Abstract
Background:
Individuals with diabetes rely on medical equipment (eg, continuous glucose monitoring (CGM), hybrid closed-loop systems) and mobile applications to manage their condition, providing valuable data to health care providers. Data sharing from this equipment is regulated via Terms of Service (ToS) and Privacy Policy documents. The introduction of the Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR) in the European Union has established updated rules for medical devices, including software.
Objective:
This study examines how data sharing is regulated by the ToS and Privacy Policy documents of approved diabetes medical equipment and associated software. It focuses on the equipment approved by the Norwegian Regional Health Authorities.
Methods:
A document analysis was conducted on the ToS and Privacy Policy documents of diabetes medical equipment and software applications approved in Norway.
Results:
The analysis identified 11 items of medical equipment and 12 software applications used for diabetes data transfer and analysis in Norway. Only 3 items of medical equipment (OmniPod Dash, Accu-Chek Insight, and Accu-Chek Solo) were registered in the European Database on Medical Devices (EUDAMED), whereas none of their respective software applications were registered. Compliance with General Data Protection Regulation (GDPR) security requirements varied, with some software relying on adequacy decisions (8/12), whereas others did not (4/12).
Conclusions:
The study highlights the dominance of non-European Economic Area (EEA) companies in medical device technology development. It also identifies the lack of registration for medical equipment and software in the EUDAMED database, which is currently not mandatory. These findings underscore the need for further attention to ensure regulatory compliance and improve data-sharing practices in the context of diabetes management.
Keywords: security, privacy, software as medical device, GDPR, medical device
Introduction
People with type 1 and type 2 diabetes mellitus often have a wide range of devices and digital health applications (apps) available to help them manage their diabetes. 1 These can support lifestyle and pharmacological interventions, eg, devices such as blood glucose meters, continuous glucose monitoring (CGM) devices, insulin pumps, hybrid closed-loop systems, smart insulin pens, and associated apps.2,3
In Europe, medical equipment for chronic diseases like diabetes may be distributed to patients based on national agreements between health authorities and device producers. These agreements are valid for all citizens covered by national health insurance in most European Economic Area (EEA) countries. Data from diabetes devices and apps can provide crucial input to health care providers (HCPs) when they assess risk factors, review treatment plans, and assess patient well-being at periodic medical assessments.4-6
What is a Medical Device in Europe?
The definition of a medical device in the European market is outlined in the Medical Device Regulation (MDR), which became effective on May 26, 2021. 7 The MDR’s definition of “device” includes standalone software that meets certain criteria, such as being designed for the diagnosis, prevention, monitoring, prediction, prognosis, treatment, or alleviation of disease. Another regulation related to medical devices is the In Vitro Diagnostic Regulation (IVDR), established in 2017, 8 which governs medical devices related explicitly to tests performed outside of a living organism.
The European Commission, in conjunction with the new regulations (MDR and IVDR), has also established a database called the European Database on Medical Devices (EUDAMED), aiming to enhance traceability, cooperation, and transparency within the medical device sector. 9 Participation in this database is currently voluntary and will become mandatory in all its components in 2026. 10
General Data Protection Regulation and Other Standards
The General Data Protection Regulation (GDPR) is the most prominent European regulation, established in 2016, that concerns data protection and privacy in the EEA. 11 In addition to GDPR, individual countries may have their own national regulations for sensitive data, which are particularly relevant for the medical domain (GDPR—Article 9).
Thus, the global picture is exceptionally complex, with various international standards concerning technological aspects (see Figure 1). There are global standards on privacy and security management (ISO/IEC 27701, ISO 27799), privacy impact assessment (ISO/IEC 29134), pseudonymization and de-identification techniques (ISO 25237, ISO/IEC 20889), on secure health software development lifecycle (ISO/IEC 62304), or other standards such as data protection by design (prEN 17529) or more recent standards on the International Patient Summary and its implementation in Europe (EN ISO 27269 and CEN/TS 17288).
