At a Tech in Policy event sponsored by Washington, D.C. newspaper The Hill, FTC Commissioner Julie Brill made it clear that the FTC is aware of recent concerns about health app data privacy and security and is looking into new ways to police the industry.
"The law is, on some level, always going to lag behind technology," she said. "Technology is moving at lightning speed. Our job at the commission is to try to instill in communities like the app community [and] like the developer community -- with respect to platforms [and] with respect to new technological systems -- that there are fundamental consumer protection rules that need to apply and that they need to think about as they move forward at lightning speed."
Brill identified some of the same concerns that have come to light lately in documents like the California Healthcare Foundation's recently published report on health data privacy; namely, that patient health data is being collected in consumer spaces that fall outside of the domain of HIPAA, allowing third parties to access the data and sell it to data brokers.
"We did a study of about 12 devices and apps and it turned out about 76 entities were receiving information off these apps and devices," Brill said. "And it wasn’t just things like UDID [the iPhone's unique identifier] and geolocation and whatnot. That was being collected, but it was also information about the consumer’s health. One was a pregnancy app and it was the time in which the woman was ovulating, and it was being collected by third parties."
The commissioner said that the FTC needs to step in on the level of data collection, rather than just concerning itself with how third parties use that data, because that is what consumers are concerned about. That said, she also elaborated on ways in which those third parties might use the data that could be especially problematic.
"Sometimes it’s used for marketing, which some people consider to be relatively benign, but sometimes these profiles might be used for more important decisions about consumers," she said. "For instance, are they a trustworthy customer? Should the company do business with them? And if that information is flowing for those sorts of purposes, I believe and the commission believes that consumers need many more tools and there needs to be much more transparency around that enterprise."
Brill was joined on stage by Morgan Reed, Executive Director of The App Association, who asserted that regulation needed to be done in a way that wouldn't limit the positive medical outcomes that can come from patients sharing self-tracking data with their doctors. Brill agreed, but pushed back, stressing the difference between that and problematic data collection.
"That’s a completely consented to environment you’re talking about and I don’t think anyone’s trying to stop that from happening," Brill replied. "I think the concern is when it’s not just your clinician who’s seeing that information, because before it gets to your clinician, it gets outside of HIPAA, outside of that silo. Instead what we’re seeing is information through a third party communicating that you have diabetes, you have high blood pressure, and this is some information that goes into a profile about you. I think that’s a critical distinction between when you’re in a trusted environment and when you’re outside one, and your example is precisely what I’m talking about. It’s very sensitive health information. That information is going to be highly sensitive and we need to be very cognizant of how that environment is structured."