Abstract
Background:
Headache diaries are a mainstay of migraine management. While many commercial smartphone applications (apps) have been developed for people with migraine, little is known about how well these apps protect patient information and whether they are secure to use.
Objective:
We sought to assess whether there are privacy issues surrounding apps so that physicians and patients could better understand what medical information patients are providing to the app companies, and the potential privacy implications of how the app companies (and other third parties) might use that information.
Methods:
We conducted a systematic search of the most popular “headache” and “migraine” apps and developed a database of the types of data the apps requested for input by the user and whether the apps had clear privacy policies. We also examined the content of the privacy policies.
Results:
Twenty-nine apps were examined (14 diary apps, 15 relaxation apps). Of the diary applications, 79% (11/14) had visible privacy policies. Of the diary apps with privacy policies, all (11/11) stated whether or not the app collects and stores information remotely. 55% (6/11) stated that some user data was used to serve targeted advertisements. 11/15 (73%) of the relaxation apps had privacy policies.
Conclusions:
Headache apps shared information with third parties, posing privacy risks partly because there are few legal protections against the sale or disclosure of data from medical apps to third parties.
Keywords: mHealth, Privacy/risk, Electronic Diaries, Relaxation, HIPAA
Introduction:
Headache diaries are a mainstay of migraine management. 1–3 With the advent of technology, electronic headache diaries have been used in research studies, and such studies have shown that the apps may assist with patient management plans via daily tracking of headache days, headache intensity, and medication usage. Furthermore, research has shown that electronic headache diaries are a reliable method of data collection and their use is preferred by patients, particularly because they are more discreet than paper diaries. 4
Over the past several years, commercial companies have developed headache apps, and statistics show that these apps will likely be used by many headache patients. In 2018, it is estimated that nearly half of 3.4 billion smartphone users will use health-related apps. 5 In the United States, 58% of adults report using one or more health tracking apps. 6 With the rapid growth of these monitoring and self-management tools, there is great potential for collecting and sharing personal and health-related information. However, along with this potential comes risk, especially regarding the privacy of patients’ health information.
Different countries have developed regulations to protect patient privacy. Table 1 is an example of various US laws and regulations regarding privacy. Interestingly, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules only apply to “covered entities” (such as doctors, hospitals, and insurance providers) and their “business associates.” Third-party app companies do not generally fall under HIPAA’s rubric unless there is a direct relationship between the app company and the covered entity, for example, if a hospital contracts with the app provider for patient management services. 7 However, there are guidelines which state that apps should offer “clear and readable advice and avoid ‘legalese,’” and generally suggest that apps should limit data collection to what is needed and have clear and easy-to-find privacy policies. 8 However, these guidelines are not necessarily binding on the app developers unless the jurisdiction’s law specifically requires compliance. Of note, industry groups have also proposed voluntary privacy guidelines for wellness-related personal devices. 9
Table 1:
Name | Definition |
---|---|
Health Insurance Portability and Accountability Act (HIPAA) | Enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health & Human Services (HHS), HIPAA protects the privacy and security of certain health information and requires certain entities to provide notification of health information breaches. HIPAA covered entities include: health care providers who conduct certain electronic transactions, health plans, and health care clearinghouses. |
Federal Food, Drug, and Cosmetic Act (FD&C Act) | Enforced by the FDA, the FD&C Act regulates the safety and effectiveness of medical devices, including some mobile medical apps. Mobile medical apps are defined as follows: 1. An accessory to a regulated medical device; 2. An app which transforms a mobile platform into a regulated medical device e.g. a mobile platform to measure blood glucose levels; 3. An app that conducts analyses or interprets data from another medical device e.g. an app that takes the user’s information and develops a dosage plan for radiation therapy. |
Federal Trade Commission Act (FTC Act) | Enforced by the FTC, the FTC Act prohibits deceptive or unfair acts/practices related to commerce, including those relating to privacy and data security, and those involving claims about apps’ safety or performance that are untrue or misleading. |
FTC’s Health Breach Notification Rule | The FTC’s Health Breach Notification Rule requires certain businesses to provide notifications following breaches of personal health record information. |
Despite these privacy recommendations, many app developers do not follow such guidelines. A study of diabetes-related apps revealed that the vast majority (81%) lack a privacy policy 10 and less than 50% of apps for dementia offered a privacy policy. 11 In fact, in 2015, the United Kingdom’s National Health Service (NHS) closed its app library because of evidence that many included apps did not protect patient data. 12 Following this, the NHS took the lessons learned and developed a beta version of its app library that launched in March 2017 to test app approval standards. 13 Currently, apps in the NHS beta library may include badges of “NHS Approved” and “Being Tested in the NHS.” 14 Along with evidence of improvement for clinical outcomes, one of the criteria for approval is “information safety (Information Governance, Privacy and Security).” 13 As of April 2018—over one year after launch—only one of the 43 available apps was listed as “NHS Approved” with two others in testing. 14 This shows the challenge of the app evaluation space even when tackled by large organizations like the NHS.
