App Privacy Guidelines & Survey

Please read through the guidelines below and provide feedback using the brief survey at the end.

App Privacy (P) Guidelines
Privacy will assess whether a mobile health app protects the user’s information, including Protected Health Information (PHI), Personal Information (PI), Personally Identifiable Information (PII) in full compliance with all applicable laws, rules and regulations. Where jurisdictions may conflict, the App Designer shall comply with the more rigorous requirements.  It is incumbent upon the developer to understand the scope and full requirements of the Privacy Rules and potential notification requirements of the region(s) for which they intend to operate. Developers should have relevant procedures in place and be able to document those procedures.

Guideline P1 – Notice of Use and Disclosure
The Privacy Notice is externally facing and describes to an app user how the organization collects, uses, and retains their data (e.g., PHI, PI, PII). This notice should be unbundled from other information notices regarding the application.  The type(s) of data that the app obtains, and how and by whom that information is used, is disclosed to the user in a Privacy Notice

     Requirements for Guideline P1

  • 01 The identity of any entities that will have access to, collect and/or use of the user’s personal information, shall be made available and disclosed to the user on an at least an annual basis and shall disclose use by any parties as a part of the use chain.
  • 02 The app publisher shall disclose any and all ownership, rights or licenses to any data collected about the app and its usage, including the use of any data for commercial purposes.
  • 03 The app shall have a section (tab, button or equivalent) or active link to its Privacy Policy, and owner represents that commercially reasonable efforts are used to notify users of any material changes to its Privacy Policy.
  • 04 If registration is required to use all or some of the app’s features, the user shall be provided with an explanation as to the uses of the registration information.
  • 05 User shall be provided (or have access to) a clear list of all data points collected and/or accessed by the app, including by the app publisher and all third parties such as in-app advertisers. This includes personal data pertaining to the usage of the app, including but not limited to browsing history, device (e.g., unique identifiers), operating system, and IP addresses. How and from where such data points are collected shall be disclosed.  An Option should exist for user to opt-out of passing data to in-app advertisers.
  • 06 User shall be provided (or has access to) a clear list of all data points collected and/or accessed by the app pertaining to the specific user, including user-generated data and data that are collected automatically about the user through other means or technologies of the app. This includes data points collected for the purpose of any third-party sharing. How and from where such data points are collected is disclosed.
  • 07 The app publisher shall obtain affirmative express consent before using user data in a materially different manner than was previously disclosed when collecting the data or collecting new data, including for third-party sharing.
  • 08 The app publisher shall obtain affirmative express consent before collecting personal data, in particular, Personally Identifiable Information (PII), Personal Health Information (PHI), financial data or location data, including obtaining HIPAA authorizations where applicable.
  • 09 The privacy policy shall inform users how they can get a copy of their personal information that was collected by the app. A designated individual or toll-free number may be required to be listed depending on domicile of user. The privacy policy shall also inform users how they can correct and update information supplied by, or collected about them, held by or on behalf of the owner, or shared with third parties, including the identity of such third parties, particularly in compliance with the HIPAA Privacy Rule, if applicable, and any other state or
  • international laws, rules, or regulations to the extent applicable.
  • 10 If not otherwise provided by default, the app shall allow users to control the collection and use of their in-app browsing data by supporting an online Do Not Track mechanism.
  • 11 If not otherwise provided by default, the app shall allow users to control their receipt of commercial messages from the app publisher and third parties through an “opt out” option, “do not contact,” or substantially similar feature.
  • 12 The app publisher shall not share any personal data with third parties, unless the app publisher: (i) has an agreement with such third party that addresses safeguarding any and all such user data (BAA); and (ii) takes the necessary measures to anonymize/de-identify all user data in accordance with the Health and Human Services Safe Harbor guidelines for de-identification.(iii) the user provides an affirmative user consent (iv) except when expressly disclaimed by app publisher (v) The app publisher has documented this within the Privacy Policy.
  • 13 App publisher should allow a user to delete all personal data from systems if canceling or deleting accounts. This functionality could be accessed by the user in app or by app owner.
  • 14 A mechanism shall be in place to notify users of changes to the Privacy Policy.
  • 15 A mechanism shall be provided that enables users to acknowledge and consent to changes to the Privacy Policy.
  • 16 User will be promptly notified (according to state or federal laws or contractual obligations) if breach occurs that has compromised their information in accordance with applicable state, federal and country laws.

 

Guideline P2 – Retention
If data is collected, the user shall be informed about how long the data is retained.

     Requirements for Guideline P2

  • 01 The Privacy Policy shall disclose the retention policy regarding user information. Such statement shall include policies with respect to data retention under any third-party data sharing arrangement.
  • 02 Retention and deletion time periods, which are based on clearly defined business needs or legal obligations, shall be set. If business needs are defined as “in perpetuity,” this shall also be disclosed.

 

Guideline P3 – Access Mechanisms
The app user is informed, through an End User License Agreement, if the app accesses local resources (e.g., device address book, mobile and/or LAN network interface, system stored credit card information, GPS and other location-based services, contacts, camera, photos, SMS or MMS messaging, and Bluetooth) or resources from and/or for social networking platforms, provided with an explanation by any appropriate means (e.g., the “About” section) as to how and why such resources are used, and opt-in consent is obtained to access such resources.

     Requirements for Guideline P3 

  • 01 If the app accesses any of the mobile device’s native hardware (camera, microphone, GPS/location, Calendar, Address Book, etc.) the express reason for requiring such access shall be disclosed to the user, separate from any warning/consent present in the mobile operating system.
  • 02 If the app accesses or uses any Wi-Fi, LAN, or mobile network data connections, an estimate of the amount of data consumed shall be provided to the user along with a notice that carrier data charges may apply.
  • 03 If the app accesses social networking sites (such as Facebook, Instagram, or like social media), the reason why such sites are being accessed is disclosed to the user.

