The market for health apps is growing very rapidly, and questions of privacy, personal data and false diagnosis have become hot topics for users, providers and other actors on the market.
The market for health and fitness apps (software that gives new functions to phones) was valued at SEK 90 billion last year according to Computer Sweden, and it is expected to grow by 30 percent over the next five years. Mobile phones may give patients greater control over their own illness; they may be used to record calorie intake and to record an ECG. Currently more than 100 000 apps for health and well-being exist, and many of them are about monitoring and measuring values. With the help of apps, different kinds of health data may be recorded continuously, every day, every hour, all the time, and advocates suggest that the healthcare system needs to step up and adopt this new technology as a valuable resource and the way of the future. Apps may spare patients much suffering and spare health providers and insurers many expensive hospital admissions.
However, as Nordic Life Science has previously reported, questions about privacy and false or harmful diagnosis are issues of great importance in this rapidly growing field. The Swedish Medical Products Agency is currently reviewing a number of dubious health and fitness applications that could be potentially harmful, and the Agency is able to remove mobile health apps from the market. It has also warned the public not to put too much trust in commercial apps.
According to the Swedish Medical Products Agency, an app that diagnoses a person's health condition is a medtech product, and it needs to be CE-marked according to EU regulations. However, not many of the health apps available today have been certified, and some could even be harmful. The Agency hopes that its investigations will be a wake-up call for health app developers and manufacturers.
Personal integrity at risk
Another legal issue for health app developers and users is the question of personal integrity. Apps open up a new way of collecting personal data. If, and on what basis, can health data be processed, and what do providers need to secure?
Recently a team of English and French researchers reported results from a six-month study of 87 medical apps approved as safe by the British healthcare authority, the NHS. The study showed that most of these handled personal data in an insecure way. All of the apps saved information on the mobile phone without encryption, and three out of ten apps sent personal information that could be linked to the individual in plain text over the Internet, where it was available to attackers. The researchers' advice to the public is to think ahead before downloading apps and uploading information that could be sensitive for their integrity.
The Article 29 working party in Sweden has addressed this issue and written to the EU commission to request clarification of the scope of the definition of health data in relation to use of lifestyle and other similar apps.
In 2014/2015 the Swedish Data Protection Authority reviewed a couple of health apps. It looked into how the developers handled personal information and which security measures they used to protect this data. It also looked into the information that users are provided with about how their personal data will be used, and whether they are able to consent to this use. For example, it concluded that two of the apps required what is known as strong authentication when the user logs in. This could be achieved, for example, by e-legitimation (electronic ID), one-time passwords, or by verifying the mobile phone's unique identity and binding it to the app and the user's account, protected by a password. Simply having a user id or a PIN code is not enough if the app stores sensitive information.
“Health app developers must inform every single user about how his or her personal information will be handled. This information must also be available after installation. And normally the user must give their consent on how the personal data is handled. If the app could register information about people other than the primary user, these persons should give their consent. The developer must also decide how long the personal data collected by the app should be stored. This is particularly important for users who have erased the app or have been inactive for a long period of time. The developer should decide when inactivity leads to expiration, and then inform the user so he or she is able to save their information,” advises Martina Lindkvist, lawyer at the Swedish Data Protection Authority.
Sensitive information (*) is also often registered in health apps, and therefore the app must use strong authentication so that unauthorized persons cannot get hold of this information, advises Lindkvist.
Simplifying the development of e-health services
Due to these legal issues and the fact that the health app market is exploding, bringing both great opportunities for progress in healthcare and, as mentioned above, a lot of risks, there is a need for administrative e-services and features that streamline the contact between healthcare and the patient. The Swedish Healthcare Innovation Platform (HIP) aims to provide these services. The platform provides access to tools that simplify the development of e-health services, for example instructions and ready-made code (APIs) that meet the legal requirements. “A tool box for people with innovative e-solutions for healthcare” is how HIP describes its services, whose intended users include health app developers. Thanks to the platform's security functions, patient information is available, for example from the Swedish Nationell Patientöversikt (National Patient Overview), and open data, such as statistics from quality registers, is easier to use through the platform.
BCC Research, which studies technology-based markets, forecasts that global revenues for m-health will reach $21.5 billion in 2018. Experts also forecast that health apps will evolve from fun into serious health monitoring and diagnostics platforms, integrated into national healthcare systems, and these serious apps will require stricter regulation.
* PUL (Personuppgiftslagen, the Swedish Personal Data Act) distinguishes personal data from sensitive personal data. Sensitive personal data includes ethnic origin, political opinions, religious views, membership of a union, health or sex life. When it comes to health, such information could be data about sick leave, pregnancy or doctor's appointments. Sensitive information warrants extra protection, and there are special rules in PUL for this kind of information.