Additionally, patients themselves are concerned about privacy. In the Health Information National Trends Survey (HINTS 4), a cross-sectional, nationally representative US survey of adults, 65% expressed concern about a breach in the privacy of their personal health information (PHI) transferred electronically between health professionals. 15 Between 12–15% of US adults report withholding some of their patient health information because of concern about a security breach. 15–17 Trust is the foundation of healthcare and with breaches, there is a lack of trust. A lack of trust could cause people to not use new digital tools, which could be missed opportunities in healthcare. There are also financial risks as insurance premiums could go up, psychological risks if people are ‘outed’ for having a condition, and risk of discrimination or stigma. 18 Therefore, we sought to assess privacy issues surrounding “headache” and “migraine” apps so that physicians and patients could better understand what information patients provide to the app companies (and other third party network or cloud providers) and the potential implications of providing this information to non-healthcare providers. For the purposes of this paper, “third party” is defined as anyone outside of the treatment and therapeutic relationship.
Methods:
App Selection
We conducted a search of “headache” and “migraine” apps using the following procedure: As there is no definitive source of healthcare apps, we selected a commonly used website called Healthline.com to find apps for this paper. Given this website claims over 40 million visitors per month, apps they list are clearly seen by many potential users. On July 5, 2017, one author (RS) located apps from the healthline.com article, “The Best Migraine Apps of the Year,” 19 outlining popular smartphone apps. On the same day, RS searched the top ten apps responding to the search term “headache” from Google Play and the Apple Play Store. Following this, another author (EJS) performed an additional search throughout July and August 2017 in the Google Play Store for “migraine” apps. If an app appeared in more than one of these searches, the app was only counted once. The apps were categorized into one of two types based on their functionality: “relaxation”-type apps or “diary”-type apps.
RS installed iTunes apps on a device to view the operation of Apple ecosystem apps and EJS installed Android apps on a device to view the operation of Google ecosystem apps.
Data Collection
Between July-October 2017, RS and EJS abstracted data from the apps themselves and from their websites and created a database. Data extracted included details on what personal information the app collected e.g. name, address, geolocation, voice as well as detailed information regarding how the information is stored and shared per the app’s privacy policy. In particular, we analyzed the app function, data storage, and statements in the app’s privacy policy, app store entry, or other documentation to determine whether an app collected various types of personal information from the user such as (a) whether the app requests user input regarding the user’s identity, (b) headache condition (e.g. medications, triggers, dates and times of headaches), or (c) data that might be collected based on a user’s actions rather than their data entries. We did not conduct any technical analysis of the apps’ actual operations nor did we attempt to verify the truth of any statements by the app providers. We purchased the “pay” version of one app 20 in order to ascertain how the app stored data remotely in the cloud.
The privacy policies were collected from app companies’ websites, links from within an app store, and/or from within the apps themselves, and EJS analyzed the privacy data. For our purposes, an app had a privacy policy even if the policy was a single sentence that the app did not collect or share information. Also, a priori, a decision was made to do a focused evaluation of the headache diary app policies, as those apps require users to input more of their personal data.
The study is exempt from IRB approval.
Results:
Abstracted data can be found in Tables e1 and e2. Our search resulted in twenty-nine smartphone apps. Of the twenty-nine apps assessed, 11 were available for both iPhone and Android, 5 were available solely for iPhone, and 13 were available solely for Android. Fourteen apps were diary apps and 15 were relaxation apps. Generally, diary apps asked users to enter their headache data and some stated that they could identify specific headache triggers. 21,22 Relaxation apps stated that they provided a visual display 23 or audio files, e.g. guided breathing exercises 24 or calming music. 25
Table e1:
App Name, Android (A), iPhone (I) or Android and iPhone (A+I), version date, App Company, # of users in Android, Country of Origin | Privacy Policy (Y/N) [Right of Access (A), Correction (C), Deletion (D)] | Registration/Log In available (Y/N/Required) | Local (L) vs. Remote (R) Data Storage for diary data? | Policy states if any data is stored remotely (Y/N)? Policy states if diary data stored remotely (D/unclear)? | Policy says whether headache/medication/pain data storage is local (L)/remote (R)? | Policy details type of info collected? (Y/N-generic) | Policy details whether info shared? (Y/N) With whom it is shared and what is shared. | Policy details purpose of sharing? What is the purpose? | Explicit promise not to share identifiable diary entries w/o individual permission | Any data used for ads/marketing/promotions? | Under age 13 allowed? Y/N |
