The Privacy and Security Sections of the Xcertia Guidelines Are Now Available for Public Comment.
Comment Period Runs Until December 15, 2018.
App Privacy (P) Guidelines
Privacy will assess whether a mobile health app protects the user’s information, including Protected Health Information (PHI), Personal Information (PI), Personally Identifiable Information (PII) in full compliance with all applicable laws, rules and regulations. Where jurisdictions may conflict, the App Designer shall comply with the more rigorous requirements. It is incumbent upon the developer to understand the scope and full requirements of the Privacy Rules and potential notification requirements of the region(s) for which they intend to operate. Developers should have relevant procedures in place and be able to document those procedures.
Guideline P1 – Notice of Use and Disclosure
The Privacy Notice is externally facing and describes to an app user how the organization collects, uses, and retains their data (e.g., PHI, PI, PII). This notice should be unbundled from other information notices regarding the application. The type(s) of data that the app obtains, and how and by whom that information is used, is disclosed to the user in a Privacy Notice.
Performance Requirements for Guideline P1
- 01 The identity of any entities that will have access to, collect, and/or use the user’s personal information shall be made available and disclosed to the user on at least an annual basis, and shall include use by any parties as a part of the use chain.
- 02 The app publisher shall disclose any and all ownership, rights or licenses to any data collected in connection with the app and its usage, including the use of any data for commercial purposes.
- 04 If registration is required to use all or some of the app’s features, the user shall be provided with an explanation as to the uses of the registration information.
- 05 User shall be provided (or has access to) a clear list of all data points collected and/or accessed by the app, including by the app publisher and any and all third parties such as in-app advertisers, pertaining to the usage of the app, including but not limited to browsing history, device (e.g., unique identifiers), operating system, and IP addresses. How and from where such data points are collected shall be disclosed. An Option should exist for user to opt-out of passing information to in-app advertisers.
- 06 User shall be provided (or has access to) a clear list of all data points collected and/or accessed by the app pertaining to the specific user, including user-generated data and data that are collected automatically about the user through other means or technologies of the app. This includes data points collected for the purpose of any third-party sharing. How and from where such data points are collected is disclosed.
- 07 The app publisher shall obtain affirmative express consent before using user data in a materially different manner than was previously disclosed when collecting the data or collecting new data, including for the purpose of third-party sharing.
- 08 The app publisher shall obtain affirmative express consent before collecting personal data, in particular, Personally Identifiable Information (PII), Personal Health Information (PHI), financial data or location data, including obtaining HIPAA authorizations where applicable.
- international laws, rules, or regulations to the extent applicable.
- 10 If not otherwise provided by default, the app shall allow users to control the collection and use of their in-app browsing data by supporting an online Do Not Track mechanism.
- 11 If not otherwise provided by default, the app shall allow users to control their receipt of commercial messages from the app publisher and third parties through an “opt out” option, “do not contact,” or substantially similar feature.
- 13 App publisher should allow a user to delete all information from systems if canceling or deleting accounts. This functionality could be accessed by the user in app or by app owner.
- 16 The user will be promptly notified (according to state or federal laws or contractual obligations) if a breach occurs that has compromised their information, in accordance with applicable state, federal and country laws.
Guideline P2 – Retention
If data is collected, the user shall be informed about how long the data is retained.
Performance Requirements for Guideline P2
- 02 Retention and deletion time periods, which are based on clearly defined business needs or legal obligations, shall be set. If business needs are defined as “in perpetuity,” this shall also be disclosed.
Guideline P3 – Access Mechanisms
The app user is informed, through an End User License Agreement, if the app accesses local resources (e.g., device address book, mobile and/or LAN network interface, system-stored credit card information, GPS and other location-based services, contacts, camera, photos, SMS or MMS messaging, and Bluetooth) or resources from and/or for social networking platforms; is provided with an explanation by any appropriate means (e.g., the “About” section) as to how and why such resources are used; and opt-in consent is obtained before such resources are accessed.
Performance Requirements for Guideline P3 Access Mechanisms
- 01 If the app accesses any of the mobile device’s native hardware (camera, microphone, GPS/location, Calendar, Address Book, etc.) the express reason for requiring such access shall be disclosed to the user, separate from any warning/consent present in the mobile operating system.
- 02 If the app accesses or uses any Wi-Fi, LAN, or mobile network data connections, an estimate of the amount of data consumed shall be provided to the user along with a notice that carrier data charges may apply.
- 03 If the app accesses social networking sites (such as Facebook, Instagram, or like social media), the reason why such sites are being accessed is disclosed to the user.
Guideline P4 – Health Insurance Portability and Accountability Act (HIPAA) Entity or Business Associate
If the app, on behalf of a Covered Entity or a Business Associate (each as defined by HIPAA and the rules thereunder), collects, stores, and/or transmits information that constitutes Protected Health Information (as defined by HIPAA and the rules thereunder), it does so in full compliance with HIPAA and all applicable state and international laws, rules and regulations.
