Do You Want Your Apps to Know About Your Last Doctor’s Visit?

It sounds amazing. You sign up for an app that tracks your robust heart rate, your 10,000 daily steps, and other minute-by-minute data, and then, with a few short clicks, you can also download the years of medical records that show your struggles with cholesterol and the procedures you’ve had with a variety of specialists. It’s all in one convenient spot.

You’ll have that option soon, by way of a little-noticed federal regulation that is winding its way toward final approval later this year. The rule would effectively wrest control over your health records from health-service providers. The idea is that, with a single click, you would be able to transfer those records to a third-party app—say, Apple Health—that could aggregate everything from every doctor you’ve ever seen.

The upsides for patient safety, holistic care, and choice could be tremendous: You’ll be empowered to ensure that your doctors know everything about your history, without needing to either awkwardly arrange for paper records to be sent from one place to another or rely on your own faulty memory. Ever since the federal Health Insurance Portability and Accountability Act, known as HIPAA, was passed in 2000, Americans have had the right to get copies of their medical records. Finally, it seems, that right will become practical, because the new rule will make it mandatory for all health care systems to make their data easily downloadable through an API.

But the societal tradeoffs prompted by technology adoption are seldom obvious at the outset. Each individual choice seems innocently incremental, an exercise of freedom made easy through digital encouragement. So it is with this new regulation.

Few Americans may realize that, under current law, releasing their digital health records to an app—So easy! Just like using Uber!—is like being bitten by a vampire: There is nothing you can do to reverse this action, and it has the potential to infect every part of your life. Third-party health apps—think apps for fertility, weight loss, lifestyle changes, or diabetes management—aren’t covered by federal privacy laws. They certainly aren’t covered by HIPAA, which governs only health industry “covered entities,” like health insurance companies, doctors, and hospitals, and requires that those actors adequately protect your health information and use (and disclose) that data only as minimally necessary to provide you services.

So, unless something changes, once you click impatiently through your favorite health app’s terms of service, that app will be able to sell your data—including your name and everything in your medical records—to anyone. A recent study found that 19 out of a sample of 24 general-purpose mobile health apps shared user data with more than 50 unique companies, most of which were data analytics companies; another study showed that many depression-tracking and smoking cessation apps currently share users’ personal details with third parties without clear disclosure.

Just imagine how those analytics could be repurposed for use by companies considering hiring you, selling you insurance or a mortgage, making a decision to lend you money, or deciding whether or not to admit your child to preschool. Right—you didn’t expect that, did you? And you likely wouldn’t know if something like that happened to you. Much algorithmic decision-making is unknown to its subjects.


Some think these privacy concerns are overblown. Since mid-2017, Don Rucker has led the office inside the federal Department of Health and Human Services that is developing the rules. Rucker points out that people share sensitive data with apps all the time—heart rate data with fitness apps, banking data with who knows who—and should have the right to make similar choices about their medical data. Rucker also says he is working on “better ways of doing consent” for use of health information, so as to ensure people actually understand what will happen to their data. But this consent-based approach doesn’t go nearly far enough. We should clearly extend and revise HIPAA so it covers third-party apps and limits the apps’ ability to share data (just as we try to with credit data).

Let’s assume for a minute that we live in a perfect world: HIPAA applies to apps and adults are fully informed of the risks they take when they upload their health records and decide of their own free will to do so. Great! But what about kids?

When it comes to children, we have an even bigger job to do: We need to make sure both that third-party apps processing kids’ health data are covered by HIPAA and that the apps control who can get access to pediatric data once it’s inside the app’s castle wall.

Some pediatric data should be downloadable by parents onto the parent’s device (something Apple Health doesn’t yet support), so that parents can act as proxies for their kids. And some pediatric data should not be downloadable by parents or guardians, in order to protect the child’s rights.

Yes, it’s complicated. Natalie Pageler, the chief medical information officer of Stanford Children’s Health—a health care system in the Bay Area dedicated to pediatric care—is excited about the potential for third-party apps to support kids’ health: “A school readiness app could aggregate parental contact information with immunization records and physical exam notes to facilitate more timely and accurate compliance with school admission requirements,” she suggests. “If there were an infectious disease outbreak at the school, the app could then warn and provide instructions for parents of children who might be particularly vulnerable—like a child whose immune system was compromised.” Or a young adult heading to college could have access to their health information so that they could start taking care of their own health.

The problem is that the rule does not include special provisions covering the privacy of kids’ data. That’s a grave mistake. The rule should require that a parent or guardian give specific permission every time pediatric data is shared outside the app. “Saying ‘Yes, I allow my data to be shared broadly’ shouldn’t even be an option for pediatric data,” according to Pageler.

Also, third-party apps need to be required to police who is allowed access to “adolescent-sensitive” data. Many states allow people younger than 18 to obtain substance abuse treatment, sexually transmitted infection treatment, prenatal services, or contraception without parental consent. That notion needs to be transferred to the app environment. If this problem isn’t fixed, some institutions could be in a bind. If a children’s hospital, say, makes adolescent-sensitive data available on an app, it could be found to have acted illegally under state law. But if it doesn’t, it could be fined under the new rule for blocking data from being downloaded.

At the moment, though, nuanced treatment of pediatric data by Big Tech has been effectively put on the “too hard” pile by federal regulators. That’s also a mistake. The answer to the pediatric issues Pageler (and the American Academy of Pediatrics) raises is not to lock kids out of the electronic health records revolution. The answer is: We need to protect their rights along the way.