---|---|---|---|---|---|---|---|---|---|---|---|
Curelator 22 I, 7/15/17 Curelator, Inc N/A USA / Spain | Y [A,C,D] Not explicit, but “Subscribers to Curelator retain ownership of their personal, medical and behavioral information.” | Required | R | Y [D] “All identifiable subscriber information is maintained in a secure database….” | Y | No-generic | Y-PHI to physician w/permission only; shares anonymized aggregated info with researchers, sponsors, other business partners. | Y- PHI at subscriber’s request; anonymized aggregated data for research. | Y | N | Not stated |
iHeadache 27 I, 1/6/17, BetterQOL, LLC N/A USA | Y [?,?,?] No statements about A/C/D. | Required | R | Y [D] | Y | Y | Y- PHI to med provider w/permission only; shares anonymized info with 3rd party researchers. | Y- PHI at user’s request; anonymized data for research. | ? Policy details how data will be used but does not say how it will not be used. | Y “Cookies are generally used to track users who have clicked on an advertisement.” | Not allowed |
Headache Diary 53 A, 10/6/13, Benjamin Gerfelder 10k-50k ?Germany? | N [-] | N | L | - | - | - | - | - | - | - | - |
Headache Diary Lite/Pro 20 A, 6/27/13, Froggyware 100k-500k (lite) 10k-50k (pro) Germany | Y [not collected] | N | L - with Dropbox option | Y [D] “We do not collect personal information from users of our app.” | Y | Y | Y – “We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information.” | N/A because no sharing, although unclear how interactions with FB, Google, and Twitter work. | Y | ? Difficult-to-understand explanation of data interactions with FB, Google, and Twitter. | Not stated |
Headache Log 31 A, 6/16/17, AR Productions Inc. 10k-50k Canada | Y [not collected] | N | L - with Dropbox option | Y [D] “We do not collect personal information from users of our app.” | Y | Y | Y – “We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information” but does “allow third-party behavioral tracking” | N/A because no sharing, although unclear how behavioral tracking works. | Y | N | Unclear – “we do not specifically market to children under the age of 13” |
Headache Wizard 54 A, 5/19/17, Mountain Owl Software 100–500 (free) 10–50 (pay) USA | N [-] | N | ? | - | - | - | - | - | - | - | |
iMigraine 30 A + I, 3/9/17, Softarch Technologies, AS 1k-5k Norway | Y [?,?, D] A/C not mentioned, but may email customer support to request deletion. | Required | R | Y [unclear] Some data is collected and stored remotely, but policy uses generic terms such as “information you enter into our system.” | N | No-generic “name, email address, age”; “transaction-related information”; “information you enter into our system … such as contact information and project management information”; “Automatically Collected Information”; etc. | Y - Low detail “with our trusted service providers who work on our behalf, do not have an independent use of the information we disclose to them”, etc. | N | ? – Policy states how data will be shared but does not explain how diary entries will be used. | Y “We may use the information you provided us to contact your [sic] from time to time to provide you with … marketing promotions.” | Not allowed |
Manage My Pain Lite/Pro 26 A, 6/14/17, Managing Life 50K-100K (lite) 5K-10K (pro) Canada | Y [A,C,?] Explicit promises to provide access and correction. “We retain information according to retention schedules….” | Y | R | Y [D] | Y | Y | Y – PHI to med provider w/permission only; very detailed explanation that personal info is not shared for marketing purposes, and that aggregated non-personal diary info may be shared with healthcare providers, insurance cos, pharma cos, pain researchers, affiliated companies, vendors, business partners. | Y – improvements to products and services, how software is used | Y | N | Not stated |
Migraine Buddy 29 A+I, 3/7/17, Healint 100K-500K Singapore | Y [A,C,D] When account is deactivated, “data that can identify you will be removed….Backup copies of this data will be removed from our server based upon an automated schedule….” | Required | R | Y [D] | Y | Y | Y – “anonymous aggregated reports, analysis, charts, tables, infographics” to external researchers or other third parties, subject to user de-selecting an “opt-in for research” button. | Y – improve./develop Crowdsourced Search Engines, algorithms to improve user experience; compare different migraine populations; academic research. | Y | Y | Allowed with parent’s permission and supervision |