Figure 1.
Regulations and standards affecting medical devices in EEA.
Abbreviations: EEA, European Economic Area; GDPR, General Data Protection Regulation; IVDR, In Vitro Diagnostic Medical Devices Regulation; MDR, Medical Devices Regulation.
Controversies on Data Sharing Outside Europe: Schrems Cases
Although GDPR governs the data transfer between the EEA and external countries, significant doubt has arisen concerning the legitimacy of transferring personal data to countries outside the EEA. One of the best-known cases is the Schrems II case, which highlighted some of these challenges and led to the invalidation of the Privacy Shield as a mechanism for transferring data from Europe to the United States on July 16, 2020. 12 The Privacy Shield was a self-certification scheme in which US companies certified to the US Department of Commerce that they met the data protection standards (eg, GDPR). In response to the court case, the European Commission has proposed the Standard Contractual Clauses to regulate data transfer from the EU/EEA (subject to the GDPR) to entities outside the EU/EEA that are not subject to the GDPR.
The information about data transfer in Europe must be available to the users (eg, patients). This information is often available via the Terms of Service (ToS) and Privacy Policy documents made by the processor of the data (eg, manufacturer).
Objective
This study aims to analyze the mandatory ToS and Privacy Policy documents for medical equipment used by individuals with diabetes in relation to existing regulations regarding data sharing. To guide our analysis, we formulated 2 research questions:
Research Question 1: How do ToS and Privacy Policy regulate the data flow from the patients’ medical equipment to the manufacturers, third parties, and countries outside EEA?
Research Question 2: How do HCPs access patient-gathered data?
Materials and Methods
We performed a Document Analysis 13 to summarize findings from the ToS and Privacy Policy documents.
Document Sources and Search Strategy
We only considered the medical equipment devices available for individuals with diabetes in Norway that are listed in the purchasing agreement between the Norwegian Regional Health Authorities and the vendors from October 1, 2022 to September 30, 2023. 14 Based on the medical devices listed, we performed multiple data searches in October 2022 for the documents referencing the ToS and Privacy Policy. Then, we approached each medical supplier listed in the National Agreement for confirmation about the documents identified.
Identification and Evaluation of Key Elements
We investigated the documents provided by vendors/manufacturers (after we sought contact via e-mail and phone calls) or those to which we were referred online. Regrettably, some medical suppliers listed in the national agreement did not respond to our inquiries, and for those, we used the documents identified by online search. Afterwards, we identified and evaluated related software that regulates the data flow from all the eligible medical devices.
The authors (MP and DT) extracted multiple items from the identified ToS and Privacy Policy documents. All the authors agreed upon the analysis of the elements reported in Figure 2 in line with the analysis objectives.
Figure 2.
Document analysis key elements.
Abbreviations: EEA, European Economic Area; EUDAMED, European Database on Medical Devices; GDPR, General Data Protection Regulation.
Results
Medical Equipment Identified
We identified 11 different items of medical equipment distributed by the Norwegian Regional Health Authorities, 14 as reported in Table 1.
Table 1.
Insulin Pumps, CGMs, and Hybrid Closed-Loop Systems Available for Patients in Norway.
Medical equipment (n = 11) | Categories |
---|---|
MiniMed 780G + Guardian Connect G4 | Insulin pump with hybrid closed-loop technology |
MiniMed 640G a + Guardian Connect G3 | Insulin pump with Predictive Low-Glucose Suspend (PLGS) |
Tandem t:slim X2 Insulin pump Control-IQ technology + Dexcom G6 | Insulin pump with hybrid closed-loop technology |
OmniPod Dash | Insulin patch pump |
Accu-Chek Solo | Insulin patch pump |
Accu-Chek Insight a | Insulin pump |
Guardian Connect G4 | Stand-alone CGM |
FreeStyle Libre 2 | Stand-alone CGM |
FreeStyle Libre 3 | Stand-alone CGM |
Dexcom G6 | Stand-alone CGM |
Eversense E3 | Stand-alone CGM |
Abbreviation: CGM, continuous glucose monitoring.
a Supported until April 2023.
