A Qualitative Analysis Framework for mHealth Privacy Practices

Thomas Cory, Wolf Rieder, Thu-My Huynh

TL;DR

The paper addresses privacy risks in mobile health (mHealth) apps, where PII and PHI are at risk despite GDPR and HIPAA. It proposes a qualitative framework that triangulates Observation, Expectation, and Declaration to assess how apps actually manage data, what users and regulators expect, and how transparent the apps are about their practices. Applying the framework to 152 leading Android mHealth apps, the study finds pervasive third-party trackers, notable PHI transmissions, and substantial misalignment and undeclared data practices on privacy labels, highlighting gaps in current regulatory and disclosure mechanisms. The work offers a multidimensional methodology for evaluating mHealth privacy and sets a foundation for policy and design improvements, including more accurate privacy labels and stronger enforcement.

Abstract

Mobile Health (mHealth) applications have become a crucial part of health monitoring and management. However, the proliferation of these applications has also raised concerns over the privacy and security of Personally Identifiable Information and Protected Health Information. Addressing these concerns, this paper introduces a novel framework for the qualitative evaluation of privacy practices in mHealth apps, particularly focusing on the handling and transmission of sensitive user data. Our investigation encompasses an analysis of 152 leading mHealth apps on the Android platform, leveraging the proposed framework to provide a multifaceted view of their data processing activities. Despite stringent regulations like the General Data Protection Regulation in the European Union and the Health Insurance Portability and Accountability Act in the United States, our findings indicate persistent issues with negligence and misuse of sensitive user information. We uncover significant instances of health information leakage to third-party trackers and a widespread neglect of privacy-by-design and transparency principles. Our research underscores the critical need for stricter enforcement of data protection laws and sets a foundation for future efforts aimed at enhancing user privacy within the mHealth ecosystem.

Paper Structure (19 sections, 6 figures, 1 table)

This paper contains 19 sections, 6 figures, 1 table.

Figures (6)

  • Figure 1: Overview of the proposed analysis framework, highlighting the three integrated dimensions that provide the context for a qualitative assessment of mHealth privacy practices.
  • Figure 2: The 20 most prevalent third-party trackers ranked by the number of mHealth apps that embed their Java libraries.
  • Figure 3: The 20 apps that contacted the highest number of third-party tracker hosts, contrasted with the number of non-tracker hosts they contacted.
  • Figure 4: Transmission volume (i.e. number of transmitting apps) of 21 PHI types, grouped by data category and specificity, contrasting transmissions to non-trackers and third-party trackers.
  • Figure 5: Comparison of observed transmission volumes of standard PII, nonstandard PHI, and medical PHI in the network traffic captured during the manual interactive crawl and the automated non-interactive crawl.
  • ...and 1 more figure