Today, we carry powerful computers in our pockets that monitor and analyze the most intimate details of our lives. The data collected from our smartphones and wearables can reveal everything from our location history to our heart rhythms.

This wealth of personal data provides immense value – helping us track our health, fitness, sleep patterns and more – but also raises crucial questions around privacy. Who exactly owns our personal data? How securely is it stored? And how might it be used or exploited without our knowledge? 

As consumers embrace health tracking technology, the onus lies on tech companies to be transparent around data practices and prioritize user privacy. Without thoughtful safeguards in place, we risk our sensitive information falling into the wrong hands.

Let’s look at limited regulations that currently apply to most health apps as well as measures they can take to better protect user data through encryption, access controls, consent controls and transparency.

What Types of Data Do Health Tracking Apps Collect?

Health tracking apps can gather a large amount of health and personal data from users:

• Biometric data: Apps connected to wearable devices record biometric data like heart rate, blood pressure, sleep patterns, steps, calories burned, menstrual cycle, fertility windows, etc.
• Location data: GPS tracking records your routes and locations during workouts and daily activity.
• Health records: Some apps sync with electronic health records from hospitals and clinics.
• User profiles: Apps collect personal details like name, email, age, gender, height, weight, medications, medical conditions, menstrual health, and more.
• Usage data: Apps track your usage behavior, like which features you use, time spent, etc.
• Mental health data: Meditation and mindfulness apps can infer stress, anxiety, and depression levels based on usage.

How Is This Health Data Used by Apps?

Health apps primarily use collected data to provide their services to users, such as activity tracking, health monitoring, and personalized insights. But there are other secondary uses:

• Targeted in-app advertisements based on health data profiles
• Sale of anonymized data to third parties like pharmaceutical companies, research organizations, etc.
• Sharing data with the parent company for broader analytics and ad targeting
• Law enforcement requests approved by court orders

You might be using a VPN for online privacy. But it doesn’t prevent such apps from collecting data. What does a VPN do? Does a VPN change your IP? Yes, it does when it is enabled, but since you have to give permission to health apps to track your data, a VPN may not be helpful here.

What Are the Privacy Risks?

Despite the benefits of health apps, the large-scale collection of personal and sensitive health data poses several privacy risks if not handled securely:

• Data breaches: Apps are vulnerable to hacking attacks that can expose user data.
• Unauthorized access: Poor access controls can allow unauthorized parties to access sensitive health data.
• Data selling: User data may be sold to third parties like data brokers, advertisers, and insurance firms.
• Tracking and surveillance: Location, biometrics, and usage data could enable tracking of users’ activities and health.
• Discrimination: Health conditions, sexual orientation, and pregnancies could lead to discrimination by employers, insurers, etc., if data is compromised.
• Re-identification: Anonymized data can potentially be linked back to identify individuals.
• Uninformed consent: Vague privacy policies and terms of service often don’t adequately explain how data will be used.

What Regulations Apply to Health Apps?

• The Health Insurance Portability and Accountability Act (HIPAA) regulates protected health information (PHI) handled by healthcare providers and associated entities. But most health apps don’t qualify as HIPAA-covered entities.
• The Federal Trade Commission (FTC) oversees the enforcement of consumer privacy and security through its Health Breach Notification Rule, which applies to health apps and connected devices.
• Apps must comply with state data breach notification laws requiring disclosure of breaches involving personal information.
• The Children’s Online Privacy Protection Act (COPPA) imposes certain requirements for apps collecting data on children under 13 years old.
• The European Union’s General Data Protection Regulation (GDPR) protects EU citizen data and applies to many health app companies.

How Can Health Apps Better Protect User Data?

Health apps should implement robust privacy and security protections like:

• Minimizing data collection to only essential user information required for core functionality.
• Anonymizing and aggregating data where possible to avoid collecting personally identifiable data.
• Using differential privacy techniques to preserve anonymity in aggregated datasets.
• Encrypting stored data and transmitting data over secure connections.
• Having strong access controls to limit employee access to only necessary data.
• Conducting frequent security audits and penetration testing.
• Enabling users to export their data so they can move to another platform if desired.
• Providing users granular consent options to opt in or opt out of specific data uses.
• Maintaining transparency through detailed privacy policies explaining data practices.

Hence, health-tracking apps provide useful services but also raise valid privacy concerns, given the sensitive nature of the collected data. While regulations are limited, health apps should take proactive measures to implement privacy-by-design principles and robust security protections to safeguard user data and maintain trust. Ultimately, users should also carefully review privacy policies to make informed choices about the apps they use.