Who protects your health data?

Viewing heart rate data in the Health app is not useful for those interested in fitness training.

Of all your personal data, those concerning your health, its care, and medical records, are invariably the most sensitive of all. They could contain details of treatment for diseases such as syphilis or AIDS, of psychiatric care, or the results of blood and other tests.

Until a few years ago, almost all personal health records were held by, and in, healthcare facilities such as hospitals, where professionals, doctors in particular, were responsible for overseeing their protection. We are now rapidly reaching the point where more of our health data will be stored on our iPhones and similar devices than in hospitals. Most of it might be relatively humdrum, such as heart rate, blood pressure, maybe blood glucose levels, but as the amount increases, so does its sensitivity.

We may choose to publish much of the health data which we store on these devices. If you use Strava or one of the other fitness services, you are likely to want others to see your impressively low/high heart rates when out running or cycling. But you would be understandably incensed if those same sites were to publish your HIV test results, or details of your latest gynaecological examination.

Yet remarkably few countries have any legislation making specific provision for the protection of health data. In Europe in general, and the UK in particular, our mainstay directive and law (the Data Protection Act 1998) were drafted well before the end of the last century. They do not draw any particular distinction between general personal information, such as your preference for breakfast cereal, and the most sensitive health data.

It is therefore unsurprising to see software developers and online services treating health data just like any other potentially marketable information. A recent letter in the Journal of the American Medical Association by Blenner and others – which ironically is itself not freely available – shows how cavalier Android services are. Of the diabetes apps which they evaluated, 80% collected user data, just under half shared user data with business partners or other third parties, but less than 30% would only share personal information if the user gave their consent.

Apple appears much more joined up and protective with iOS. Official access to health data is through its HealthKit, which places strict user controls over the types of data which can be accessed. If you deny access by an app to a specific type of data, HealthKit ensures that the app does not even know the data exists. Apple is prescriptive in how developers can use HealthKit. The following is quoted directly from its documentation:

In addition, your app must not access the HealthKit APIs unless the app is primarily designed to provide health or fitness services. Your app’s role as a health and fitness service must be clear in both your marketing text and your user interface. Specifically, the following guidelines apply to all HealthKit apps.

  • Your app may not use information gained through the use of the HealthKit framework for advertising or similar services. Note that you may still serve advertising in an app that uses the HealthKit framework, but you cannot use data from the HealthKit store to serve ads.
  • You must not disclose any information gained through HealthKit to a third party without express permission from the user. Even with permission, you can only share information to a third party if they are also providing a health or fitness service to the user.
  • You cannot sell information gained through HealthKit to advertising platforms, data brokers or information resellers.
  • If the user consents, you may share his or her HealthKit data with a third party for medical research.
  • You must clearly disclose to the user how you and your app will use their HealthKit data.
  • You must also provide a privacy policy for any app that uses the HealthKit framework.

The HealthKit data is only kept locally on the user’s device. For security, the HealthKit store is encrypted when the device is not unlocked.
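To make the per-type control concrete, here is a small Swift class, written for this page rather than taken from the post or from Apple's documentation, that requests read access to heart rate only and shows what an app can and cannot learn about the user's decision. It assumes an iOS app that has the HealthKit entitlement and supplies the `NSHealthShareUsageDescription` string in its Info.plist; without those the permission sheet is never shown.

```swift
import HealthKit

/// Added example (not from the post): read heart rate through HealthKit and
/// observe how little the app is told when the user denies access.
final class HeartRateReader {
    private let store = HKHealthStore()

    /// Ask only for the types the app genuinely needs; each one listed here
    /// becomes a separate switch on the permission sheet.
    /// Assumption: HealthKit entitlement and usage-description string are present.
    func requestAccess(completion: @escaping (Bool) -> Void) {
        guard HKHealthStore.isHealthDataAvailable(),
              let heartRate = HKObjectType.quantityType(forIdentifier: .heartRate) else {
            completion(false)
            return
        }
        store.requestAuthorization(toShare: nil, read: [heartRate]) { presented, error in
            // `presented` only means the request was processed without error.
            // It does NOT say whether the user allowed reading: HealthKit
            // deliberately withholds read denials from the app.
            completion(presented && error == nil)
        }
    }

    /// Sharing (write) status is the only status HealthKit reveals.
    /// There is no read-status counterpart: authorizationStatus(for:) reports
    /// whether the app may write the type, never whether it may read it.
    func sharingStatus(for identifier: HKQuantityTypeIdentifier) -> HKAuthorizationStatus {
        guard let type = HKObjectType.quantityType(forIdentifier: identifier) else {
            return .notDetermined
        }
        return store.authorizationStatus(for: type)
    }

    /// Fetch the most recent heart-rate samples in beats per minute.
    /// If the user denied reading, the query completes normally with an empty
    /// array: the app cannot distinguish "denied" from "nothing recorded".
    func recentHeartRates(limit: Int = 10, completion: @escaping ([Double]) -> Void) {
        guard let heartRate = HKObjectType.quantityType(forIdentifier: .heartRate) else {
            completion([])
            return
        }
        let newestFirst = NSSortDescriptor(key: HKSampleSortIdentifierEndDate, ascending: false)
        let query = HKSampleQuery(sampleType: heartRate, predicate: nil,
                                  limit: limit, sortDescriptors: [newestFirst]) { _, samples, _ in
            let bpm = HKUnit.count().unitDivided(by: .minute())
            let values = (samples as? [HKQuantitySample])?.map {
                $0.quantity.doubleValue(for: bpm)
            } ?? []
            completion(values)
        }
        // The HealthKit store is encrypted while the device is locked, so run
        // queries while it is unlocked; a background query at lock time fails.
        store.execute(query)
    }
}
```

The design point is that denial is indistinguishable from absence: a well-behaved app should therefore treat an empty result as "nothing to show" and never infer, log or report that the user has refused a particular category of health data.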

There is that uncomfortable word again: encrypted.

Nowhere in any of the debate about unlocking iPhones, terrorism, crime, law enforcement, encryption, and all the other issues that have been raised, has anyone considered the privacy of health data. Nowhere in the UK’s now infamous Investigatory Powers Bill is there any consideration of the fact that, among the data and electronic communications which the law enforcement and security agencies wish to access individually and in bulk, some of that will be personal health data.

Ordinarily, in criminal or civil proceedings, courts will grant access to health data only when a convincing case is made of that need. In criminal proceedings, the need for access to a suspect’s (or the accused’s) health and medical records is exceptional.

The blind juggernaut being driven through our privacy in the name of security and law enforcement has no respect for our health data. Like everything else in our no-longer private lives, those data will be handed over without our consent or knowledge, to people who have nothing at all to do with healthcare.

Rather than driving through legislation to destroy our privacy, should our politicians not respond to the changing world by enacting better protection for it?

Further reading

Blenner SR et al. (2016) Privacy Policies of Android Diabetes Apps and Sharing of Health Information, JAMA. 2016;315(10):1051-1052. doi:10.1001/jama.2015.19426.

In the UK, legal principles for the protection of personal data are laid down in the ageing Data Protection Act 1998, drafted when almost all health data were confined to medical sites such as hospitals, and a lot were still recorded on paper. That Act is, in turn, the UK’s implementation of the European Data Protection Directive of 1995, which is showing similar signs of senility.

Recognising the limitations of this generic legislation even before it came into force, Dame Fiona Caldicott was asked to report on the management of confidentiality within the UK health services, and came up with seven principles, known ever since by her name. They are well described on Wikipedia. Although these have become mandatory within UK healthcare services, they are almost unheard of outside them.

US legislation is centred on HIPAA of 1996 and the HITECH Act of 2009, neither of which addresses today’s issues of keeping personal health data private.

The Electronic Frontier Foundation has a special interest in health data, introduced here.

Apple’s HealthKit Framework documentation.