Health and fitness apps are great for tracking health data and sharing stats with friends to stay accountable to your fitness goals. But odds are, you weren’t hoping to share that data with app developers, third-party companies, or hackers.

Unfortunately, that may be exactly what’s happening. Not only are fitness apps selling data to third parties using language hidden in user agreements, but with health data passing through so many hands, it’s at a higher risk of theft by malicious actors.

If you’d prefer your health information to stay private, here’s what you need to know.

Who Is and Isn’t Required to Protect Personal Health Information?

  • The Department of Health and Human Services states that only covered entities are required to comply with HIPAA. Covered entities include most healthcare providers, health plans, and healthcare clearinghouses. Business associates of these entities also must comply with HIPAA.
  • Politico notes that “as federal rule-makers grapple with making patient data more easily shareable, some health leaders fear that their actions could lead to a proliferation of apps selling or exploiting medical data. They worry that patients are likely to sign away their rights to data — perhaps including detailed family histories — without realizing what they’re doing.”

Why Should I Care?

  • Computer World asserts that “the healthcare information, stripped of basic personal identifiers is sold off to researchers, drug developers, marketers and others. Medical informatics companies, such as Iqvia (IMS Health), Optum, and Symphony Health reap the profits of selling the healthcare data while the people from whom it’s collected have no control over how it’s used. Nor do they get any compensation for it.”
  • “Although companies say the data being shared has been anonymized, ‘it’s not that hard to combine data from a number of sources to figure who you are,’ [Jennings Aske, senior vice president and chief security officer at NewYork-Presbyterian Hospital] said. ‘And ultimately you can strip my name from something but my iPhone Mac address is still there and my cable provider pretty much keeps the same IP address.’”
  • Most health apps are susceptible to common hacking techniques, one study found. “Ninety-five percent of the FDA-approved apps lack binary protection and have insufficient transport layer protection, leaving them open to hacks that could result in privacy violations, theft of personal health information, as well as device tampering and patient safety issues,” according to Healthcare IT News.

How Can I Protect Myself?

  • “How much of your data is shared, and to whom, is usually set out in the privacy policy that most people accept (and don’t bother to read) when they are installing an app.” To help, The Verge has a rundown of some of the most popular health apps’ privacy policies.
  • In addition to reading privacy policies, consumers should set privacy controls to the strictest settings available, limit the data they enter in apps, and contact tech companies directly if user agreements aren’t clear about how data will be used, Security Boulevard advises.

How Do Medical Practices Protect My Health Information?

  • “The Federal HIPAA Security Rule requires health service providers to protect electronic health records (EHR) using proper physical and electronic safeguards to ensure the safety of health information. Breaches of over 500 records, whether due to a hacking incident, accidental disclosure, lost or stolen devices, or unauthorized internal access, must be reported.”
  • “If [an] organization wants to do business with a covered entity or business associate that requires HITRUST certification, [they] need to get HITRUST certified in order to work with that entity. … Organizations that are HITRUST certified have demonstrated that they have effective security and privacy practices in place that are in line with strict healthcare industry regulations like HIPAA,” explains Datica.
  • “Although gaps in HIPAA regulations have left PHI vulnerable to attack and misuse, there are legislative avenues to prevent this from happening. Additional statutes have been periodically added to HIPAA to improve regulations, and further adjustments to HIPAA may address current threats to our health data privacy.”

For now, few protections exist for consumers who want to use health-based technology without exposing their data to third parties and malicious actors. That means if you want to keep your data private, it’s up to you to vet apps and devices and avoid the ones that put your privacy at risk. While it may narrow the options, it’s worth it to keep your most personal information secure.

Guest blog written by Diane Harrison (email

Image via Unsplash