As concern grows about data collection by mobile apps, Apple and companies involved with its new ResearchKit software development framework for medical studies say users of the first five apps have nothing to worry about.
Access to health data collected by the apps will be restricted to approved medical researchers and barred from commercial use, and the apps won't delve into the personal contents stored on a smartphone, according to the companies.
Sage Bionetworks, a nonprofit biomedical research organization in Seattle, handles collecting, de-identifying and storing of the health data gathered from the five apps developed with ResearchKit, Christine Suver, principal scientist, head of open science data governance at Sage, said in an email interview.
"We are as careful as we can be about keeping data as confidential as possible," said Suver. An independent review board has looked over the protocols for each study and the consent process and weighed the risks of participating in this research against the benefits, she said.
Apple announced ResearchKit on Monday during an event that centered on the Apple Watch. ResearchKit allows developers to create apps that can be used for medical research studies, essentially turning a smartphone into a diagnostic device. A person downloads the app from the iTunes store, consents to participate in the study and performs the functions asked by the app, which include completing tests and entering medical history information
The first five apps developed with ResearchKit debuted Monday. The framework will be generally available in April. For now, ResearchKit can only be used to develop iPhone apps. But Apple is making ResearchKit available as open source, meaning someone could extend it so that it could be used to build apps for other mobile OSes, like Android.
While Apple spoke enthusiastically about the potential of ResearchKit to help with medical studies, it also addressed concerns over the handling of health data by mobile apps. Nothing is more sensitive than a person's medical data, said Jeff Williams, Apple's senior vice president of operations, adding that people will determine how to share their medical data. "Apple will not see your data," he said.
Sage serves as a central hub for the data collected by the apps, Suver said. Sage helped develop two of the five apps, one for Parkinson's disease, called Parkinson mPower and the other, Share the Journey, for studying symptoms after breast cancer treatment.
The data Sage receives from the medical research apps contains health and personal information including a person's name, email address and date of birth. Sage then strips out the personal information, encrypts it and stores the data on a server. A randomly generated code is associated with the person's study data, "and maintains an encrypted mapping between participant account and participant study data," said Suver.
Only study organizers and IT staff can access the research data, which is stored on a secure cloud server, said Suver, reiterating that the information is even off limits to Apple.
HIPAA (Health Insurance Portability and Accountability Act) regulations don't apply to data that is acquired and shared for research, said Suver. HIPAA is a U.S. law designed to protect people's health care information.
"Instead, the informed consent that a participant agrees to governs how the data can be used," she said.
Still, the data is encrypted when it is transmitted to Sage and the cloud systems storing the information are HIPAA compliant, said Eric Schadt, director of the Icahn Institute at Mount Sinai. "We meet or exceed industry standards regarding the secure communication and storage of sensitive data," he said.
Personal details like first and last names, signatures and email addresses are required in any medical study, said Alan Yeung, a cardiologist at Stanford Medicine who was involved with the development of the hospital's app, MyHeart Counts, which deals with heart health. A signature shows people have agreed to take part in the research and an email address is necessary to send participants the study's results, he added.
Signing the consent form gives Stanford Medicine researchers access to the health data. Stanford Medicine may share aggregated data with other approved researchers who request it, said Yeung. Participants, though, have the option of opting out of having their data included in the aggregate data set.
In cases where the data is shared with researchers outside of Stanford Medicine, it does not contain personal information since it is compiled, said Yeung. Researchers, for example, could ask to see the aggregate data on the average distance a person walks when exercising.
The health data collected by the medical study app can't be linked to a phone number nor shared with for-profit organizations or insurance companies, said Yeung.
However, Stanford Medicine will have the key to identify people who participate in the smartphone medical research studies. The hospital would only identify a person if it needed to contact them because of a problem, said Yeung.
"That key is only sitting with us. Nobody else has it. Not Apple, not Sage," Yeung said. He emphasized that people must opt-in to these studies and sign a consent form that explains how their data is being used and shared.
The app developed by Mt. Sinai doesn't "access your personal contacts, other applications, phone use habits, text message content, personal photos, or websites visited," according to the program's privacy policies. The two apps Sage helped create have similar privacy guidelines and don't "access personal contacts, other applications, text message content, or Web sites visited."
Asked what entity will be in charge of ResearchKit going forward, Apple only said that the open-source framework would be added to over time, and declined to be more specific.
Yeung would like to see ResearchKit ported to Android so that studies aren't limited to participants with iPhones. "Apple agreed with that as well," he said.
Sage will handle the data generated by the five apps for the "forseeable future," said Schadt. Stanford Medicine's Yeung said the hospital could manage the data, but since ResearchKit just launched, Sage is handling that function for each app.
"Eventually, will that be the case? I'm not quite sure," he said.
Sage isn't tied to Apple and there aren't technical reasons preventing the organization from eventually supporting Android, said Sage's Suver, who declined to comment on future plans.
Apps developed with ResearchKit aren't required to use Sage and Apple isn't endorsing the nonprofit's data collection services, said Suver. The institutions behind the first set of apps agreed to use Sage.
"Sage would be happy to discuss how our services could be used by other groups wanting to build mobile study apps," she said.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.