Do Mobile Phone Healthcare Apps Violate HIPAA?

HealthDay News –  Mobile applications, or “apps”, designed to manage sensitive healthcare information between patients and doctors may have insufficient privacy policies, according to a study published in the March 8 issue of the Journal of the American Medical Association.

Sarah Blenner, JD, MPH, of the Illinois Institute of Technology Chicago-Kent College of Law in Chicago, and colleagues focused on 211 diabetes-specific apps available for download in mid-2014 on Google Play. Blenner and her associates noted that Google Play mandates that all apps post a point-of-sale list of information-handling “permissions” that consumers must agree to before downloading, whether or not they’re actually read.

Among the apps studied, these permissions included: tracking patient location (nearly 18%); remotely activating a user’s microphone or camera (about 4% and 11%, respectively); and modifying or deleting stored information (64%). The study authors also found that about 80% of the apps actually had no declared privacy policy of any kind. And of the roughly 20% that did have a privacy policy, patient privacy protection was very often not the main focus, the researchers said.

Among 65 apps randomly selected by the research team, more than 86% placed tracking “cookies” on users’ phones to monitor sensitive health information (such as insulin levels) that could be easily shared with third parties. More than three-quarters shared such information, whether or not they had a privacy policy in place, the investigators found.

“Consumers really need to understand what an app developer’s privacy practice is before downloading and using these apps,” Blenner told HealthDay. “Because once their medical information is leaked, they can’t ever regain control over it.”


Summary and Clinical Applicability

The Health Insurance Portability and Accountability Act (HIPAA) established national standards for the protection of patient privacy and healthcare information.  However, it was initially enacted before the development and widespread adoption of phone applications to transmit and manage data. Because of this, it is sometimes difficult to determine which apps must be HIPAA-compliant and which are exempt.  

Challenges in protecting patient information include the fact that phones and tablets can be stolen, and information stored on them may be compromised. Mobile phone users also may intentionally or unintentionally share personally identifiable information, even if the original intention of the app was not to gain that information.  Additionally, the advent of social media makes it easier for users, including healthcare practitioners, to post information that inadvertently breaches HIPAA privacy laws. 

Reference

Blenner S, Köllmer M, Rouse A, Daneshvar N, Williams C, Andrews L. Privacy Policies of Android Diabetes Apps and Sharing of Health Information. JAMA. 2016;315(10):1051-1052. doi:10.1001/jama.2015.19426.