Medical Equipment Registration in the European Database on Medical Devices
Only 3 of the 11 diabetes devices studied have been registered in the EUDAMED database. The OmniPod Dash has been classified as a Class IIb risk under the MDR. In addition, both the Accu-Chek Insight and Accu-Chek Solo have been registered under Annex II List B of the IVDR.
Data Flow From Medical Equipment to Patients and Health Care Providers
Vendors of several medical devices require patients to use their smartphones to display measured health information. Patients who lack access to a smartphone or choose not to use one are referred to built-in monitoring systems, such as the FreeStyle Libre 2 and Dexcom G6, which have a dedicated data reading device. 14
Table 2, which supplements Table 1, illustrates potential software additions for the identified medical equipment in Europe. Notably, several of these software applications may be compatible with multiple devices, whereas the Privacy Policies and ToS documents may have joint applicability to more than one software application.
Table 2.
Software Applications for the Medical Equipment.
Medical equipment (n = 11) | Software that regulates the data flow (users) (n = 12) | References |
---|---|---|
MiniMed 780G | CareLink Connect (HCP), MiniMed Mobile (P), Guardian Connect (P) | 15-18 |
MiniMed 640G | CareLink Connect (HCP), MiniMed Mobile (P), Guardian Connect (P) | 15-18 |
Guardian Connect G4 | CareLink Connect (HCP), MiniMed Mobile (P), Guardian Connect (P) | 15-18 |
Tandem t:slim X2 Insulin pump Control-IQ technology | t:connect mobile (P, HCP), Glooko (P, HCP) | 19-22 |
OmniPod Dash | Omnipod Display (P), Glooko (P, HCP) | 21-24 |
Accu-Chek Solo | mySugr (P), RocheDiabetes Care Platform (HCP), Glooko (P, HCP) | 21,22,25-28 |
Accu-Chek Insight | mySugr (P), RocheDiabetes Care Platform (HCP), Glooko (P, HCP) | 21,22,25-28 |
FreeStyle Libre 2 | LibreView Data Management System (HCP), FreeStyle App (P) | 29-32 |
FreeStyle Libre 3 | LibreView Data Management System (HCP), FreeStyle App (P) | 29-32 |
Dexcom G6 | Dexcom Clarity (P, HCP), Glooko (P, HCP) | 21,22,33,34 |
Eversense E3 | Contour Diabetes (P) | 35,36 |
Abbreviations: P, patient; HCP, health care provider.
Software Registration for Health Care Providers and the European Database on Medical Devices
At present, patient-gathered data from medical equipment and apps cannot be directly downloaded into the electronic health record (EHR) systems used in Norwegian hospital clinics. As a result, HCPs need to access patient data through other software. In Table 2, we analyzed the software that can be used to access patient data and identified 6 options for the clinics: CareLink Connect, LibreView Data Management System, RocheDiabetes Care Platform, t:connect mobile, Dexcom Clarity, and Glooko, the only data aggregator, which is compatible with multiple devices. Furthermore, when examining the related software, we found that none (0/12) of these software applications are registered as medical devices in the EUDAMED database.
Overview of Data Processed by Software
The software applications that regulate the data flow (n = 12), previously identified in Table 2, collect and process different data. In Table 3, we present an overview of the software processing health-related data (GDPR Article 4.14). All software applications collect personal data (GDPR Article 4.1), whereas only Glooko12,13 and t:connect mobile8,9 collect biometric data.
Table 3.
Data Processed From Various Software.
