The following article was originally published by Healthcare Informatics.

Healthcare professionals who are in a position to recommend the use of fitness apps need to be aware that patients’ personal data can be used in ways that HIPAA would prohibit and that will surprise patients who are trying to be smart about fitness in a smartphone world.

The privacy and security requirements of HIPAA, the Health Information Privacy Protection Act, do not apply to fitness app data, which is similar to regulated health data. The exceptions are where regulated health data is collected through an app by a healthcare provider, healthcare clearinghouse or health plan, or the app company is a statutory business associate of one of them. Because these exceptions are infrequent, healthcare professionals and consumers must look to a specific fitness app’s privacy policy to determine which type of data is private as well as the converse—which and how much personal information is disclosed to and used by third parties.

However, the percentage of fitness apps that have privacy policies is in fact less than the percentage of the so-called “top apps” in all categories that have such policies, according to a recent study, “The Future of Privacy Forum’s August 2016 Mobile Apps Study.” The difference is noteworthy, because fitness apps by their nature collect information that is more intimate and sensitive than the information collected by general apps. According to this study, 76 percent of the top apps have a privacy policy while only 70 percent of fitness apps do. Thirty percent of fitness apps have no privacy policy at all.

This article analyzes the risk factors under the privacy policies of the 70 percent of fitness apps that do have some type of privacy policy. We identify the red flags that arise under the policies and make recommendations for selecting a fitness app to maximize privacy protection.

The Customer is Not the User

The consumer is the user, not the customer of the app company. The customer is the advertiser. The user provides data that the app sells to advertisers to generate revenue. This business model goes a long way toward explaining the limitations on privacy protection, especially with free apps.

What Fitness Data is Collected and Therefore at Risk?

Fitness data includes a wide range of data, including: (1) archetypal personal data provided by the user, such as name and address; (2) fitness and health-related data provided by the user, such as height, weight, and fitness activities; (3) information collected by the app during use; (4) information shared through the app’s social media component; (5) information measured by sensors on the mobile device, such as heart rate; (6) information provided by the mobile device itself, such as geolocations; (7) aggregated data from the above; (8) behavior tracking data prepared by third party analytics firms; and (9) user data collected by advertisers during use. “Behavior tracking” is a set of online techniques used to collect and interpret fitness app users’ activity as they use apps, visit websites, and engage in other Internet activity. Advertising and marketing agencies use behavior tracking to tailor advertisements for specific users.

Privacy Policies Available at App Store vs. Only Within the App

Users can read some privacy policies in the app store listing page before the app is downloaded. Others are available only within the app itself, which means that the privacy policy can be read and assessed only after it is downloaded. The inference is that an in-app only policy will be less protective. Significantly, according to the FPF Study, 71 percent of the top apps have policies accessible from the app store while only 61 percent of fitness app privacy policies are available there.

Long vs. Short Privacy Policies

Perhaps counterintuitively, longer privacy policies are most often less protective of privacy than are shorter ones. Long policies generally protect the app developer more than the user. The length is driven by the need to explain all the ways in which the user’s information will be used and to give notice of, and obtain consent to, third party use.

Free vs. Paid Apps

Free apps rely more on advertising for revenue than do paid apps. Paid apps receive revenue from direct payments from users, and thus have less need for ad revenue. The more detailed the information about their users that free apps provide, the more attractive the apps’ fitness data is to advertisers. Accordingly, in almost all cases, free apps collect more personal information than do paid apps because the business model of the free apps requires collecting information and selling it.

Research conducted for the Privacy Rights Clearinghouse and reported in the “Technical Analysis of Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications” (the “Technical Analysis”) found that 75 percent of the free apps use behavior tracking, often by multiple analytics services, compared with 45 percent of paid fitness apps. It also found that most free apps and half of the paid apps sent user data to as many as five different third party analytics sites, often within minutes after the user begins using the app.

HTTP vs. HTTPS

“HTTP” means “Hyper Text Transfer Protocol”—the Internet protocol used to send data between a user’s browser (or app) and the website to which it is connecting. In “HTTPS,” the “S” stands for secure, and “secure” means encrypted. HTTPS is an example of the use of “SSL,” or “Secure Sockets Layer,” a technology that encrypts data so that it cannot be read while in transit (its successor, TLS, is what current connections actually use). In contrast, data transferred over plain HTTP is transmitted in the “clear.” As an example, an HTTP transfer allows third parties with access to the data in transit, such as anyone on the same Wi-Fi network or any intermediate network operator, to see the website the user is looking at or the behavioral analytics generated by the fitness app. The encryption vs. non-encryption issues apply whether the app is a free or paid app.

According to the Technical Analysis, only 6 percent of the free apps and only 15 percent of the paid apps sent behavior tracking information to third party analytics services using HTTPS or some other form of encrypted SSL connection. Thus at least 85 percent—a high percentage indeed—of such data about app users is sent in unprotected form using only HTTP, whether a free or paid app is used.
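The following is an added example, not part of the original article, showing how a reviewer of an app could audit its outbound traffic for the plaintext problem described above. It reads constructed proxy-log lines (the log format, host names and field names are invented for illustration) and reports, for each transfer, what an observer on the network path could read: for plain HTTP the full URL including every query parameter, for HTTPS only the destination host name.

```python
"""Added example (not from the article): audit constructed proxy-log lines of a
fitness app's outbound requests and report what an on-path observer could read.
Assumptions: the log format and the host names below are constructed."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample of requests a fitness app might emit; hosts and fields are
# invented for illustration and do not identify any real service.
SAMPLE_LOG = """\
2016-08-01T12:00:01Z GET http://analytics.example-tracker.net/t?uid=u-4821&event=run_start&lat=40.71&lon=-74.00
2016-08-01T12:00:03Z POST https://api.example-fitapp.com/v1/workouts
2016-08-01T12:00:05Z GET http://ads.example-adnet.com/px?uid=u-4821&age=34&weight_kg=82
2016-08-01T12:00:09Z GET https://metrics.example-tracker.net/v2/collect?uid=u-4821
"""

def audit_transfers(log_text):
    """Return one finding per request: whether it was encrypted and which
    parts of it an observer on the network path could read."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, _method, url = line.split(" ", 2)
        parts = urlsplit(url)
        query_fields = sorted(parse_qs(parts.query).keys())
        if parts.scheme == "http":
            findings.append({
                "host": parts.hostname,
                "encrypted": False,
                # Host, path and every query parameter travel in the clear.
                "observable": ["host", "path"] + query_fields,
            })
        else:
            findings.append({
                "host": parts.hostname,
                "encrypted": True,
                # With TLS only the destination host name is visible (via the
                # SNI extension); path and query stay inside the encrypted channel.
                "observable": ["host"],
            })
    return findings

def plaintext_share(findings):
    """Percentage of transfers that were sent without encryption."""
    if not findings:
        return 0.0
    unencrypted = sum(1 for f in findings if not f["encrypted"])
    return round(100.0 * unencrypted / len(findings), 1)
```

Running `audit_transfers(SAMPLE_LOG)` on the constructed log shows the user identifier, location and body-weight fields exposed on the two plaintext transfers, while the HTTPS transfers reveal only their destination host.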

Key Conclusions

What fitness app should you choose? Even without reading a privacy policy, the following factors indicate the apps likely to provide stronger privacy protection:

(1) A short privacy policy, not a long one;

(2) A paid app, not a free app; and

(3) A privacy policy available on the app store’s listing page, and not only after downloading.

These factors can be used to balance the benefits of a fitness app against a broad use of personal fitness data by companies other than the app company.