Migraine Coach 21 I, 4/7/17, Welltodo LLC N/A USA | Y [?,?,?] May delete info on app company’s own servers, but “we will not be able to remove your [personal information] from the databases of our affiliates or unaffiliated third parties with which we have already shared such information….” | Y | R | Y [D] Does not refer to diary data explicitly but provides broad rights for app to collect Protected Health Information and Additional Health Information. | Y | Y | Y – 3rd party advertisers that “may use information about your use of the Applications,”; 3rd party service providers, healthcare professionals, insurers, affiliates, researchers, etc.; some info may not be disclosed if subject to HIPAA or user opt-out. | Y – provide healthcare services; marketing purposes; scientific research; some info may be disclosed “for any purpose.”; very long, detailed list of how data can be disclosed and to whom. | N - unless (a) user opts out or (b) HIPAA applies, in which case user can opt-in. | Y | Not allowed |
Migraine Diary 34 A, 3/2/17, SR Media 1K-5K Netherlands | N [-] | N | ? | - | - | - | - | - | - | - | |
Migraine eDiary 28 I, 9/25/16, Pfizer Inc N/A USA | Y [?,?,?] No remote collection of diary data or other personal data (other than email address for password reset only). | Required – however diary data only stored locally on user device. | L - with Dropbox option | Y [D] Privacy policy and pop-up window both state that diary data is on local device only, although app may collect anonymous Analytics Data. | Y | Y | Y – 3rd parties may receive non-personally identifiable and/or aggregated Analytics Data “such as information relating to your operating system and device, App features used, content viewed and downloaded, and the dates and times of your interactions with the App.” | Y – “We may disclose non-personally identifiable and/or aggregated data, including Analytics Data, to third parties for any purpose.” | Y | ? – Privacy policy in app does not discuss advertising; privacy policy on website permits online behavioral advertising. | Not allowed |
Migraine, Headache Diary HeadApp Lite/Pro 33 A + I, 6/1/17, M3 Technology Srl 10k-50k (lite) 100–500 (pro) Italy | Y [A,C,D] | Y | L without user login, R if user logs in | Y [unclear] Policy states that data is collected, but only in generic terms. | N | No-generic | Unclear - generic statements about sharing and use, difficult to understand - FB, Google, etc. listed but might be for collection and not sharing for other purposes | N – generic statements, e.g. “The Data concerning the User is collected to allow the Owner to provide its services….”; personal data shared for access to FB, advertising, analytics, etc. | N | Y “AdMob and Mobfox: Personal Data: Cookies and Usage Data” | Not allowed |
Migraine Monitor 32 A + I, 7/17/17, Health Monitor 500–1K USA | Y [?,?,?] | Required | R | Y [D] Users “consent to the compilation, processing, analyzing” of data input by users, and “The main objective of data collection is to assist and further migraine research….” | Y | Y | Y – third parties may receive “aggregated statistical reports.” | Y – “to assist and further migraine research as well as improve and quantify our services” | Y | Y “We may use your Personal Information … To send to you marketing communications….” | Not allowed |
Table e2:
App Name, # of users, Country of Origin, Android (A), iPhone (I) or Android and iPhone (A+I) | Privacy Policy (Y/N)* [Right of Access (A), Correction (C), Deletion (D)] |
---|---|
Acupressure against migraine 37 A, 10/29/14, Dr. Jakob Bargak 5K–10K Germany | Y – single sentence. |
Acupressure: Heal Yourself (In Google Play: Acupressure: Headache Relief) 10K–50K Russia A + I | N |
Blue Light Filter 23 A, 7/18/17, Leap Fitness Group / North Park App 5M–10M China | Y – Google Play link that does not clearly apply to this app because the policy has a different company name (North Park App) than the company name in Google Play (Leap Fitness Group or abishkking). |
BrainWave Tuner 35 A + I, 10/30/16, PPL Development Company LLC 1M–5M USA | Y |
5-Minute Headache Relief LITE 24 A, 8/2/2011, Audiojoy 10K–50K USA | Y |
Headache Migraine Therapy 55 A, 12/1/15, clover 8488 1K-5K Indonesia | N |
Migraine Headache Protocols 56 A, 4/17/17, Dr. Isaac’s Holistic Wellness 1K–5K India | N |
Migraine Relief Hypnosis 41 A+I, 5/12/17, Surf City Apps 10k–50k (free) 50–100 (pro) USA | Y |
Music to Beat Migraines 25 A, 3/6/16, Times Music 10K–50K India | Y – Google Play link that does not clearly apply to this app because the linked policy only refers to a website, not an app. |
Nature Soundscapes - Relax & Sleep to White Noise 40 I, 1/7/16, Nick Culbertson N/A USA | Y |
Pain Killer 2.0 / Pain Relief 2.0 38 A + I, 1/10/17, Brian Zeleniak 500–1000 USA | Y – single sentence. |
Relax Lite: Stress and Anxiety Relief 39 100K-500K (lite) 5K – 10K (pay) USA A + I | Y |
Relax Melodies 42 A + I, 6/5/17, iLBsoft / Ipnos 100K–500K Canada | Y |
The Headache Stopper 57 A, 1/10/14, The Headache Stopper 5K-10K USA | N |
Vital Tones Migraine 36 A + I, 11/29/16, Vital Tones Ltd 500–1000 Indonesia | Y |
Some of the websites for the relaxation apps linked to privacy policies that lacked enough detail to understand the full scope of whether and how the app collected data about the user. For example, some of the relaxation apps’ policies referred to a “website” rather than an app 25, contained only a single sentence about privacy 37,38, or had a Google Play Store link for a privacy policy that was on a different website from the app manufacturer and did not clearly refer to the app. 23 Thus, slightly less than half (47%) of the policies for relaxation apps both clearly applied to the app in question and had at least some substantive content.
