Galen Gruman
Executive Editor for Global Content

The mobile health apps gold rush may already be over

analysis
Jul 25, 2014 | 7 mins

A collision between Silicon Valley's data-mining business model and federal medical privacy rules may prevent a viable market

The new gold rush is mobile health apps, both to track medical conditions and fitness. But the Federal Trade Commission fired a warning shot this week against those seeking to mine users’ health information, in a move that could dissuade prospectors before they really get started.

The issue is complex, but it boils down to a Silicon Valley business model that is especially popular for mobile apps but incompatible with federal rules on managing health information. Both Silicon Valley and Washington are to blame, but should a clash arise, Silicon Valley will lose — and the vision of your smartphone as your fitness and health hub, à la Apple’s HealthKit APIs and Samsung’s planned clone, will disappear.


Here’s the issue: People are free to share their health information with anyone they want. But health information stored by others is subject to HIPAA rules on maintaining people’s privacy over their health history. HIPAA was born in the 1990s because insurers had started using health data to deny coverage or insurance, and some employers started screening out medically expensive employees in their hiring. In the 1980s, insurers, employers, landlords, and other businesses freely discriminated against those with AIDS and other diseases, which took the fears of abused medical information out of the realm of theory into ugly real-world practice.

When health data gets shared by an app, the feds get concerned …

In the decades since, HIPAA has perversely limited the amount of data sharing among medical providers — because permission is needed to share that data. Never mind that the principal goal of HIPAA was to encourage health information portability, so people could more freely move among providers and not repeat the same pricey tests or risk inadvertently damaging procedures in emergency rooms caused by doctors who didn’t have access to your medical history. (The law’s name, after all, is the Health Insurance Portability and Accountability Act, with privacy as part of accountability.)

As I’ve previously written, the feds are aware of the irony of HIPAA’s privacy rules inhibiting the flow of health information, which has been a major goal of the feds since the first Bush administration to lower costs and improve care. Agencies like the FDA and the Health and Human Services Dept. have taken a wait-and-see approach to how people’s health data would be used in the expected wave of fitness and health apps and devices.

But they and now the FTC have all sent the same message about when they’d start to impose regulations. This week’s FTC warning is of particular note because it affects all apps, not only those considered “medical” in nature. In other words, all those fitness apps and sensors could get regulated if app developers and service providers aren’t careful with the user information they collect. (The other federal red line is the practice of medicine, meaning diagnosing or treating medical ailments; that requires FDA approval. But Silicon Valley seems to already understand that.)

… But Silicon Valley uses your information to pay for those apps

There’s where the Silicon Valley business model comes in. The way most app developers make money, especially in mobile and on the Web, is to mine user information and resell it to other companies, whether to target ads or to do more focused marketing or sales. That’s the red line for the FTC.

It’s fine to help users store their information gathered from a variety of apps and sensors — that’s Apple’s HealthKit API in a nutshell. It’s not fine to provide that information to others or mine it and use the mined data, even if “anonymized” and aggregated for other purposes than the users’. The standard of the FTC, FDA, and HHS contradicts the business models of Google, Facebook, and most “free” services today.

The U.S. government has been lax when it comes to protecting user privacy hoovered up by such companies, though the Europeans have not been so shy. That’s perhaps convinced Silicon Valley it can amass health data freely as well. Google learned better when it briefly entered the “health information vault” business a few years ago, only to abandon it when the company realized it could not mine that data without getting into legal trouble. But that was half a decade ago, and Silicon Valley has a short memory.

The feds don’t. Although the U.S. government is generally OK with mining users’ personal data for marketing, its attitude changes dramatically when it comes to health information. The feds may not care that Facebook knows you’re gay before you come out or Target knows you’re pregnant before you’ve told anyone, to use popular examples of how it can understand people intimately based on their Web and app habits, then expose that through the advertising it directs to you. But the feds care that no one but you knows you have arthritis or cancer unless they get your written permission each time they want to access that fact.

Silicon Valley’s “free” services work only if they can dredge as much information as possible about you, without needing to check after that first terms and conditions you accept to use the app or service. If they’re required to manage permissions in the same way that the health care industry must under HIPAA and the follow-up HITech law, they can’t make any money — which means they won’t deliver all those health apps you’re reading about now in anticipation of Apple’s HealthKit and others’ similar technologies.

Who’ll have to blink first: The feds or Silicon Valley?

Is that a good thing? Yes and no. Being able to know and act on your own health information is a powerful remedy. Due to the collision of the feds’ privacy mandates and Silicon Valley’s privacy-mining business model, we may not get that to the degree we expect, unless we’re willing to pay real money for the privilege — and most of us regularly prove we are not. But we also aren’t likely to be abused due to broad access to our health information.

For there to be a gold rush in mobile health apps, either the federal rules or the Silicon Valley business model has to change. The federal rules need to be modernized, such as to allow medical information to be sent via personal email, but their principles are rock-solid and right. Plus, changing such rules takes years, even decades.

So it’s up to Silicon Valley to find a way to square the health-information circle. It may choose to simply move its attention elsewhere, as Google did when it faced the same dilemma several years ago.

This article, “The mobile health apps gold rush may already be over,” was originally published at InfoWorld.com.