The regulatory scrutiny on telemedicine and digital health companies continues to tighten, whether it is privacy warning shots, new direct-to-consumer (DTC) advertising limits, a wave of reimbursement audits, or multistate DOJ investigations. Now, any company that wants to be listed on Apple’s App Store must give users the ability to delete their account.
Apple just announced all apps that allow for a user to create an account must also give that user the ability to delete their account from within the app itself. The new rule is effective January 31, 2022, so product development teams may want to order some extra cold brew and prepare for a programming sprint.
The announcement also reminds companies that Apple Guidelines require the app to have a privacy policy that details how the app collects, shares, uses, maintains, and deletes user data. This privacy policy must be publically accessible and will be reviewed by Apple upon the app’s submission to the Apple Store. In addition to federal and state law privacy requirements and Federal Trade Commission (FTC) guidelines, Apple’s rules also require that the privacy policy clearly and explicitly:
- Confirm with any third party with whom the app shares user data, such as analytics companies, advertising networks, and third-party software development kits, that they will provide the same or equal protection to the user data;
- Explain its data retention and deletion policies; and
- Describe how a user can revoke consent or request deletion of the user’s data.
Under the Apple rules, Apps in the digital health space that collect health, fitness, and medical data must not disclose any of this sensitive data to third parties for advertising, marketing, or use-based data-mining purposes unless the disclosure is with permission and for improving health management or health research purposes. Failure to abide by these guidelines may result in the app’s removal from the App Store.
This is just the start, and telemedicine and digital health companies should expect to see more rules from Big Tech and social media platforms designed to ensure the accuracy and privacy of health-related content and data. Therefore, entrepreneurs can take the following actions now to anticipate these forthcoming restrictions and therefore minimize disruption and friction among patient-users (as well as ensure regulatory compliance):
- Conduct, under attorney-client privilege, a risk assessment of health data maintained and transmitted by the organization.
- Review all privacy policies to ensure they actually reflect your real use cases and business practices of what you do with patient-user data. The privacy policy must be accurate, transparent, and comply with applicable laws, guidelines, and best practices. If you have not updated your privacy policy in a year or have simply copypasted it from another company‘s website, we strongly urge you to undertake this review immediately.
- Survey your company’s website and app to understand its data collection and use practices by reviewing the user experience and workflow to ensure the user experience matches the company’s expectations, external policies, and procedures.
- Review all third-party vendors that manage and collect data to ensure their compliance with your privacy practices and policies by requesting and reviewing their privacy policies.