Performance Requirements for Guideline P4
- 01 The user can affirmatively opt in or out (at any time) of information shared with or given access by third parties.
- 02 The app publisher certifies that a Business Associate Agreement (BAA) has been executed pursuant to HIPAA with any and all necessary third parties.
- 03 The user has the ability to access or request any of his/her Protected Health Information (PHI) collected, stored and/or transmitted by the app.
- 04 The app publisher uses requisite efforts to limit the use and disclosure of PHI, including ePHI, to the minimum necessary to accomplish the intended purpose (e.g., “need-to-know”).
- 05 The publisher must demonstrate that procedures are in place so that in the event of a breach the app publisher shall notify affected individuals, HHS, and in some cases, the media (news agencies, print, radio, etc.) of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach.
Guideline P5 – Children’s Online Privacy Protection Act (COPPA)
The app has measures in place to protect children in accordance with applicable laws and regulations (e.g., Children’s Online Privacy Protection Act).
Performance Requirements for Guideline P5
- 01 The app provides clear notice of the content that will be made available and its suitability for specific age groups.
- 02 The app includes a clear and conspicuous Privacy Notice/Policy that addresses use by any child under the age of 13 and prevents usage without parental authority (Please note state laws may have additional carve out regulations for children).
- 03 The app provides for an age verification process—either automatic or self-reported—to control access to age-restricted content and to minimize the inappropriate collection, use, or disclosure of personal information from a child.
- 04 The app does not, without obtaining verifiable parental/legal guardian consent, collect, use, or disclose data from any child under the age of 13.
- 05 The app enables a parent/legal guardian who becomes aware that the child has provided information without his/her consent to contact the app publisher and eliminate account/delete that data.
- 07 Apps that are intended for children must have a location default setting that enables parents/legal guardians to prevent the app from automatically publishing their child’s location.
- 08 Apps that are identified for children will have a default setting that prevents in-app purchases.
- 09 Apps that are identified for children will have a default setting that prevents usage of camera and microphone.
Guideline P6 – General Data Protection Regulation (GDPR)
The app has measures in place to comply with applicable laws and regulations related to the European Union General Data Protection Regulation (GDPR). The GDPR applies if the app processes information about individuals in the context of selling goods or services to citizens of the European Union (EU).
Performance Requirements for Guideline P6
- 01 Provide the Privacy Notice at the time the user is providing information to the app. The Privacy Notice should also be reachable through a search feature.
- 02 The Privacy Notice must be concise (plain language), transparent and accessible. In order for the Privacy Notice to be easily readable, key information is at the front of the notice and, in a layered notice approach, links are available for additional information in the full version. Dashboards, icons, and mobile and smart device functionalities (e.g., pop-ups and alerts) are recommended tools for users to easily access their settings and preferences.
- 03 The Privacy Notice must include the name of the organization, the processor, the name and contact details of the representative, and the contact details of the Data Protection Officer.
- 04 The Privacy Notice must state the lawful basis, legitimate purposes, and rights available to individuals in respect of processing.
- 05 The user must be informed of the categories/source of personal data obtained if it is obtained from third party sources. This must be provided within a reasonable period of obtaining the personal data and no later than one month. Notice must be provided of the recipients of categories of personal data, whether the individuals are under a statutory or contractual obligation to provide personal data and the details of transfers of personal data to any third countries or international organizations.
- 06 The details and existence of automated decision-making including profiling (if applicable) and the retention periods for personal data must be provided.
- 07 Unexpected uses of user data should be posted on the front page of the Privacy Notice and there must be separate consent for different uses. A user must be given a simple way to consent to all types of uses listed (e.g. opt in/opt out boxes for each). If the app is requesting the user to receive direct marketing materials, then there should be a separate opt out box.
- 08 The user must be put on notice that they have the right to withdraw from further use of data (if applicable through respective Regional data governance laws) and the right to file a complaint with the respective regional supervisory authority.
- 09 Best practice is to conduct audits to see what personal information the app maintains and conduct user testing to see if the privacy notice is easily understandable.
- 10 The app owner updates the Privacy Notice to be consistent with current use. If there is a different use the Privacy Notice is updated and communicated to user prior to processing.
- 11 In the event of a breach of personal data, understand the type of data that has been impacted. Prepare a written report. And, based upon the notice requirements of the area of operation, report within 72 hours of becoming aware of the reportable breach to the relevant supervisory authority.
- 12 The App Developer shall be responsible for knowing the relevant and appropriate regulations for the Regions in which they intend to operate.
- 13 The End User Licensing Agreement should document how Notice shall be provided to the individual and the appropriate Authorities.
