Can I trust a healthcare app with my data? It depends.

By: Lucia Savage, Chief Privacy Officer & Carolyn Bradner Jasik, Chief Medical Officer

Since the release of the iPhone in 2008, health care has been wrestling with how to incorporate digital health apps into traditional models. This is especially true in the privacy space, where regulations have been clear for decades via HIPAA about how to both safeguard and provide access to patient data. But with recent controversy over how tech companies safeguard consumer data, our confidence in tech companies and their capacity to protect privacy is a bit shaken. With more than eight in 10 U.S. adults now using digital health tools, it is more important than ever for us to ensure that health data is secure. And one of the best ways to do that is for digital health companies to start thinking of themselves more as health companies vs. tech companies.

In addition to increased regulation of the consumer health app space to protect user data from unintended use (an important first step), we also need to stop lumping all digital health applications together. Companies like Omada that operate as a healthcare provider, deliver evidence-based care, and are staffed with personnel trained and credentialed to deliver services operate in a different space entirely than an app that simply tracks data. Here we review key questions to ask when considering a mobile health application for your health, to help ensure that your data is being managed properly.

1. Is it just an app or a “real” medical provider?

The vast majority of digital health solutions that are available today operate as consumer-facing solutions that are accessed via the app store.  These solutions do not operate as HIPAA-covered entities and (for the most part) do not safeguard data according to federal health care privacy protections.  Mature digital health companies (like Omada) operate as healthcare providers and digitally deliver care.  This is a key distinction as this set-up incurs regulatory requirements for the storage and release of health records.  This is a responsibility we welcome. We’ve invested heavily in clinical, privacy, and security standards, with the hope that they might set a standard for others in the industry.  As one example, every Omada employee - from our CEO to our newest employees - receives HIPAA privacy training just as any employee at a hospital would to ensure the protection of our user data.

2. Is app data treated as “user” data or “patient” data?

Omada delivers its healthcare services under the same standards and rules that apply to doctors’ offices and hospitals throughout the United States. Our participants’ data is treated exactly like the data of a patient held by a doctor or hospital. We back up that regulatory adherence via industry-leading security controls independently validated by HITRUST and SOC2. And most importantly, we never sell the health information of our participants. Consumer apps depend on advertising dollars as a source of revenue and they fuel that by monetizing user data - often sensitive health information. Omada does not allow third parties to use our data to sell products, just as your doctor’s office would not sell your medical data to a pharmaceutical company. Our privacy practices and our HIPAA Notice are published on our website.

3. Does the company get paid via ads or medical claims?

Omada’s revenue does not depend on app downloads or getting paid via ads. We bill through medical claims like any doctor’s office would - with one key difference. Omada takes it to the next level by embracing value-based reimbursement; that is, whether our participants achieve specific clinical indicators of improved health impacts how much we are paid for our healthcare services. In contrast, “free” health or fitness applications are incentivized to drive user engagement regardless of outcomes because they get paid with advertising “eyeballs.” There are few healthcare providers, let alone health apps, that link their revenue to clinical improvement of their population.

4. Is the in-app programming dictated by user engagement, clinical outcomes, or both?

The healthcare services we deliver are evidence-based, just like the best practices of in-person physicians and health systems. Our flagship diabetes prevention program (DPP) is adapted from long-standing protocols first developed by the National Institutes of Health, with decades of literature on effectiveness. We’ve published 11 peer-reviewed studies, and launched the largest-ever randomized controlled trial of digital diabetes prevention to demonstrate outcomes for our DPP program.

For our chronic disease self-management program, we utilize clinical protocols validated by the American Diabetes Association, and all of our coaches are Certified Diabetes Educators. We also integrate best practices recommended by the American Medical Association, the American Heart Association, and the American College of Cardiology. Educational and behavioral materials are delivered to participants on their smartphones, when and where they need them most. With the integration of digital glucometers, the Omada program helps individuals understand in real time how their lifestyle choices impact their blood glucose.

5. Does the app treat all data the same?

We’ve also begun to offer health care services to support those dealing with anxiety and depression. Our recent move into the mental health space has reinforced how seriously we take the privacy of our patients.  Under HIPAA rules and clinical best practice, data that relates to mental health is stored and accessed separately from other health data. Historically, additional privacy regulations have been implemented to prevent discrimination against those who seek these services. We’ve embraced these additional rules, so individuals who receive our services can be secure in using Omada.  

After $41 billion invested in digital health in the past 10 years, we have yet to see a substantial impact on disease burden or costs. A likely reason for this is that we still do not have enough companies who are serving consumers as a health care provider vs. a consumer app. If digital health is really going to move the needle in health care, we need to get past “is there an app for that?” toward “is there a digital care provider for that?”