Just last week, the Consumer Electronics Association released guidelines about privacy policies for health and fitness devices. At the Partners Healthcare Connected Health Symposium in Boston, held the same week, a panel of experts also had some ideas about maintaining privacy and security in the world of health and fitness devices -- a world where HIPAA often doesn't apply.
Right now, the biggest assurance users of consumer health services have about their privacy is the terms of service document they must accept when they download an app. But, as Jennifer S. Geetter, a partner at McDermott Will & Emery, explained, terms of service aren't easy for the average person to read, and those who do read them have little recourse other than opting out of the service.
"Part of the reason folks don’t read their rental car contracts or their mortgage documents is because they’re very long, they’re very complicated, and they tend not to vary very much," she said. "There’s a sense that whatever’s in here, is in here and there’s not much you can do about it. ... I think some of those dynamics apply to the privacy policies and the terms of service that all of us click robotically, because at that moment, when we want to download an app or use a new tool, our ability to restrain ourselves is at its lowest. We’re exactly at that point where we’ve decided we need something and we’re this close to getting it. Even if we read the terms and conditions we’re not negotiating on them. They are what they are."
Unlike contracts in other areas, whose contents are largely standardized, health apps reflect very different ideas among their makers about what's appropriate to do with user data, so each app's terms of service are a little bit different. Using that data is part of how many health apps can afford to operate.
"These apps are largely free. And there isn’t a lot of reflection on 'How are all of these apps that are valued in the marketplace free?'" Geetter went on. "Well they’re not free. They’re [paid for with] our data. And until we understand that we’re making that transaction -- and we might be OK with it-- but I think there’s a gap in how we are all navigating the digital landscape with how it actually works, and that’s part of the challenge."
Dr. Jordan Shlain, founder and chairman of HealthLoop, thinks the solution is to take an example from another field where we now take clear labelling for granted: food.
"It used to be, if you ate a banana, you knew what was in it. It was a banana," Shlain said. "And then we started getting processed food, processed chemicals, and now we have a label. It’s a standardized version of a set of very complex things that we simplify. Where’s the nutrition label for privacy? Where is the label that summarizes terms and services in a very simple way? Will I receive emails that I didn’t want by signing up for this? Will you share my data and with whom? Will I have an opportunity to make my data disappear? Will I get benefit from you selling or sharing my data? Can I get out of it?"
Shlain thinks there's a reason that the 'nutrition label for privacy' has yet to emerge, though.
"Nobody wants to do that," he said, "because then they would be exposed for selling your stuff and they’re marketing it, and you’re going to get emails and texts from people you don’t know in ways you weren’t aware of and it’s annoying."
But there is hope for an approach like this to go forward. The recent CEA guidelines are an industry-led step in the right direction. And Geetter believes the FCC is very likely to step in to make sure terms and conditions are presented in ways that give the consumer the best chance to respond to them. It will likely take a combined industry and government effort to really standardize how privacy and security are managed, she said.