Key Considerations for Health App Developers from the FTC

If your company creates health-related apps, the Federal Trade Commission (FTC) has set out some key considerations:

  • Make accurate representations. Clearly explain how people’s information will be used and shared and then live up to those promises. If your company has deployed apps to read credentials at storefronts, ensure that those businesses understand your practices and the limits on how they may use the data you share.
  • Keep your app updated and your customers in the loop. If your app needs to be updated to protect against new security vulnerabilities, follow through and do just that. And if a customer needs to update information on file to continue to use your app, communicate that clearly.
  • Review and update your privacy claims. Companies are creating apps that may evolve over time to share new or different information, particularly as they relate to public health developments. If your privacy claims don’t keep pace with changes to your data practices, consumers could be misled.
  • Minimize the data that is shared. When verifying a consumer’s vaccination status, it may be sufficient to communicate their status to another entity without sharing the person’s name, date of birth, email address, type of vaccine, etc. That principle applies equally to other health-related apps.
  • Protect the data you use for verification. If your app transmits sensitive data to verify a person’s status, use transit encryption. People using those apps (or other health apps) commonly rely on open Wi-Fi access points at coffee shops, airports, and other locations where it’s easy for info thieves to intercept data. If your app stores information on a phone, consider protecting or obscuring the data. This helps protect users in the event of viruses (the digital kind), malware, or a lost device.
  • Apply the lessons of the pandemic as you develop new health-related apps. Health apps are here to stay. But before your company rushes to market with a new product, train your team to prioritize best practices for secure development. If you Start with Security – and keep it Job #1 as you design, develop, and test – you can reduce the risk of rolling out a product with a fatal flaw. Another important resource: NIST’s Secure Software Development Framework (SSDF).
  • Before your product goes live, verify that it works as advertised and that security measures are operational. One unskippable step: testing your product to ensure it’s not susceptible to common security vulnerabilities.
  • If you’re dealing with health data or kids’ data, understand applicable standards and regulations. Additional legal provisions may apply when health information and kids’ information is involved. Seek guidance on the Children’s Online Privacy Protection Act and the COPPA Rule, the Health Insurance Portability and Accountability Act (HIPAA), the Health Breach Notification Rule, and other relevant laws.Does your business, nonprofit, or other group check people’s vaccine status?
  • Research the marketplace. If you decide to use an app or other technology to assist in  performing health-related functions, exercise the utmost care in selecting service providers. Investigate the companies, learn more about their software, and ask questions about their privacy and data security practices. What information will they be sharing with you? What information will an app be collecting from you, your customers, or your employees? Are the representations you make to others consistent with your service provider’s practices.
  • Provide a secure environment. If you do use technology to collect personal information, do you have a secure network through which the information is transmitted? And if you must maintain information, can you store it securely?
  • If you need to maintain information about a person’s health status, consider how long you have to retain it. Once you no longer have a legitimate need for someone’s vaccine status or other health-related information, dispose of it securely.  Why collect or keep data you don’t need?

Leave a Reply

Your email address will not be published. Required fields are marked *