At a seminar hosted by the Federal Trade Commission earlier this month, speakers discussed the privacy implications of consumer-controlled health records and apps.

The overarching message from the agency: companies need to increase privacy protections for consumers in the health data ecosystem and improve transparency, particularly as data is shared with entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).

Jared Ho, an attorney in the FTC’s Mobile Technology Unit, spoke about a recent survey of 12 mobile health and fitness apps. According to the agency’s findings, the apps shared user data with 76 different third parties; one app alone passed on information to 18 other entities. “In a few instances we found names and e-mail addresses being transmitted,” Ho said.

Other research cited by the agency documented that 30 states are selling or sharing personal health data with third parties outside the boundaries of HIPAA. FTC chief technologist Latanya Sweeney said consumers need to be told their data is being shared and where it is going. “Transparency establishes trust,” Sweeney told attendees. “The goal here isn’t to shut down the apps; it’s to jointly move forward with the benefits while addressing the risks.”

Speakers, who included members of the FTC and the U.S. Department of Health and Human Services and representatives from the private sector, expressed concern that consumers are unaware of the scope of data sharing from apps and wearable devices. While some consumer information is removed before the data is sold or shared, the potential remains that the data could be re-identified. If so, consumers could face adverse consequences from the sharing of their identifiable health information.

Why it matters: Speakers at the panel noted that no overarching regulation governs the use of consumer-controlled health data. While some groups (like the American Medical Association) have enacted self-regulatory guidelines or codes and HIPAA regulates specifically enumerated entities like doctors, insurers, and their business associates, those not covered by the statute can collect and store information without restrictions. That may change, particularly as the FTC continues to shine a light on the issue.