Software that regulates data flow (users) | Data concerning health | Specific security measures | Adequacy decisions a | Reference to documents (ToS, Privacy Policy) |
---|---|---|---|---|
Glooko (P, HCP) | X | GDPR-compliant anonymization, encryption | Standard contractual clauses, privacy shield, Binding Corporate Rules (BCRs) | 21,22 |
MiniMed Mobile (P), Guardian Connect (P) | X | GDPR compliance | Standard contractual clauses | 16,18 |
CareLink Connect (HCP) | | GDPR compliance, possibly pseudonymization, anonymization, and encryption | Adequacy decision or else, standard contractual clauses | 15,17 |
t:connect (P, HCP) | X | GDPR compliance, encryption, access control, event logging | None | 19,20 |
OmniPod DISPLAY (P), OmniPod VIEW (HCP) | X | GDPR compliance | None | 23,24 |
mySugr (P) | X | Specific security measures such as data transfer via HTTPS (hypertext transfer protocol secure), user can operate via pseudonym, and anonymization | Standard contractual clauses | 25,26 |
RocheDiabetes Care Platform (HCP) | | GDPR compliance, access control | Standard contractual clauses | 27,28 |
LibreView Data Management System (HCP) | | GDPR compliance, access control, de-identifying, pseudonymizing, aggregating, and/or anonymizing the personal information | Compliance with laws of patient’s jurisdiction | 30,31 |
FreeStyle App (P) | X | De-identify, pseudonymize, aggregate and/or anonymize, encrypted Bluetooth connections for FreeStyle Libre sensors, 2-factor authentication for LibreView users | None | 29,32 |
Dexcom Clarity (P, HCP) | X | GDPR compliance, transmission encrypted | Standard contractual clauses | 33,34 |
Contour Diabetes (P) | X | GDPR compliance, encryption, anonymized, or de-identified/pseudonymized information | Standard contractual clauses | 35,36 |
Abbreviations: ToS, Terms of Service; P, patient; HCP, health care provider; GDPR, General Data Protection Regulation.
a An “adequacy decision” is a decision made by the European Commission (EU) that recognizes that a non-EU country or organization provides the same level of protection for personal data as the EU does.
Table 3 provides an overview of the specific security measures identified. All software applications use third-party service providers to deliver their services, such as information technology and hosting services. Table 3 also presents the legal basis for data export to non-European jurisdictions under “Adequacy decisions.”
Discussion
Main Findings
We identified 11 types of medical equipment used by diabetes patients in Norway (Table 1). To analyze how HCPs access patient diabetes data (RQ2), we identified software that regulates data flow (n = 12) (Table 2). Some software applications can be used by both patients and HCPs (3/12), whereas others are used exclusively by 1 group (6/12 by patients, 3/12 by HCPs).
We analyzed compliance with GDPR security measures (RQ1) and found that some software relies on adequacy decisions (8/12). The remaining 4 software applications did not specify any adequacy decisions (4/12).
We also investigated the registration status of medical equipment and software in the EUDAMED database to comply with the new MDR and IVDR regulations. Only 3 devices (OmniPod Dash, Accu-Chek Insight, and Accu-Chek Solo) were registered in EUDAMED, but none of their respective software applications were (RQ1).
Perceived Necessity vs Policy Overload: A Dilemma for Medical Equipment Users
While a smartphone is not strictly necessary for managing diabetes, it can be helpful due to the ability of mobile apps and software to facilitate glucose monitoring and automatic data recording and data transfer. Medical equipment used for diabetes management includes Bluetooth or Near-Field Communication (NFC) tags for wireless communication with smartphones. 37 Alternative devices can be provided for patients who choose not to use a mobile phone.
Patients who use vendor software applications are required to acknowledge and accept the ToS and Privacy policies.15-36 In addition, patients must provide informed consent for the processing of their data. 38 However, the documents governing the use of these software applications can often be intricate and broad, creating a dilemma for users who may simply decide that the benefits outweigh the challenges of navigating these lengthy documents.
Future studies should investigate the different sensitivity of users toward data sharing, the perceived need for this technology, and the impact on the acceptance of these terms.