As seen in Table 2, 79% (11/14) 20–22,26–33 of the diary apps had visible privacy policies and 21% (3/14) did not. None of the diary apps’ privacy policies stated that they did not share data with third parties, although some disclaimed sharing of personally identifiable information. Thirty-six percent (4/11) 21,22,26,27 of the applications permitted sharing of headache diary information directly with medical providers, with 75% (3/4) 22,26,27 of these stating that specific user authorization was necessary before a medical provider could view the headache data and 25% (1/4) only making general statements about HIPAA compliance in regards to the data. 21 Sixty-four percent (7/11) 21,22,26–29,32 of the policies (including those for apps without remote headache diary functionality) stated why they shared data with third parties, 18% (2/11) 30,33,34 did not clearly explain the purpose of data sharing, and 18% (2/11) 20,31 had policies with identical statements that “We do not collect personal information from users of our app,” “Anynymous usages data is collected...” (sic), and “We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information.” Fifty-five percent (6/11) of diary applications with privacy policies stated that data could be shared for medical research purposes. 21,22,26,27,29,32 Fifty-five percent (6/11) of those policies explicitly stated that data could be shared for purposes of marketing, promotions, and/or advertising. 21,27,29,30,32,33
Table 2:
Functionality for an online account | 9/14 21,22,26–30,32,33 (6 required creation of a remote account 22,27–30,32) |
---|---|
Data storage: stored locally on the user’s device | 1/14 53 |
Data storage: stored on remote servers | 7/14 21,22,26,27,29,30,32 |
Data storage: stored locally but provided optional Dropbox remote backups | 3/14 20,28,31 |
Data storage: stored locally but provided a paid option to store the diary data on the app provider’s servers | 1/14 33 |
Data storage: unclear whether stored locally or remotely | 2/14 34,54 |
Had a Privacy Policy | 79% 11/14 20–22,26–33 |
Of those with a Privacy Policy*: contained some description regarding the type of information collected from users | 100% 11/11 |
Stated whether or not the app collects and stores any information (not only including diary data) remotely | 100% 11/11 |
Stated whether or not the app could store diary entries on a remote server (or only locally) | 82% (9/11) 20–22,26–29,31,32 |
Contained only vague statements about data collection | 18% (2/11) 30,33 |
Stated that data could be shared for medical research (including in anonymized format) | 55% (6/11) 21,22,26,27,29,32 |
Permitted sharing of headache diary information directly with medical providers | 36% (4/11) 21,22,26,27 [75% (3/4) 22,26,27 stated that specific user authorization was necessary before a medical provider could view the headache data] |
Stated that data could be shared for marketing, promotions, and/or advertising | 55% (6/11) 21,27,29,30,32,33 |
If there was an option to store data remotely (not including Dropbox-only functionality), stated they only shared anonymized data with 3rd parties in an aggregated manner unless users specifically requested disclosure, e.g. to health providers | 75% (6/8) 22,26–29,32 |
Policies (including those for apps without remote headache diary functionality) stated why they shared data with third parties | 64% (7/11) 21,22,26–29,32 |
Discussed the use of children: specifically prohibited children under the age of 13 | 55% (6/11) 21,27,28,30,32,33 |
Discussed the use of children: allowed children to use the application with a parent’s supervision | 9% (1/11) 29 |
Discussed the use of children: stated “we do not specifically market to children under the age of 13,” but did not explicitly prohibit children from using the application | 9% (1/11) 29 |
Explicitly granted a right of access to a user’s data | 36% (4/11) 22,26,29,33 |
Explicitly granted a right to correct user’s data | 36% (4/11) 22,26,29,33 |
Explicitly granted a right to delete user’s data | 36% (4/11) 22,29,30,33 |
Claims no personal data collected | 18% (2/11) 20,31 |
The language used to describe the data collection policies of the apps varied greatly.
For example, the privacy policy of one app 30 contained a broad statement about collecting data including “information you enter into our system” and that the data collection is “not limited to” the examples in the policy itself. In contrast, another app’s 29 privacy policy detailed the specific categories of information collected by the app (and how the app used the data in these different categories), including data input to create an account, profile data, migraine data entered by the user, IP address and battery level, location features, and social networking activities. Other policies contained difficult-to-understand or incomprehensible statements (e.g. “We point out that we as providers of the sites no knowledge of the contents of the transmitted data and use them through Twitter.”) 20.
The privacy policies of 55% (6/11) 21,27,28,30,32,33 of diary applications specifically prohibited children under the age of 13 from using the application.
In contrast to the diary apps, the relaxation apps requested little or no direct input from users. All but one 35 of the relaxation apps did not require user input of data for functionality (although many free relaxation apps were “teasers” that required a purchase for additional functionality); the one 35 exception requested user input of personal information in order to create an account to pay for full app functionality. Additionally, one 36 of the apps requested, but did not require, user input of personal information (e.g. name, email, age). For the relaxation apps, 73% (11/15) had a privacy policy. 23–25,35–42 Forty-seven percent (7/15) had actual privacy policies, 24,35,36,39–42 13% (2/15) had a single sentence (e.g. “products do not collect or store any personal or private information”), 37,38 and 13% (2/15) had links to privacy policies via the app’s Google Play page that did not clearly apply to the app in question. 23,25
Discussion:
The apps generally fell into one of two categories - “relaxation” apps and “diary” apps. The relaxation apps generally required little or no input from the user and, according to available privacy policies, collected less data from the user. In contrast, the diary apps all collected medical information from the user with 57% (8/14) offering the capability to store patient diary data on the app providers’ servers, 14% (2/14) not providing clear statements as to whether patient data would be stored locally or remotely, and others storing data locally on the user’s device and/or in Dropbox’s “cloud.”
Diary applications generally allowed users to input patient health information, including the dates and time for pain, body location of pain, intensity of pain, suspected triggers for headaches, and medication taken. If this type of data were revealed directly to a doctor in the United States, it would clearly be regulated as PHI under HIPAA.
Of concern, there were several areas where information may not be transparent to migraine users or to the physicians recommending use of the apps. These include: 1. Whether apps have privacy policies and whether the apps’ policies provide “plain English” explanations about how users’ data is stored and how it is used. 2. Whether a user understands that data may be stored outside the United States, and therefore subject to different privacy rules. 3. Whether any user data (including the very fact that a user downloaded a headache app) could be used for advertising or marketing purposes.
