Dan Jellinek, Editor, Friday 25 January 2013

Big grey area: how will we regulate m-health?

The complex, rapidly-expanding world of mHealth - the use of smartphones and other mobile devices for health care purposes - is creating big challenges for governments, patients and technology manufacturers when it comes to privacy, security and device regulation, a new report finds.

In mHealth applications an internet-enabled device such as a smartphone will often connect wirelessly to wearable, portable, or embeddable sensors to track or measure a patient's health or movements. Data may be shared with clinicians, carers or researchers.

The privacy implications of data leaking out and the sheer potential quantity of sensitive data collected about an individual set mHealth apart from previous care models, according to the report, "Evaluating mHealth adoption barriers: privacy and regulation", published by mobile provider Vodafone Global Enterprise.

"If contact with patients is more flexible and frequent, can it always be kept confidential?" it says.

Apart from strong security and audit trails, in the new mobile world "there is a growing body of evidence suggesting that many systems of individual consent to use of personal data are not particularly well-constructed", the report finds. "Until now it has been a one-off commitment made at the start of the relationship, but we may now need a rethink, moving towards an ongoing dialogue."

One example quoted in the guide illustrates the pointlessness of one-off initial granting of data consent. On 1 April 2010 the retailer Gamestation temporarily altered its terms and conditions for customers as an April Fool's Day prank. It included the statement: "By placing an order via this web site... you agree to grant us a non transferable option to claim, for now and for evermore, your immortal soul". Of the 7,500 customers who made purchases that day, none clicked on a link to nullify this Faustian pact. No-one, in other words, reads the small print.

In any case, the report says, at installation the user may have little idea of what a mobile application does, and may have difficulty making an informed decision when confronted with a list of data access choices. Possible new approaches include a shift of emphasis towards an ongoing dialogue about privacy between user and application.

There are also major regulatory challenges thrown up by mHealth applications, which straddle the boundary between medical and telecommunications regulation. Regulators are faced with a basic question, the report says: between sensors and apps handling lifestyle, fitness and clinical data - what constitutes a medical device?

For many purposes, the distinction is made between systems and devices created for medical purposes and more general systems and devices put to medical uses. But there are many grey areas, such as fitness apps or devices that track information such as the number of steps people take, the number of stairs they climb and the number of hours they sleep. Features which need to be assessed include whether such applications might be used as the basis for decisions that will directly impact the user's health; or whether a user could unwittingly harm themselves.

One piece of research which looked at 100 downloadable health and fitness apps from iTunes found that while most were clearly non-regulatable, eight fell into regulatable categories; and a full third of the apps surveyed fell into the grey area.

"Given the number of downloadable mobile apps being published to smart phone app stores, this scale of uncertainty could present a real problem for this particular kind of mobile application," the report finds.
"Yet, while the policymakers labour over rule sets, the market continues to innovate at a breakneck pace."

Evaluating mHealth adoption barriers: privacy and regulation:

The Vodafone report was edited by UKAuthority.com writer Dan Jellinek