Apple and the 3 Kinds of Privacy Policies


“Why Are Apple’s Competitors Staying Silent On the iPhone Unlocking Fight?” is the question of the day on tech blogs. The answer is hardly technical and may not be legal; it’s all about privacy policies and business strategy, and it is very evident in healthcare.

There are three classes of privacy policy in healthcare and everywhere else:

Class 1 – “Apple will not see your data.” This is Apple’s privacy policy for ResearchKit and HealthKit and apparently for whatever data the FBI is hoping to read from the terrorist’s phone. Obviously, in this case the person is in complete control of the data and it can be shared only with third parties that the person authorizes.

Class 2 – “We will see and potentially use your data, but you will have first-class access to your data.” This is the kind of privacy policy we see with Apple’s calendar and many Google services. The personal data is accessible to the service provider, but it is also completely accessible to the person via an interface or API. In healthcare, the equivalent would be having the FHIR API equally and completely accessible to patients and to _any_ third parties authorized by the patient. This is Patient Privacy Rights’ recommendation as presented to the API Task Force.
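The Class 2 property is, at bottom, an access-control rule: the patient has first-class access to their own records, and a third party gets exactly what the patient has authorized, for as long as the patient allows it. The following is an added example, written for this post and not code from HIE of One or from any FHIR server, of how a FHIR-style API could enforce that rule. The resource paths, scope names, client identifiers and the `ConsentRegistry` class are all assumed for illustration.

```python
import time
from dataclasses import dataclass

# Hypothetical consent-based authorization check for a FHIR-style API.
# Constructed illustration; not code from HIE of One or any FHIR server.


@dataclass(frozen=True)
class Consent:
    """A grant the patient made to one third party (all values constructed)."""
    patient_id: str
    grantee: str            # client or organization the patient authorized
    scopes: frozenset       # FHIR-style scopes, e.g. "Observation.read"
    expires_at: float       # Unix time after which the grant is void


class ConsentRegistry:
    """Patient-controlled record of who may do what. Only the patient edits it."""

    def __init__(self):
        self._grants = {}   # (patient_id, grantee) -> Consent

    def grant(self, consent):
        self._grants[(consent.patient_id, consent.grantee)] = consent

    def revoke(self, patient_id, grantee):
        self._grants.pop((patient_id, grantee), None)

    def lookup(self, patient_id, grantee):
        return self._grants.get((patient_id, grantee))


def parse_request(method, path):
    """Map e.g. ('GET', '/Observation?patient=p1') to (resource_type, action, patient_id)."""
    path_part, _, query = path.lstrip("/").partition("?")
    resource_type = path_part.split("/")[0]
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    action = {"GET": "read", "POST": "write", "PUT": "write", "DELETE": "write"}.get(method)
    return resource_type, action, params.get("patient")


def authorize(registry, requester, method, path, now=None):
    """Return True if the requester may perform this request on the patient's data.

    Rule 1: the patient always has first-class access to their own records.
    Rule 2: anyone else needs an unexpired consent whose scopes cover the action.
    Rule 3: missing patient parameter, unknown method or missing consent -> deny.
    """
    now = time.time() if now is None else now
    resource_type, action, patient_id = parse_request(method, path)
    if action is None or patient_id is None:
        return False
    if requester == patient_id:
        return True
    consent = registry.lookup(patient_id, requester)
    if consent is None or now >= consent.expires_at:
        return False
    return (f"{resource_type}.{action}" in consent.scopes
            or f"{resource_type}.*" in consent.scopes)


def demo():
    """Walk through grant, use, expiry and revocation with constructed identifiers."""
    reg = ConsentRegistry()
    t0 = 1_700_000_000.0
    reg.grant(Consent("patient-1", "research-app", frozenset({"Observation.read"}), t0 + 3600))
    obs = "/Observation?patient=patient-1"
    results = {
        "patient_reads_own": authorize(reg, "patient-1", "GET", obs, t0),
        "app_reads_granted": authorize(reg, "research-app", "GET", obs, t0),
        "app_writes_denied": authorize(reg, "research-app", "PUT", "/Observation/7?patient=patient-1", t0),
        "app_other_resource_denied": authorize(reg, "research-app", "GET", "/Condition?patient=patient-1", t0),
        "app_expired_denied": authorize(reg, "research-app", "GET", obs, t0 + 7200),
        "stranger_denied": authorize(reg, "data-broker", "GET", obs, t0),
    }
    reg.revoke("patient-1", "research-app")   # the patient withdraws consent
    results["app_after_revoke_denied"] = authorize(reg, "research-app", "GET", obs, t0)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The point of the design is that the decision never depends on the service provider’s policy: the only inputs are the patient’s own identity and the consent records the patient controls, so a third party’s access ends the moment the patient revokes it or the grant expires.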

Class 3 – “We will use your data according to xyz policy, and if you don’t like it, take your illness elsewhere.” This is pretty much how healthcare and much of the Web world runs today. We have limited rights to our own data. On the other hand, the services that have our data can sell it and profit in dozens of ways. This includes selling de-identified data. In Class 3, you, the subject of the data, are a third-class citizen, at best. In many cases, the subject doesn’t even know that the data exists. See, for example, The Data Map.

We are so completely engulfed by Class 3 privacy policies that we have lost perspective on what could or should be. A Class 1 policy like Apple’s is widely seen as un-American. A Class 2 policy like PPR’s is indirectly attacked as “insurmountable”.

The reality is that technology moves much faster than other parts of our society. Whether it’s encryption to secure iPhones so that “Apple will not see your data,” or CRISPR to control the Zika virus, we need to plan for tomorrow’s technology today. In healthcare, that means encouraging businesses and health care services that adopt Class 1 and Class 2 privacy policies.

HIE of One, an open source technology project by Michael Chen, MD and myself, is a current proof of concept of how Class 2 privacy policies could transform healthcare in just a couple of years. This THCB post and this 14-minute video demonstrate that a patient-centered health IT architecture is possible with today’s technology. Turning the HIE of One proof of concept into reality is taking place in our HEART workgroup and will be the subject of many conversations with health industry vendors and regulators at HIMSS next week.

Categories: OP-ED, Tech, THCB
William Palmer MD

This below is a guess: The usual technique to keep something secret is to force the hacker to factor a huge subprime number. This is a number which is the product of two primes. People can do this in reasonable time–polynomial time it is called–up to about 240 decimal digits. Remember that with PGP–pretty good privacy–that we were using 60 digit numbers? Our most sensitive secrets are kept using this method. The passcode just opens the machine and has nothing to do with this deeper primary hurdle. I think this could be bypassed by going directly to the hardware. I…

Andrei Popa

Hello All,

What about privacy by design? Class 0.5

I was thinking about it for some time now. Force encrypt data using a unique key whether this comes from touchID or an external token, like banking login.

Phone manufacturer would be prevented by design to access the data. Then strict control over where the data is sent, by confirmation.

When discussing security there is always a compromise between ease of use and level of security.

Do you think people will invest more time & actions (tokens, logins) for extra security when it comes to their health data?


Adrian Gropper, MD

@Andrei, I don’t see the difference between what you’re proposing and Class 1. Regardless of how they do it, “Apple will not see your data.” is as clear as it gets.

Eddy Randick

Hi Adrian,

Thanks for the great article. You have nicely presented the intricacies in privacy policy, especially pertaining to healthcare. On a somewhat unrelated note, can’t HIPAA guidelines protect a person who uses apps such as Apple’s HealthKit?

Adrian Gropper, MD

Protect a person from what? Seriously, in Class 1, there’s no institution that has access to the data other than those that the patient explicitly authorizes. If the patient authorizes a transfer to a HIPAA Covered Entity, then they are protected. If the patient authorizes a transfer to a research institution covered by the Common Rule (as in IRBs), then they are protected. If the patient authorizes an institution that is only covered by the FTC, then neither HIPAA nor the Common Rule applies, and what matters is the posted privacy policy of the recipient institution. Note that the Class 1, 2,…

Eddy Randick

Thanks very much for your take on that, Adrian.


Margalit Gur-Arie

Seems to me like there is a Class missing: Class 1.5: Where Apple can “see” your data and you can see your data and you can do whatever you want with it, but Apple is barred by law from using it in any shape or form, under penalty of fines and prison time (preferably for its CEO). I am not opposed to people being able to “donate” data usage rights to Apple or some other corporate vulture, or for “research”. I am however opposed to fine print opt out (or opt in) BS. As to the government’s right to obtain…

Adrian Gropper, MD

@Margalit – You are describing Class 1. In Class 1, if the FBI (or Apple) wants to access my data, all they need to do is ask me. Whether that data is on my iPhone or on iCloud is a technical difference, not a privacy policy class. If Apple wants to and can develop encryption technology that secures data in iCloud as well as they seem to be doing on iPhone, then I think they will and we will all be better off. For your second point, see my answer to John below. “Government” is not a term that technology…

Rob Lamberts

Concise and accurate summary. Yes, it may over-simplify, but the point is well-made. The reported job of medical records is to provide pertinent information in the clinical setting. The problem is that this has been subverted into data collection and billing support, obfuscating clinical information behind a wall of gibberish. Most of my patients don’t demand access to their records, but they do want their caretakers to all have access to the information over the narrative of their care. I believe that the only valid way to do this is to change records from a physician/hospital centered database into a…