Privacy Policy or Lack thereof
Compared to a prior study examining diabetes apps which found that 81% of the diabetes apps did not have privacy policies, we found that the majority (79% (11/14)) of diary apps had privacy policies and 73% of relaxation apps had privacy policies, even if that policy was limited to a single sentence. A prior study showed that not all apps clearly disclosed their privacy policies to users. 10 While we were able to locate many of the policies, some apps had more than one visible policy, e.g. one policy visible within the app and another policy on the developer’s website, making it confusing to understand which was the most applicable to the app in question. 28,29
The results for the diary app privacy policies were somewhat more promising, compared to the relaxation app privacy policies. All of the diary apps’ privacy policies clearly applied to the apps in question (although there could also be mention of “websites” 31), even though some of the policies were less than forthcoming about how user data might be used. All of the diary apps’ policies (11/11) appeared to provide some notice and explanation of the information collection from the user, though the level of detail varied. Some policies provided easy-to-understand, plain English explanations about what data was collected, how it would be used, how it would be shared, and users’ rights. 26 Other policies contained “legalese” that many patients and doctors would not be able to understand easily.
Ninety-one percent of diary apps with privacy policies provided some disclosure about data sharing policies with third parties. However, the quality of this disclosure varied greatly between apps. One policy provided a detailed list of the types of partners who could receive sharing data, e.g. healthcare providers, insurance companies, pharmaceutical companies, pain researchers, vendors, companies providing promotional and marketing offers, and other affiliates. 26 Others referred vaguely to “trusted service providers [who] do not have an independent use of the information” or “third parties.” 30 One allowed for broad sharing so long as the app provider was not subject to HIPAA. 21 In this age of machine learning, big data from data sharing can be a powerful source of data, if collected properly, analyzed, and preserved for the greater benefit of the patient. For example, research has been done using machine learning to try to enhance medication treatment efficacy by matching patients to interventions. 43 In the case of headache medicine, currently, there are two main sources of big data for sharing and collecting information about headache. There are both the American Academy of Neurology Axon Registry 44 and the American Registry of Migraine Research. 45 Thus, it is hoped that in the future, by sharing and using big data, headache patients can also be matched to treatment and can be monitored to improve adherence.
Another potential concern is whether the users have a right to access, correct, and/or delete the data they have entered into the app. These rights, intended to protect users’ control of their own data, varies by country. For example, in the United States, HIPAA provides patients with rights of access and correction for their PHI shared with covered entities and their business associates. These rights do not necessarily apply to patient data shared with third-party app companies, but HIPAA provides a baseline for what patients might expect with regards to their data. Under the Children’s Online Privacy Protection Act (COPPA), parents have the right to request deletion of data regarding any child under the age of 13. Additionally, as of May 2018, Europeans have rights of access, correction, and deletion to their data under Europe’s General Data Protection Regulation (GDPR). Only 45% (5/11) of diary apps with privacy policies provided at least some rights of access, correction, and/or deletion.
Finally, even if an app displays a privacy policy with strict limits on the use of patients’ personal data, there is no guarantee that the developer actually follows their own privacy policy. trust 46 Many health apps are susceptible to code tampering and reverse-engineering, common hacking techniques.” 47 There may not be much self-policing- in one study of app developers, it was found that several app developers “believed that complying with the app stores’ policies would provide sufficient legal protection, or that the app store would be monitoring them for compliance.” 8
The location of the app company and potential discrepancies in transparency of the reported location of the company
Another issue is the location of the app provider and whether the privacy policy is written based on the law of a country different from that of the user of the app. The apps evaluated for this article originated from at least the United States, Canada, Russia, Singapore, Netherlands, Norway, Italy, India, Germany, Spain, and China. The location of the developer and their data servers is important because the user’s ability to enforce privacy rights may depend on laws and regulations different from those of the user’s home country.
Marketing and Advertising
Many of the migraine apps’ privacy policies explicitly permit the use of user information for marketing and advertising other products to the users. For some apps, the policies make clear that personally identifiable diary entries will never be used for advertising or marketing purposes. However, policies for other apps do not contain this restriction on the use of diary data. Even if diary data is not shared with advertisers, other user data may be used to make advertising decisions. For example, one app’s privacy policy states that “we may use GPS technology … to determine your current location” in order to serve the user with “relevant advertisements.” 30
Special consideration for pediatrics
Previous studies have demonstrated the feasibility of children ages 8–16 using electronic apps to track their headaches. 48 However, while children may want to use these apps, and pediatric providers may want to recommend them, privacy implications may prevent them from doing so. Some of the apps’ terms and conditions require parent approval for children under the age of 13, or prohibit use of the app by children under the age of 13. Furthermore, in the United States, children under 13 have more extensive privacy rights under the Children’s Online Privacy Protection Act (COPPA) than almost any other class of person. For example, as stated above, unlike many other privacy laws and regulations in the United States, COPPA requires service providers to delete children’s data upon request. The special requirements regarding processing of children’s data may explain why 64% (7/11) of diary applications had privacy policies limiting or prohibiting the use of the app by children.