References: Additional information may be found at these sites
US State Breach Notification Requirements:
European Union General Data Protection Requirements- Information Commissioners Office UK:
Health and Human Services Safe Harbor:
App Privacy: Your Comments Are Encouraged and Appreciated
App Security (S) Guidelines
Security will assess whether the application is protected from external threats and maintains the integrity, availability, confidentiality, and resilience of the data.
Guideline S1 – Security Operations
The app publisher ensures that the app’s security procedures comply at all times with generally recognized best practices and applicable rules and regulations for jurisdiction(s) in which the app is intended to be sold or used and such procedures are explained or made available to users.
Performance Requirements for Guideline S1
- 01 Administrative, physical, and technical safeguards to protect user’s information from unauthorized disclosure or access are provided and employed.
- 02 Access to user’s information is limited to those authorized employees or contractors who need to know the information in order to operate, maintain, develop, or improve the app.
- 03 If the app utilizes unique identifiers, the identifier is linked to the correct user and is not shared with third parties.
- 04 If any third-party vendor services are utilized as part of the app, an Information Security Risk Assessment should be conducted of the respective third parties.
- 05 If your organization is subject to HIPAA or other Information Security and/or Privacy regulations, an internal risk assessment for any systems related to PHI/PII should be conducted.
- 06 The app developer should create and maintain a baseline configuration document so that potential risks can be identified.
- 07 Risk-appropriate authentication methods are used to authenticate users.
- 08 A written description of security procedures (in detail sufficient to apprise end users about how their personal information is safeguarded) is provided in a section of the app (tab, button, or equivalent) or through an active link. The security procedures are written in clear, easy-to-understand language and terms and are affirmatively agreed to by the user. Such components include, but are not limited to, how personal information is safeguarded, how unique identifiers are linked to the correct user, and authentication methods used.
- 09 The app developer should designate someone to be responsible for information security.
- 10 The app developer’s designated information security staff should have a baseline of information security knowledge.
- 11 Responsibilities for information security staff should be clearly documented.
- 12 Any staff members handling PHI/PII should be required to take Information Security Awareness training, highlighting HIPAA.
- 13 The app publisher has a mechanism in place to review security procedures on an ongoing basis and update security procedures, as necessary, to ensure that they comply at all times with applicable rules and regulations for jurisdiction(s) in which the app is intended to be sold or used.
- 14 Cloud-based apps meet Statement on Standards for Attestation Engagements (SSAE) No. 16 requirements and an SSAE No. 16 audit report is provided. (http://ssae16.com/SSAE16_overview.html)
- 15 If the app uses Short Messaging Service (SMS) or Multi-Media Message Service (MMS), the user is informed whether messages are encrypted and, if so, the level of encryption.
- 16 Any app that collects, stores and/or transmits user financial data for any purpose, including payment processing, or the app directs to any website for the purpose of collecting and/or processing of financial information, including any third party website, shall comply with any and all applicable Federal and state laws, rules and regulations, and private sector regulatory best practices guidelines and initiatives regarding data security requirements.
Guideline S2 – Vulnerability Management
The app, including without limitation, any advertisement displayed or supported through the app, is free from known malicious code or software such as malware, including, but not limited to, viruses, worms, trojan horses, spyware, adware, rootkits, backdoors, keystroke loggers, and/or botnets at time of release and/or upgrades.
Performance Requirements for Guideline S2
- 01 A scan of the app by the App Developer using scanning software does not reveal any known malicious code or software objects prior to release.
- 02 A scan of any third-party code, including advertising networks, incorporated into app for purposes of displaying or supporting advertisements (e.g., banner, interstitial) does not reveal any known malicious code or software.
- 03 If ongoing scanning does produce evidence of malicious code or software objects, the app publisher proactively works to update the app and notifies end users.
Guideline S3 – Systems & Communication Protection
If the app collects, stores or transmits any personal information, including, but not limited to, usernames and passwords, such information is collected, stored, and transmitted using encryption.
Performance Requirements for Guideline S3
- 01 Passwords are stored using a random length, one-way salted hash, or current accepted guideline.
- 02 Usernames and passwords are collected and transmitted only when using encryption between the client app and the server.
- 03 Other personal information while at rest and/or in motion is encrypted using a generally recognized, industry-accepted encryption method (e.g., FIPS 140-2, ISO/IEC) for such information and the encryption level is disclosed.
- 04 App contains security safeguards to verify the identity of intended user in the event of forgotten, lost or unknown user name, password and/or passcode (“unique identifiers”), for purposes of reminders, re-linking, or creation of new unique identifiers.
- 05 The organization should have a change management process for changes made to the app or critical systems.
- 06 Information systems related to the app should have antivirus software and a mechanism to keep the application environment up to date with security patches.
- 07 Application data should be backed up regularly.
- 08 Firewalls should be used for internal and external connections.
