguards. This means that only 24% use any kind of data encryption—a huge security risk. In such an environment, the loss of data through a security breach is almost guaranteed to happen.

Will APPS Kill the Apps?
SafeApp’s Santilli has stated that APPS would create a hardship for many app developers. The developer would need to have some kind of technology to hunt for all third parties, and would also need to remove all traces of personal data should the user decide to opt out at a later date.
Many developers are funded by marketers who are after personally identifiable information in order to profile end users and target advertising to them. Thus, if Johnson’s proposal becomes law, the days of the free app might be over.

Conclusion
The APPS Act has three key tenets that will help to influence how personally identifiable information and protected health information are collected, stored, and distributed.
The first is that app developers must have a comprehensive privacy policy that states what personal information is collected, and lists the reasons why it’s being collected and the types of third parties that could share the collected data.
Second, the policy must also specify a user rights clause and how the user can exercise those rights. In theory, end users will also be able to exercise control over their data. They should also be able to access and review the user rights prior to downloading the app, and will need to consent to them before downloading.
Third, developers will be obliged to protect personal data from unauthorized retrieval, and allow users to opt out and delete any data collected by the app.
If Johnson’s proposal moves forward and becomes law, it will be the first time the US government has targeted mobile apps in protecting citizens. Whatever becomes of it, at the very least Johnson’s proposal should start alerting app users to be more careful with their own personally identifiable information and protected health information. 24×7 Networking May 2013

Jeff Kabachinski, MS-T, BS-ETE, MCNE, has more than 20 years of experience as an organizational development and training professional. He is the director of technical development for Aramark Healthcare Technologies in Charlotte, NC.

For more information, contact [email protected]