Future Directions and Study Limitations
This study is limited to Android and iPhone apps and privacy policies available in the summer of 2017. As noted above, in conducting this research, we did not attempt to reverse engineer any app, and it was not always clear which apps stored user data locally on the device rather than on the app company’s own servers. We relied only on the public statements of the app providers (via the privacy policies and statements on their web sites and app stores) and a review of data explicitly collected within the app itself. While we tried to assess the company that created the app, we did not identify the “funders” of the app. Given concerns about conflicts of interest and funding disclosures, we believe that in the future, information regarding the funding (e.g. private, philanthropic, healthcare organization) for the apps should be readily accessible. Further, while we assessed whether the apps were paid or free, we did not examine revenue models for the app (paid vs. advertisement based vs. dual model). Often revenue models are not offered to the public (or us as researchers). A review of 39 mHealth papers/studies concluded it is impossible today to draw strong conclusions on the economic value of the mHealth apps given the “heterogeneity in terms of settings, costing strategies, length of follow up periods” reporting metrics, etc. 49 In the future when more data on the business models of apps is available, it will be important to understand how that may influence decisions around app privacy and security.
This paper is focused on privacy issues, which are more about policy, and less about data security issues, which are more about tools that can ensure the privacy policies are followed. As such, we did not assess specific security measures, including the security measures the app developers take and how strongly data is encrypted. Future work might be conducted by security specialists to better understand data security architecture.
In the future, physicians might play a role in creating awareness about the risks and benefits regarding clinically validated applications. Traditionally, there are on-line star ratings by users, but a study of 137 patient-facing apps found that star-based ratings had low correlation with the apps’ clinical utility or usability. 50 Clinical ratings of individual features of mental health apps also show low interrater reliability 51 and the frequently updating nature of apps means any static score for them will be rapidly out of date. There may be utility in using smartphone app evaluation frameworks in future research whereby both doctors and patients have tools to weigh the risks, evidence, usability, and data sharing potential of an app. The American Psychiatric Association (APA) created one such framework which guides users to consider the aforementioned app characteristics. 52 Of note, this framework does not recommend any one app but rather seeks to guide informed decision making and shared conversations around apps. As there is nothing specific to psychiatry or mental health in this framework, it would also work well for consideration of headache and other apps.
Conclusion
This study showed that headache apps could potentially share information with third parties, posing privacy risks because there are few legal protections against the sale or disclosure of data from non-HIPAA (or non-COPPA) regulated medical apps to third parties.
Acknowledgments
Dr. Mia Minen is a recipient of the NIH AT009706–01 and the American Academy of Neurology-American Brain Foundation Practice Research Training Fellowship which provides salary support to allow her time to conduct research. In addition, Dr. Mia Minen is part of the Empire Clinical Research Investigator Program.
Abbreviations:
- apps: Applications
- HIPAA: Health Insurance Portability and Accountability Act
- PHI: Personal Health Information
- COPPA: Children’s Online Privacy Protection Act
Contributor Information
Mia T. Minen, Departments of Neurology and Population Health, NYU Langone Medical Center, New York, NY.
Eric J. Stieglitz, Technology and Privacy Attorney, New York, NY.
Rose Sciortino, Barnard College, Columbia University, New York, NY.
John Torous, Department of Psychiatry, Beth Israel Deaconess Medical Center and Harvard Medical School, Boston, MA.
References
- 1. Nappi G, Jensen R, Nappi RE, Sances G, Torelli P, Olesen J. Diaries and calendars for migraine. A review. Cephalalgia 2006;26(8):905–916. doi: CHA1155 [pii].
- 2. Baos V, Ester F, Castellanos A, et al. Use of a structured migraine diary improves patient and physician communication about migraine disability and treatment outcomes. Int J Clin Pract 2005;59(3):281–286. doi: IJCP469 [pii].
- 3. McKenzie JA, Cutrer FM. How well do headache patients remember? A comparison of self-report measures of headache frequency and severity in patients with migraine. Headache 2009;49(5):669–672. doi: 10.1111/j.1526-4610.2009.01411.x [doi].
- 4. Giffin NJ, Ruggiero L, Lipton RB, et al. Premonitory symptoms in migraine: An electronic diary study. Neurology. 2003;60(6):935–940. doi: 10.1212/01.wnl.0000052998.58526.a9.
- 5. Mobile medical applications. http://www.fda.gov/MedicalDevices/DigitalHealth/MobileMedicalApplications/default.htm. Updated 9/22/15. Accessed 12/23, 2015.
- 6. Krebs P, Duncan D. Health app use among US mobile phone owners: A national survey. JMIR Mhealth Uhealth 2015;3(4).
- 7. Mobile health apps interactive tool. Federal Trade Commission Web site. https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-apps-interactive-tool. Updated 2016.
- 8. Balebako R, Marsh A, Lin J, Hong J, Cranor L. The privacy and security behaviors of smartphone app developers. 2014;2.
- 9. Consumer electronics association guiding principles on the privacy and security of personal wellness data. Consumer Technology Association Web site. https://www.cta.tech/cta/media/policyImages/policyPDFs/Guiding-Principles-on-the-Privacy-and-Security-of-Personal-Wellness.pdf. Updated 2015.
- 10. Blenner DR, Kollmer M, Rouse AJ. Privacy policies of android diabetes apps and sharing of health information. Jama. 2016;314:1051–1052.
- 11. Rosenfeld L, Torous J, Vahia I. Data security and privacy in apps for dementia: An analysis of existing privacy policies. The American Journal of Geriatric Psychiatry. 2017;25(8):873–877.
