Regulators inquire about security of Apple’s Health app and HealthKit developer tools
The primary concern of the FTC is ensuring collected data is not used in any manner without owner consent. Apple has stressed to regulators that a user’s health information would not be sold in any way, and it would not allow data to be treated that way by third-party developers using the HealthKit SDK.
According to Apple spokeswoman Trudy Muller, “We designed HealthKit with privacy in mind,” allowing consumers to determine how information is used or shared. Muller also pointed out that Apple has been working closely with regulators around the world to provide assurances about the data protections in place for Health: “We’ve been very encouraged by their support.”
The FTC is not launching a formal investigation, but the inquiries do indicate a concern over potential risks related to how health data is collected outside the confines of medical equipment or a medical professional. The agency has requested that Congress pass legislation that would make the business practices of data brokers (third-party health-app companies) more visible.
One reason this is such a concern is that data gathered by any health app or wearable, whether from Apple, Samsung, Google, or the like, is not protected by HIPAA, the Health Insurance Portability and Accountability Act. HIPAA’s privacy rules cover everything, including what some might consider mundane data, like heart rates. Under those rules, individual health information cannot be exchanged without the consent of the person whose data it is.
Another reason for the inquiry, arguably more alarming, is that the FTC conducted a study of developers whose apps gathered health data. It was found that developers of 12 mobile health and fitness apps shared or sold that data to more than 76 different parties, including advertisers.
While it is not yet known how Apple will enforce its rules about not allowing developers to use health data for ads or data-mining, for now the company is trying to set a precedent that puts the control of health data in the hands of the consumer.