Data-Sharing Challenges for Primary and Secondary Use of Data
The medical equipment outlined in Table 1 plays a crucial role in health care, and many software applications are widely used for planning the treatment of patients (primary use of data). However, none of these applications are directly integrated into the EHR system, which creates a challenge for HCPs who must use multiple systems with different login processes and platforms. This can take up valuable time during consultations, potentially affecting the quality of patient care.5,39-41 Furthermore, it is important to note that these systems, in their current state, are not designed for integration with EHRs. The systems are not intended to be an EHR, as exemplified by the LibreView data management system’s declaration: “THE LIBREVIEW DATA MANAGEMENT SYSTEM IS NOT AN ELECTRONIC HEALTH RECORDS SYSTEM AND YOU MUST PRINT AND/OR DOWNLOAD PATIENT INFORMATION THAT YOU DEEM RELEVANT TO YOUR PROVISION OF MEDICAL CARE, TREATMENT OR ADVICE.”30,31 The manual process of transferring data from the data management systems into EHRs can increase the risk of errors and create inefficiencies in the data reporting process. 6
When it comes to sharing data for secondary use, the GDPR grants patients the right to receive personal data in a machine-readable format (Article 20, Right to data portability). However, patients and informal caregivers often face difficulties when attempting to download diabetes data.42,43 These challenges bring into question the ownership of patient data, as it remains largely within the medical vendor ecosystem.
Thus, the diverse data structures used by medical equipment manufacturers make integrating or sharing data directly into EHR systems or for research studies challenging. To mitigate these issues, the adoption of a common data exchange standard like Fast Healthcare Interoperability Resources (FHIR) is essential.
The Controversy About Whether Software Applications Should Be Considered Medical Devices
None of the software applications listed in Table 2 is registered as a medical device in the EUDAMED database. We have identified 2 different potential reasons. The first one could be due to the disclaimers presented to patients, such as “No medical advice: THE LIBREVIEW DATA MANAGEMENT SYSTEM IS NOT INTENDED FOR THE DIAGNOSIS OF OR SCREENING FOR DIABETES MELLITUS” 30 or “YOUR USE OF THE SERVICE IS SOLELY AT YOUR OWN RISK.” 21
While disclaimers might reduce the legal obligations of software providers, it is crucial to prioritize their intended use. Moreover, disparities in software registration as medical devices could give rise to issues. The absence of medical device registration might spark controversy, especially when these software applications are used or endorsed within hospital premises and can be perceived as medical devices.
Ultimately, the effectiveness of EUDAMED will need to be evaluated once it is fully implemented as it will become mandatory in 2026. 10 This database includes a module for reporting severe events related to devices and corrective safety measures. Besides the intended use of the software, including digital health applications in this module is challenging due to the constantly evolving nature of Information and Communications Technology (ICT) data security and managing multiple security risks. 44
Technical Overview and How Data Are Shared
Although the legal documents provide details about the data processed by the software, they often lack specific and detailed security measures. The documents primarily offer recommendations for password handling and highlight the responsibility of professional users to protect their accounts.30,31
Data sharing between software applications can complicate the understanding of how patient health information is processed. Patient software applications may collect and process health information, which is then accessed by HCP software through a cloud solution without further processing. We could assume this because the software exclusive to HCPs, as indicated in Table 3, does not collect any health data. Furthermore, there is a lack of comprehensive information regarding the specific categories of data processed, the manner in which data flows, how long it is stored, techniques employed for de-identification, encryption protocols, and data formats.
Finally, it is important to understand the ToS and Privacy Policies for any third-party applications before opting in and consenting to sharing data with them. For example, once data are shared with a third-party application, the provider, or the patient, no longer controls its use, access, or disclosure.21,22 Abbott, for instance, uses cloud providers like Amazon Web Services and Microsoft Azure.