- 09 Vulnerability assessments should be conducted on the application and organizational network on a regular basis.
- 10 If removable media is used for the storage of PHI/PII, the media should be encrypted to protect the data from unauthorized access.
- 11 The organization should have a documented patch management process for systems and the app.
- 12 The installed app and respective infrastructure should have the capability to log and audit activity within the system, e.g. who did what, when and how.
- 13 Installed app audit logs should be maintained for a minimum of 90 days.
Guideline S4 – Compliance
If the app collects, stores and/or transmits information that constitutes PHI as defined by HIPAA, and the rules thereunder (e.g., app publisher constitutes a Business Associate pursuant to HIPAA), it uses requisite efforts to maintain and protect the confidentiality, integrity, and availability of individually identifiable health information that is in electronic form (e.g., ePHI).
Performance Requirements for Guideline S4
- 01 If the app, or through its use, subjects the user or any party to HIPAA, the app publisher has implemented administrative, physical and technical safeguards, and developed policies and procedures, pursuant to the HIPAA Security Rule, as applicable. For purposes of the technical safeguards/security controls, only certain certified encryption technologies are permissible for compliance with HIPAA.
- 02 If applicable, the app or the app publisher has safeguards in place and/or uses requisite efforts to comply with any and all obligations pursuant to any BAA, including capabilities to assist a covered entity in curing any breach, and address all other requirements of HIPAA in the event of a breach including notifying affected users.
- 03 The app publisher has the capabilities to enable compliance, and shall comply with any and all applicable notification requirements to its users in the event that users’ PHI is or is suspected to be compromised (e.g., Breach Notification Rule pursuant to HIPAA including the capability to support and execute notification requirements).
- 04 The app publisher has a mechanism to notify end users about apps that are banned or recalled by the app publisher or any regulatory entity (e.g., FDA, FTC, FCC, UL).
- 05 In the event that an app is banned or recalled, a mechanism or process is in place to notify all users about the ban or recall and render the app inoperable.
- 06 In the event that the app constitutes a medical device (e.g., 510(k)) or is regulated by the FDA in any other capacity, the app publisher has a policy and a mechanism in place to comply with any and all applicable rules and regulations for purposes of handling all aspects of a product notification or recall, including all corrections and removals.
Guideline S5 – Access Control and Authentication
If the app collects, stores and/or transmits personal information, the app offers one or more industry-accepted methods for guarding against identity theft.
Performance Requirements for Guideline S5
- 01 The app provides a method for securely authenticating the user at a session level (e.g., password, pass phrase, PIN, challenge phrase) and also utilizes additional methods or techniques to further secure the identity of the users whenever the system is initially establishing identity or the system has indications that the identity might have been compromised (e.g., multiple password failures).
- 02 Unique user IDs should be used for access to all roles within the application.
- 03 Access within the application should be limited to what is needed for that individual’s specific role.
- 04 A process for provisioning and deprovisioning access in a timely fashion should be documented.
- 05 Remote access or privileged access should require second-factor authentication to reduce the risk of unauthorized access.
Guideline S6 – Asset Management
If the app collects, stores and/or transmits personal information, the app maintains a methodology for documenting those Assets.
- 01 The organization should have a process for tracking information and physical assets.
- 02 Information assets should be classified based upon their value to the organization and outside regulations, e.g. public, internal, confidential, sensitive.
Guideline S7 – Physical & Environmental Security
If the app collects, stores and/or transmits personal information, the app developer shall maintain a record of how security is maintained.
- 01 The organization should have a physical security program.
- 02 The physical security program should include security and environmental controls for the building/data center which contains information assets and systems.
Guideline S8 – Incident Response
If the app collects, stores and/or transmits personal information, the app developer shall create and maintain an Incident Response system.
- 01 The organization should have an Incident Response plan in the event of an information security incident.
- 02 If a breach is determined to have occurred, the organization should notify customers and individuals affected in accordance with applicable regulation.
Guideline S9 – Disaster Recovery & Business Continuity
If the app collects, stores and/or transmits personal information, the app developer shall provide a documented plan when the app, data or access is not available for use.
- 01 The organization should have a documented DR/BC plan in the event that the application, data, or its infrastructure is not available for use.
- 02 Restore tests from data back-ups should happen on a regular basis.
- 03 Tests of the DR/BC plan should happen on a regular basis.
App Security: Your Comments Are Encouraged and Appreciated
Xcertia will respond to the critical need for a comprehensive effort to develop a framework of principles that will positively affect the trajectory of the mobile health app market. Xcertia’s guidelines will be a trustworthy resource to support consumer and clinician choice of mobile health apps.
Xcertia will incorporate feedback from its members in a consensus-driven process to advance the body of knowledge around the quality of clinical content, usability for both consumers and health care professionals, privacy and security, interoperability and evidence of clinical efficacy.