According to the Guardian, which quotes as its primary source an article in the Financial Times, Apple has informed developers that they “must not sell an end-user's health information collected through the HealthKit APIs to advertising platforms, data brokers or information resellers.”
The new Apple rule reportedly adds that developers “could share their data with 'third parties for medical research purposes' as long as they get users' consent.”
APIs, or application programming interfaces, are bits of computer code used to connect one computer system with another. In Apple's case, APIs link its smartphones' and tablets' proprietary operating systems to the thousands of mobile applications created by developers outside the company, a symbiotic relationship between Apple and a myriad of app developers.
More recently the feds have taken steps toward promoting consent-management technology, particularly tech that handles the disclosure of information involving drug or alcohol treatment.
A driver of the policy shift has been the feds' push toward accountable care organizations to constrain soaring healthcare costs. ACOs put providers at financial risk for the cost of care to broad patient populations whose numbers often include patients who have received treatment for drug and alcohol abuse and whose data often is covered by a separate federal privacy rule.
That rule—42 CFR Part 2—is far more stringent than HIPAA. It obliges covered behavioral health providers to obtain patient consent prior to disclosure of their medical records, even for treatment, payment or other healthcare operations, all exempt from the consent requirement under HIPAA. And, it contains a “tag, you're it” principle that imposes similar consent requirements on downstream providers who receive data protected by the rule.
As a result, vendors have been scrambling to modify their systems to incorporate first-generation technologies to provide even the most basic of electronic consent-management capabilities.
Meanwhile, the feds are considering revising the rule to make health information exchange easier between providers of behavioral health and other healthcare organizations.
The Federal Trade Commission recently called again for a federal law to protect the privacy of personal data collected by data brokers, recognizing that much of the healthcare data that people willingly give to nonprovider websites or mobile application developers—entities not deemed to be “covered entities” and thus not governed by HIPAA—is sold by data brokers.
The FTC had advocated for some time that developers voluntarily adopt policies of “informed consent” prior to disclosure of personal data.
“They're being coy about it,” said Peel, an Austin, Texas, psychiatrist and founder of the Patient Privacy Rights Foundation, a not-for-profit privacy advocacy group. “I'm dying to see more details.”
If the leaked reports prove true, she said, it's a “victory of victories” that could be emulated by other major developers.
Follow Joseph Conn on Twitter: @MHJConn