Limitations
The presented analysis has some limitations: the devices were restricted to those available in Norway, and we did not receive adequate feedback from all the vendors. Nevertheless, the work is still relevant for the entire EEA/EU area because Norway is part of the EEA Board without a voting right for GDPR-related matters. The General Data Protection Regulation and the security and privacy issues discussed are also highly relevant for those outside the EEA/EU. It is important to note that the list of compatible apps (described in Table 2) may evolve over time, and this study only examines those available during the specified period.
Conclusions and Implications for the Future
The current state of medical device technology development is largely dominated by companies outside of the European Economic Area (EEA).
This study is the first to analyze the ToS and Privacy Policy documents for diabetes medical equipment that national authorities have approved. These documents are not easy for end users to understand and require a high level of legal and digital literacy, as indicated by a previous study. 45 Due to complex or legalistic terminology, most users may consent without adequately understanding the terms and conditions presented online.46,47 Future research should explore users’ levels of sensitivity toward data sharing, their perceived necessity for this technology, and their acceptance of the related terms and conditions.
Future research should also investigate how to effectively educate and train health care professionals on data security and privacy to increase their awareness and understanding of these issues, 48 as HCPs prioritize functionalities over security and privacy concerns when recommending these tools to patients. 49 A standardized health care data-sharing approach (eg, FHIR) could integrate these tools into existing EHR systems. This would simplify the work of health care providers in their clinical practice as they would no longer need to interact with multiple systems and procedures to access and view patient data.
Acknowledgments
The authors thank the EU-project, HEIR—a secured Healthcare Environment for Informatics Resilience (grant agreement no. 883275) and Celia Nielsen for her initial assistance in the process of contacting each medical supplier listed in the Norwegian National Agreement.
Footnotes
Abbreviations: AIMD, Active Implantable Medical Devices; Apps, mobile applications; CGM, continuous glucose monitoring; EEA, European Economic Area; EULA, end-user license agreement; GDPR, General Data Protection Regulation; HCPs, health care providers; IVDR, In Vitro Diagnostic Medical Devices Regulation; MDD, Medical Device Directive; NFC, Near-Field Communication; SCCs, standard contractual clauses; ToS, Terms of Service.
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding: The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: All authors were partially financed by the EU-project, HEIR—a secured Healthcare Environment for Informatics Resilience (grant agreement no. 883275).
ORCID iDs: Pietro Randine https://orcid.org/0000-0001-7188-0138; Matthias Pocs https://orcid.org/0000-0001-5582-9869; Eirik Årsand https://orcid.org/0000-0002-9520-1408
References
- 1. El-Gayar O, Timsina P, Nawar N, Eid W. Mobile applications for diabetes self-management: status and potential. J Diabetes Sci Technol. 2013;7(1):247-262.
- 2. Tanenbaum ML, Hanes SJ, Miller KM, Naranjo D, Bensen R, Hood KK. Diabetes device use in adults with type 1 diabetes: barriers to uptake and potential intervention targets. Diabetes Care. 2017;40(2):181-187.
- 3. Ramesh J, Aburukba R, Sagahyroon A. A remote healthcare monitoring framework for diabetes prediction using machine learning. Healthc Technol Lett. 2021;8(3):45-57.
- 4. Dwamena F, Holmes-Rovner M, Gaulden CM, et al. Interventions for providers to promote a patient-centred approach in clinical consultations. Cochrane Database Syst Rev. 2012;12:CD003267.
- 5. Irving G, Neves AL, Dambha-Miller H, et al. International variations in primary care physician consultation time: a systematic review of 67 countries. BMJ Open. 2017;7(10):e017902.
- 6. Randine P, Sharma A, Hartvigsen G, Johansen HD, Årsand E. Information and communication technology-based interventions for chronic diseases consultation: scoping review. Int J Med Inform. 2022;163:104784.
- 7. European Parliament. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. Off J Eur Union. 2017;60(L117):1-175.
- 8. European Union. Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. Off J Eur Union. 2017;117:176-332.
- 9. European Commission. EUDAMED: European Database on Medical Devices. Date unknown. https://ec.europa.eu/tools/eudamed. Accessed October 25, 2023.
