NEWS

Does That App Have Your Back?

Navigating health data and privacy concerns in the age of apps

By JANET BURT-GERRANS
Senior Investigator, Office of the Information and Privacy Commissioner for Nova Scotia

App developers have long since saturated the children’s game market, sometimes recycling old concepts. Take “Crossy Road,” for example. The concept – try to get your character across the road without getting squished by a stream of vehicles – is reminiscent of “Frogger,” an arcade game released in 1981.

Ever-evolving, developers have clearly set their sights on the lucrative health services industry. Doctors and other health providers have proven to be willing participants in trying new technology to help them manage old problems: administration, scheduling, communication, information sharing and reference.

In 2014, the Ontario Medical Association (OMA) reported on a study showing increased usage of smart devices by Canadian family physicians and estimated around 100,000 health apps were available. At that time, the OMA was sounding the alarm: “buyer beware.” They provided tips to physicians considering using mobile apps, citing concerns with accuracy, quality and privacy.¹

The number of health apps now available is estimated at 325,000. Doctors’ use of mobile devices has increased and the U.S. Department of Health and Human Services reported that 9% of major health care data breaches in 2015 involved a mobile device.² Peer-reviewed research shows that many health apps do not provide adequate privacy protections, even when a privacy policy exists.³

A custodian of personal health information considering adopting a new app or technology must cross that road carefully, lest they be flattened by a truckload of privacy issues.

The provisions of the Personal Health Information Act (PHIA) place responsibility squarely on the custodian to ensure personal health information is protected against theft, loss, and unauthorized access, use, disclosure, copying or modification. PHIA also prescribes additional safeguards for electronic systems.⁴

A Privacy Impact Assessment for any new technology being considered is a must. Ask a range of questions, including: Is it necessary? Who will have access to data in transit and during storage? What servers will the data touch? Is the data encrypted and firewall protected? How will security updates be done? Is data vulnerable if the device is using public wi-fi? Some tools and checklists are available on the Office of the Information and Privacy Commissioner website to help.⁵

These tools provide a framework, but the technology is changing rapidly, requiring custodians to maintain vigilance over any technology in use.

New technology offers great opportunity, but it also comes with great risks. Personal health information custodians have a heavy responsibility to safeguard the personal health information entrusted to them. Asking the right questions – and not assuming that technology marketed to health professionals contains the features necessary to ensure health privacy – is a good start. Doctors need to choose wisely from a crowded field of flashy options.

What’s on the other side of the road? For the custodian who makes it across this busy highway, peace of mind and secure personal health information awaits.

References

1. Ontario Medical Association, “There’s an app for that: The use of mobile medical applications in clinical practice” [cited 2018 Jan 30]. Available from: https:// calpractice.pdf.

2. Manisha Kathooria, “mHealth: 40 Statistics To Know” Health IT Outcomes. November 28, 2016 [cited 2018 Jan 30]. Available from: www.healthitoutcomes.com/doc/mhealth-statistics-to-know-0001

3. Sarah R. Blenner, et al., “Privacy Policies of Android Diabetes Apps and Sharing of Health Information” Journal of the American Medical Association. 2016; 315(10): 1051-1052 [cited 2018 Jan 30]. Available from: ticle/2499265 ; Lisa Rosenfeld, et al., “Data Security and Privacy in Apps for Dementia: An Analysis of Existing Privacy Policies” The American Journal of Geriatric Psychiatry. August 2017; 25(8): 873-877 [cited 2018 Jan 30]. Available from: S1064-7481(17)30301-9/fulltext

4. PHIA s.62, 65, Regulation 10

5.

Janet Burt-Gerrans is a legal professional with multi-sector public administration experience. She is a Senior Investigator with the Information and Privacy Commissioner’s office.

March 2018 | doctorsNS 21