The Complex and Nuanced Challenge of mHealth Privacy

Imagine empowering a person living with diabetes to track their blood-sugar levels throughout the day, report on how they feel at various points (e.g., after meals or exercise) and record how much insulin they took - all from a phone in the palm of their hand. Then, with the simple touch of a button on that same phone, they send all of that valuable data to their doctor, who can provide immediate feedback or make adjustments to their treatment regimen.

This is the ideal mobile health story, one in which mobile technology makes it easier and more efficient to achieve better health outcomes - and these are the type of apps, if deployed in developing countries, that can help deliver better care than the current healthcare and communications infrastructure allow.

It's an amazing vision, but it is not risk free. What if this same person's health data becomes compromised? Suddenly, the fact that they have diabetes is no longer private information, whether or not they wanted to keep it private. The storybook tale of mHealth as an empowering tool can quickly turn into a tragedy of breached privacy and compromised security.

Thinking about the myriad medical apps that are being marketed to the provider and consumer market, the obvious questions around patient privacy and security are always at hand.

In any formal conversation about privacy in the US, we use the definitions provide by the National Committee for Vital and Health Statistics (NCVHS), an advisory committee to the US Department of Health and Human Services. "Health information privacy is an individual's right to control the acquisition, uses, or disclosures of his or her identifiable health data. Confidentiality, which is closely related, refers to the obligations of those who receive information to respect the privacy interests of those to whom the data relate. Security is altogether different. It refers to physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access or disclosure."

Our challenges and questions ahead form a lengthy list when it comes to securing mobile health:

  • How do we enable patient control over the data they provide while using a mobile app?
  • How do the smartphone device manufacturers, operating system and app developers meet their obligation to respect a person's privacy interests and keep the data confidential?
  • How are those patient privacy interests expressed as policy and implemented in technology?
  • How do we understand the security posture of the popular smart phone and computing devices, communications mechanisms and user apps?
  • Is it too hard?
  • Do we care?

First, we must think globally (as the technology is ubiquitous throughout the world) and understand there are many factors to be considered. Privacy has many criteria, ranging from context to culture and a great deal in-between. At the most fundamental level, privacy is considered a human right that should never be sacrificed for the sake of urgency, convenience or negligence. When you put it in those terms, the powerful need to protect privacy is clear, especially when it comes to our healthcare at home and worldwide.
We know that global health-focused organizations such as the World Health Organization (in partnership with the International Telecommunications Union (ITU)), the United Nations, the World Bank, as well as technology vendors, industry associations and governments are working on deploying technology and having privacy policy discussions nearly in parallel - all with the goal of providing a new infrastructure to advance health.

Think of the weight on the shoulders of these global regulators. Development, uptake and sustainability of mHealth solutions around the globe are dependent substantially on privacy and data protection issues, which can be legal, ethical and socio-cultural in nature.
Imagine four young women, each in her early twenties and with her life affected by HIV. Consider a pregnant woman with HIV in Bangladesh, a mother with an HIV positive child in Nigeria, a woman with an HIV positive fiancé in India, and a single woman with HIV in Chile. Development of mHealth tools and solutions to optimize HIV treatment outcomes need to take into consideration the significant differences in cultural perspectives, codes of ethics, and laws protecting personal privacy and the confidentiality of health information in each of the countries in which these four women live.

HIV status is heavily stigmatized in Bangladesh. The confidentiality of a patient's HIV status is specifically protected by law in Chile. The law in India recognizes a right for health care professionals to disclose a patient's HIV status to his fiancé on the basis of public interest. Only one country - Chile - has a comprehensive privacy law. However, constitutional protections for privacy exist in Bangladesh and Nigeria. Telecommunications sector laws are in place in Bangladesh and India. Codes of medical ethics exist in each country; however, the applicability to mHealth varies. The significant degree of variability in protections, as described further in the recent report Patient Privacy in a Mobile World: A Framework to Address Privacy Law Issues in Mobile Health, demonstrates the need for privacy and security policy frameworks to guide efforts to implement sustainable approaches to mHealth that meaningfully improve access and health outcomes around the world.

Complexities like these are what has put global privacy policy and associated legal and regulatory frameworks at the forefront of the discussion happening in organizations across every country in the world, and especially in leading global health organizations. Complex problems rarely have simplistic solutions, and the answers in the case of mHealth privacy issues won't be easy. But solutions to these issues are well worth pursuing and will play a significant role in helping the field of mHealth realize its full potential.

This post is part of a series produced by The Huffington Post, the mHealth Alliance and HIMSS Media in conjunction with the mHealth Summit, which will take place in the Washington, DC, area on December 8-11, 2013. The Summit brings together leaders across sectors to advance the use of wireless technology to improve health outcomes, both in the United States and globally. For more information about the mHealth Summit, click here.