- 10. European Commission. EUDAMED timeline. https://health.ec.europa.eu/system/files/2023-01/md_eudamed_timeline_en.pdf. Published 2022. Accessed October 25, 2023.
- 11. General Data Protection Regulation. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Off J Eur Union. 2016;59(1-88):294.
- 12. Court of Justice of the European Union. Judgment of the Court of Justice of 16 July 2020. https://e-justice.europa.eu/ecli/ECLI:EU:C:2020:559. Published 2020.
- 13. Randine P, Sharma A, Hartvigsen G, Johansen, Årsand E. Use of information and communication technology before, during, and after a consultation for chronic diseases: scoping review protocol. https://osf.io/725u6/metadata. Published 2020. Accessed October 25, 2023.
- 14. Sykehusinnkjøp. Norwegian national contracts for insulin pumps, CGM, and consumables. https://sykehusinnkjop.no/nasjonale-avtaler/insulinpumper-cgm-og-forbruksmateriell-#produkter-pa-avtale. Published February 7, 2023. Accessed October 25, 2023.
- 15. Medtronic. Privacy policy. September 20, 2020. https://carelink.medtronic.eu/public/privacy-policy?language=en&country=gb. Accessed October 25, 2023.
- 16. Medtronic MiniMed. Privacy statement. October 19, 2022. https://carelink.minimed.eu/media/en/sg/privacy_statement.pdf. Accessed January 12, 2023.
- 17. Medtronic. Terms of use. December 15, 2021. https://carelink.medtronic.eu/public/terms-of-use?language=en&country=gb. Accessed January 12, 2023.
- 18. Medtronic MiniMed. Terms of use. Date unknown. https://carelink.minimed.eu/crs/ocl/14.06/media/en/gb/terms_of_use.pdf. Accessed January 12, 2023.
- 19. Tandem Diabetes Care. License agreement & privacy policy. Date unknown. https://www.tandemdiabetes.com/en-gb/legal/privacy/license-agreement. Accessed January 12, 2023.
- 20. Tandem Diabetes Care. Privacy policy. Date unknown. https://www.tandemdiabetes.com/en-gb/legal/privacy/privacy-policy. Accessed January 12, 2023.
- 21. Glooko. Term of use. Date unknown. https://glooko.com/terms-of-use/. Accessed January 12, 2023.
- 22. Glooko. Privacy policy. March 26, 2021. https://glooko.com/privacy/. Accessed January 12, 2023.
- 23. Insulet Corporation. Terms of use. June 20, 2018. https://www.omnipod.com/terms-of-use. Accessed January 12, 2023.
- 24. Insulet Corporation. Privacy policy. May 7, 2021. https://www.omnipod.com/en-no/privacy-policy. Accessed January 12, 2023.
- 25. mySugr GmbH. Terms and conditions. April 1, 2021. https://legal.mysugr.com/documents/bundle_terms_and_conditions_us_b2b/current.html. Accessed January 12, 2023.
- 26. mySugr GmbH. Privacy policy. November 3, 2020. https://legal.mysugr.com/documents/privacy_policy_us/current.html. Accessed January 12, 2023.
- 27. Roche Diabetes Care. Terms of use. Date unknown. https://hcp.stage.rochediabetes.com/gb/terms-use. Accessed January 12, 2023.
- 28. Roche Diabetes Care. Privacy notice. Date unknown. https://hcp.stage.rochediabetes.com/gb/privacy-notice. Accessed January 12, 2023.
- 29. Abbott Diabetes Care Inc. Patient terms of use. Date unknown. https://files.libreview.io/files/documents/en-GB/pat-TOU_2022-05-05.html. Accessed January 12, 2023.
- 30. Abbott Diabetes Care Inc. Professional terms of use. Date unknown. https://files.libreview.io/files/documents/en-GB/pro-TOU_2022-05-05.html. Accessed January 12, 2023.