- 12. Huckyale K, Prieto JT, Tilney M. Unaddressed privacy risks in accredited health and wellness apps: A cross-sectional systematic assessment. BMC Med 2015;13:214–226.
- 13. Stevens L. NHS app library to be launched this month. 2017(March 8).
- 14. NHS Beta Website Web site. https://apps.beta.nhs.uk/about-us/. Accessed April 19, 2018.
- 15. Agaku I, Adisa A, Ayo-Yusuf O, Connolly G. Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. J Am Med Inform Assoc. 2014;21:374–378.
- 16. California healthcare foundation national consumer health privacy survey 2005. National Consumer Health Privacy Survey 2005 Web site. Updated 2015.
- 17. California Healthcare Foundation National consumer Health Privacy Survey 1999. Updated 1999.
- 18. Torous J, Roberts LW. Assessment of risk associated with digital and smartphone health research: A new challenge for institutional review boards. J technol behav sci 2018:1–5.
- 19. The best migraine apps of the year. Published June 21, 2017. Updated 2017.
- 20. froggyware. Headache diary lite. 2013;3.40.
- 21. Welltodo LLC. Migraine coach - smart headache coach and diary. 2017;2.2.5.
- 22. Curelator I Track migraine headache . trigger and protector diary. 2017;1.5.4.
- 23. Leap Fitness Group, North Park App. Blue light filter. 2017.
- 24. Audiojoy. 5 minute headache relief LITE. 2011;1.0.0.
- 25. Times Music, Winjit. Music to beat migraines. 2016;1.0.0.5.
- 26. ManagingLife. Manage my pain pro. 2017;2.68.
- 27. BetterQOL.com. Iheadache. 2017;2.5.
- 28. Pfizer Inc. Migraine eDiary. 2016;2.1.
- 29. Healint. Migraine buddy. 2017;23.3.1.
- 30. Softarch Technologies AS. iMigraine - migraine tracker. 2017;2.0.
- 31. AR Productions. Headache log. 2017;1.3.
- 32. Health Monitor. Migraine monitor. 2017;1.3.9.
- 33. M3 Technology Srl. Migraine, headache diary app lite. 2017;1.6.2.
- 34. SR Media. Migraine diary. 2017;2.7.1.
- 35. PPL Development Company L. Brainwave tuner - binaural beats and white noise. 2016;4.7.1.
- 36. Vital Tones Ltd. Vital tones migraine. 2016;1.2.
- 37. Bargak Jakob. Acupressure against migraine. 2014;0.5.1.
- 38. Zeleniak Brian. Pain killer 2.0. 2017;1.8.
- 39. SaaGara. Relax: Stress & anxiety relief. 2016;4.9.
- 40. Culbertson Nick. Nature soundscapes: Stress and anxiety relief. 2016;1.1.
- 41. Surf City Apps LLC. Migraine relief hypnosis free. 2017;3.7.
- 42. Ipnos Software. Relax melodies. 2017;6.2.
- 43. Chekrout A, Zotti R, Shehzad Z, et al. Cross-trial prediction of treatment outcome in depression: A machine learning approach. The Lancet Psychiatry. 2016;3(3):243–250.
- 44. About the axon registry. American Academy of Neurology Web site. https://www.aan.com/policy-and-guidelines/quality/axon-registry2/axon-registry/2018.
- 45. The American registry for migraine research. The American Registry for Migraine Research Web site. https://www.armr.org/. Updated 20172018.
- 46. NIST Special Publication 800–53 (Revision 4) Security and Privacy Controls for Federal Information Systems and Organizations Web site. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf. April 19, 2018.
- 47. Siwicki B. 8 out of 10 mobile health apps open to HIPAA violations, hacking, data theft. HealthcareITNews Web site. http://www.healthcareitnews.com/news/8-out-10-mobile-health-apps-open-hipaa-violations-hacking-data-theft. Published 13 January 2016. Updated 2016.
- 48. Palermo T, Valenzuela D, Stork P. A randomized trial of electronic versus paper pain diaries in children: Impact on compliance, accuracy, and acceptability. Pain 2004;107(3):213–219.
- 49. Iribarren SJ, Cato K, Falzon L, Stone PW. What is the economic evidence for mHealth? A systematic review of economic evaluations of mHealth solutions. PLoS One 2017;12(2):e0170581. doi: 10.1371/journal.pone.0170581 [doi].
- 50. Singh K, Drouin K, Newmark L, et al. Many mobile health apps target high-need, high-cost populations, but gaps remain. Health Affairs 2016;35(12):2310–2318.
- 51. Powell AC, Torous J, Chan S, et al. Interrater reliability of health app rating measures: Analysis of top depression and smoking cessation apps. JMIR Mhealth Uhealth 2016;4(1).
- 52. Torous J, Chan S, Gipson S, et al. A hierarchical framework for evaluation and informed decision making regarding smartphone apps for clinical care. Psychiatric Services 2018.
- 53. Gerfelder Benjamin. Headache diary. 2013;1.25.
- 54. Mountain Owl Software. Headache wizard free. 2017;1.1.0.
- 55. clover8488. Headache migraine therapy. 2015;1.0.
- 56. Dr. Isaac’s Holistic Wellness. Migraine headache protocols. 2017;0.21.
- 57. The Headache Stopper. The headache stopper. 2014;1.0.