Shots - Health Blog
8:08 am
Fri December 2, 2011

Apps Can Help You Take A Pill, But Privacy's A Big Question

The American Medical Association just rolled out a shiny new iPhone app, My Medications, that you can use to keep track of your meds.

Mobile medical apps are a hot market, but unlike "Angry Birds," they're not just harmless fun. Some come with real privacy risks.

Sure, many medical apps are pretty benign. People use them to track how they're doing with their diets or to help them stop smoking. But apps are also being used to monitor their blood sugar, chart blood pressure and screen for depression. You might be a little more concerned about strangers finding out that information.

So with the phone increasingly becoming a portable medical record, the time seems ripe to consider how private that information should be.

One big issue: Medical apps aren't covered by a federal privacy law, known as HIPAA, that controls how doctors and health care providers store and share patients' health information. "They are offering to store and share some pretty sensitive information," says Deven McGraw, director of the health privacy project at the Center for Democracy and Technology.

Because apps aren't covered by HIPAA, a company that makes them can pretty much do with a customer's medical information what it pleases. As McGraw tells Shots, "If their privacy policy says, 'From time to time we will share your information with advertisers,' they can do that."

Smartphones can also be lost or stolen. And people tend to pass them around to share photos and games. But you might not want to pass around your medical records at the same time.

Some developers of medication management apps, including the AMA's, allow password protection. That's better than nothing, but not fail-safe. On the Apple App Store, the AMA app includes this disclaimer:

"When you purchase this application, you will be responsible for protecting the privacy and security of the information that you enter, and for deciding who to disclose, and give access to, the information. The AMA assumes no responsibility, and shall have no liability, for protecting the privacy or security of the information entered in the application or shared with others either intentionally or unintentionally."

Many of the medication apps encourage users to share their medication records via email. "With My Meds, you can share up-to-date medical information with your primary care physician, specialists, pharmacist, or family members and friends quickly and easily," the app's description chirps.

But email is notoriously insecure, as anyone who has mistakenly e-mailed a personal note to the entire office can attest. Doctors must comply with HIPAA, and the AMA issued e-mail guidelines in 2002 that cover privacy and etiquette. But doctors aren't always so good at following the rules. A survey of doctors' e-mail practices earlier this year found that most didn't follow the AMA guidelines.

So who's making sure that medical apps comply with existing privacy rules and guidelines? This sounds like a job for the Food and Drug Administration. But in July, when the FDA posted the draft of its plans to regulate medical apps, the agency said it would limit its oversight to those apps that "could present a risk to patients if the apps don't work as intended." In other words, an app that's a medical device, not a consumer convenience, gets the FDA's scrutiny.

So don't expect the feds to have your back if the sensitive medical information you uploaded is suddenly for sale on eBay.

Health apps can be terrific, McGraw says. "But it just depends on the company. It's really a customer-beware atmosphere."

Copyright 2013 NPR. To see more, visit http://www.npr.org/.