- 31. Abbott Diabetes Care Inc. Professional privacy policy. Date unknown. https://files.libreview.io/files/documents/en-GB/pro-PP_2022-05-05.html. Accessed January 12, 2023.
- 32. Abbott Diabetes Care Inc. Patient privacy policy. Date unknown. https://files.libreview.io/files/documents/en-GB/pat-PP_2022-08-02.html. Accessed January 12, 2023.
- 33. Dexcom I. Terms of use. Date unknown. https://www.dexcom.com/en-GB/linked/documentservice/TermsOfUse. Accessed January 12, 2023.
- 34. Dexcom I. Privacy policy. Date unknown. https://www.dexcom.com/en-GB/linked/documentservice/PrivacyPolicy. Accessed January 12, 2023.
- 35. Ascensia Diabetes Care Holdings AG. End user license agreement. Date unknown. https://contourcloudeu.ascensia.com/Privacy/Pages/EN_OR2/EULA.pdf. Accessed January 12, 2023.
- 36. Ascensia Diabetes Care Holdings AG. Privacy policy. Date unknown. https://contourcloudeu.ascensia.com/Privacy/Pages/EN/PrivacyPolicy.pdf. Accessed January 12, 2023.
- 37. Brooke SM, An HS, Kang SK, Noble JM, Berg KE, Lee JM. Concurrent validity of wearable activity trackers under free-living conditions. J Strength Cond Res. 2017;31(4):1097-1106.
- 38. World Health Organization. General Principles of Good Chronic Care: Integrated Management of Adolescent and Adult Illness. Geneva: World Health Organization; 2003.
- 39. Gask L, Usherwood T. The consultation. BMJ. 2002;324(7353):1567-1569.
- 40. Ancker JS, Witteman HO, Hafeez B, Provencher T, Van de Graaf M, Wei E. The invisible work of personal health information management among people with multiple chronic conditions: qualitative interview study among patients and providers. J Med Int Res. 2015;17(6):e137.
- 41. Lynch EA, Jones TM, Simpson DB, et al. Activity monitors for increasing physical activity in adult stroke survivors. Cochrane Database Syst Rev. 2018;7:CD012543.
- 42. Wong JC, Neinstein AB, Spindler M, Adi S. A minority of patients with type 1 diabetes routinely downloads and retrospectively reviews device data. Diabetes Technol Ther. 2015;17(8):555-562.
- 43. Beck RW. Downloading diabetes device data: empowering patients to download at home to achieve better outcomes. Diabetes Technol Ther. 2015;17(8):536-537.
- 44. US Food & Drug Administration. Cybersecurity. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity. Published 2023. Accessed October 25, 2023.
- 45. O’Loughlin K, Neary M, Adkins EC, Schueller SM. Reviewing the data security and privacy policies of mobile apps for depression. Internet Interv. 2019;15:110-115.
- 46. Böhme R, Köpsell S. Trained to accept? A field experiment on consent dialogs. Paper presented at the Proceedings of the SIGCHI Conference on Human Factors in Computing Systems; April 2010; Atlanta, GA.
- 47. Obar JA, Oeldorf-Hirsch A. The biggest lie on the internet: ignoring the privacy policies and terms of service policies of social networking services. Inf Commun Soc. 2020;23(1):128-147.
- 48. Jensen MT, Treskes RW, Caiani EG, et al. ESC working group on e-cardiology position paper: use of commercially available wearable technology for heart rate and activity tracking in primary and secondary cardiovascular prevention—in collaboration with the European Heart Rhythm Association, European Association of Preventive Cardiology, Association of Cardiovascular Nursing and Allied Professionals, Patient Forum, and the Digital Health Committee. Eur Heart J Digit Health. 2021;2(1):49-59.
- 49. Larbi D, Randine P, Årsand E, et al. Criteria for assessing and recommending digital diabetes tools: a Delphi study. Stud Health Technol Inform. 2021;281:850-854.