 

Guideline P4Health Insurance Portability and Accountability Act (HIPAA) Entity or Business Associate
If the app, on behalf of a Covered Entity or a Business Associate (each as defined by HIPAA and the rules thereunder), collects, stores, and/or transmits information that constitutes Protected Health Information (as defined by HIPAA and the rules thereunder), it does so in full compliance with HIPAA and all applicable state and international laws, rules and regulations.

     Requirements for Guideline P4

  • 01 The user can affirmatively opt in or out (at any time) of information shared with or given access by third parties.
  • 02 The app publisher certifies that a Business Associate Agreement (BAA) has been executed pursuant to HIPAA with any and all necessary third parties.
  • 03 The user can access or request any of his/her Protected Health Information (PHI) collected, stored and/or transmitted by the app.
  • 04 The app publisher uses requisite efforts to limit the use and disclosure of PHI, including ePHI, to the minimum necessary to accomplish the intended purpose (e.g., “need-to- know”).
  • 05 The publisher must demonstrate that procedures are in place so that in the event of a breach the app publisher shallnotify affected individuals, HHS, and in some cases, the media (news agencies, print, radio, etc.) of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach.

 

Guideline P5 – Children’s Online Privacy Protection Act (COPPA)
The app has measures in place to protect children in accordance with applicable laws and regulations (e.g., Children’s Online Privacy Protection Act).

 

     Requirements for Guideline P5

  • 01 The app provides clear notice of the content that will be made available and its suitability for specific age groups.
  • 02 The app includes a clear and conspicuous Privacy Notice/Policy that addresses use by any child under the age of 13 and prevents usage without verifiable parental authority (please note state laws may have additional carve out regulations for children).
  • 03 The app provides for an age verification process—either automatic or self-reported—to control access to age-restricted content and to minimize the inappropriate collection, use, or disclosure of personal information from a child.
  • 04 The app does not, without obtaining verifiable parental/legal guardian consent, collect, use, or disclose data from any child under the age of 13.
  • 05 The app enables a parent/legal guardian who becomes aware that the child has provided information without his/her consent to contact the app publisher and eliminate account/delete that data.
  • 06 The Privacy Policy provides that the app publisher will delete any child’s personal information upon notice, or if the App publisher becomes aware or has knowledge, that such information was provided without the consent of a parent/legal guardian, including information that was shared with a third party.
  • 07 Apps that are intended for children must have a location default setting that enables parents/legal guardians to prevent the app from automatically publishing their child’s location.
  • 08 Apps that are directed at children under the age of 13 will have a default setting that prevents in-app purchases.
  • 09 Apps that are directed at children under the age of 13 will have a default setting that prevents usage of camera and microphone.

 

Guideline P6General Data Protection Regulation (GDPR)
The app has measures in place to comply with applicable laws and regulations related to the European Union General Data Protection Regulation (GDPR).

 

     Requirements for Guideline P6

  • 01 Provide Privacy Notice at the time user is providing information to the app. The Privacy Notice should be available in search feature.
  • 02 The Privacy Notice must be concise (plain language), transparent and accessible. For the Privacy Notice to be easily readable, key information is at front of notice and in a layered notice approach links are available for additional information in full version.
  • 03 The Privacy Notice must include the name of the organization, processor, name and contact details of the representative, and contact details of the Data Protection Officer (DPO) if a DPO is required.
  • 04 The Privacy Notice must state the lawful basis, legitimate purposes, and rights available to individuals in respect of processing.
  • 05 The user must be informed of the categories/source of personal data obtained if it is obtained from third party sources. This must be provided within a reasonable period of obtaining the personal data and no later than one month. Notice must be provided of the recipients of categories of personal data, whether the individuals are under a statutory or contractual obligation to provide personal data and the details of transfers of personal data to any third countries or international organizations.
  • 06 The details and existence of automated decision-making including profiling (if applicable) and the retention periods for personal data must be provided.
  • 07 Unexpected uses of user data should be posted on the front page of the Privacy Notice and there must be separate consent for different uses. A user must be given a simple way to consent to all types of uses listed (e.g. opt in/opt out boxes for each). If the app is requesting the user to receive direct marketing materials, then there should be a separate opt out box.
  • 08 The user must be put on notice that they have the right to withdraw from further use of data (if applicable through respective regional data governance laws) and the right to file a complaint with the respective regional supervisory authority.
  • 09 Best practice is to conduct audits to see what personal information the app maintains and conduct user testing to see if the privacy notice is easily understandable.
  • 10 The app developer must ensure the Privacy Notice is consistent with current use. If a material change is made to the collection or use of data, the Privacy Notice must updated  prior to processing.
  • 11 If the event of a breach of personal data, understand the type of data that has been impacted. Prepare a written report. And, based upon notice requirements of area of operation, Report within 72 hours of becoming aware of the reportable breach to the relevant supervisory authority.
  • 12 The App Developer shall be responsible for knowing relevant and appropriate regulations for the Regions in which they intend to operate
  • 13 The End User Licensing Agreement (EULA) should document how notice shall be provided to individual and appropriate authorities.

 

References: Additional information may be found at these sites:

US State Breach Notification Requirements: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

European Union General Data Protection Requirements- Information Commissioners Office UK: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed

Health and Human Services Safe Harbor: https://www.ecfr.gov/cgi-bin/retrieveECFR?gp=1&SID=90f45f0c857144405b17a43c35600c16&ty=HTML&h=L&mc=true&r=SECTION&n=se42.5.1001_1952

HIPAA:  https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?language=en

 

Please Complete the Following and Submit