WHAT'S HAPPENING

THE PRIVATE SECTOR STEPS IN TO PROTECT ONLINE HEALTH PRIVACY, BUT CRITICS SAY IT CAN'T BE TRUSTED

BY DARIUS TAHIR

Most people have at least a vague sense that someone somewhere is doing mischief with the data footprints created by their online activities: Maybe their use of an app is allowing that company to build a profile of their habits, or maybe they keep getting followed by creepy ads.

It's more than a feeling. Many companies in the health tech sector — which provides services that range from mental health counseling to shipping attention-deficit/hyperactivity disorder pills through the mail – have shockingly leaky privacy practices.

A guide released this month by the Mozilla Foundation found that 26 of 32 mental health apps had lax safeguards. Analysts from the foundation documented numerous weaknesses in their privacy practices.

Jen Caltrider, the leader of Mozilla's project, said the privacy policies of apps she used to practice drumming were scarcely different from the policies of the mental health apps the foundation reviewed – despite the far greater sensitivity of what the latter records.

“I don’t care if someone knows I practice drums twice a week, but I do care if someone knows I visit the therapist twice a week,” she said. “This personal data is just another pot of gold to them, to their investors.”

The stakes have become increasingly urgent in the public mind. Apps used by women, such as period trackers and other types of fertility-management technology, are now a focus of concern with the potential overturning of Roe v. Wade. Fueled by social media, users are exhorting one another to delete data stored by those apps – a right not always granted to users of health apps – for fear that the information could be used against them.

"I think these big data outfits are looking at a day of reckoning," said U.S. Sen. Ron Wyden (D-Ore.). "They gotta decide – are they going to protect the privacy of women who do business with them? Or are they basically going to sell out to the highest bidder?"

Countering those fears is a movement to better control informa

tion use through legislation and regulation. While nurses, hospitals, and other health care providers abide by privacy protections put in place by the Health Insurance Portability and Accountability Act, or HIPAA, the burgeoning sector of health care apps has skimpier shields for users.

Although some privacy advocates hope the federal government might step in after years of work, time is running out for a congressional solution as the midterm elections in November approach.

Enter the private sector. This year, a group of nonprofits and corporations released a report calling for a self-regulatory project to guard patients' data when it's outside the health care system, an approach that critics compare with the proverbial fox guarding the henhouse.

MIXED SIGNALS: There is considerable doubt that the private sector proposal will create a viable regulatory system to guard patients' data. Many participants, such as Apple, Google, and 23andMe, dropped out during the gestation process.

The project’s backers tell a different story. The initiative was developed over two years with two groups: the Center for Democracy and Technology and Executives for Health Innovation. Ultimately, such an effort would be administered by BBB National Programs, a nonprofit once associated with the Better Business Bureau.

Participating companies might hold a range of data, from genomic to other information, and work with apps, wearables, or other products. Those companies would agree to audits, spot checks, and other compliance activities in exchange for a sort of certification or seal of approval. That activity, the drafters maintained, would help patch up the privacy leaks in the current system.

"It's a real mixed bag – for ordinary folks, for health privacy," acknowledged Andy Crawford, senior counsel for privacy and data at the Center for Democracy and Technology. "HIPAA has decent privacy protections," he said. The rest of the ecosystem, however, has gaps.

Still, there is considerable doubt that the private sector proposal will create a viable regulatory system for health data. Many participants – including some of the initiative's most powerful companies and constituents, such as Apple, Google, and 23andMe – dropped out during the gestation process. (A 23andMe spokesperson cited "bandwidth issues" and noted the company's participa