Digital Health Apps Must Allow Users to Delete Accounts, Per New Apple App Store Rules
The regulatory scrutiny on telemedicine and digital health companies continues to tighten, whether it is privacy warning shots, new direct-to-consumer (DTC) advertising limits, a wave of reimbursement audits, or multistate DOJ investigations. Now, any company that wants to be listed on Apple’s App Store must give users the ability to delete their account.
Apple just announced all apps that allow for a user to create an account must also give that user the ability to delete their account from within the app itself. The new rule is effective January 31, 2022, so product development teams may want to order some extra cold brew and prepare for a programming sprint.
Confirm with any third party with whom the app shares user data, such as analytics companies, advertising networks, and third-party software development kits, that they will provide the same or equal protection to the user data;
Explain its data retention and deletion policies; and
Describe how a user can revoke consent or request deletion of the user’s data.
Under the Apple rules, Apps in the digital health space that collect health, fitness, and medical data must not disclose any of this sensitive data to third parties for advertising, marketing, or use-based data-mining purposes unless the disclosure is with permission and for improving health management or health research purposes. Failure to abide by these guidelines may result in the app’s removal from the App Store.
This is just the start, and telemedicine and digital health companies should expect to see more rules from Big Tech and social media platforms designed to ensure the accuracy and privacy of health-related content and data. Therefore, entrepreneurs can take the following actions now to anticipate these forthcoming restrictions and therefore minimize disruption and friction among patient-users (as well as ensure regulatory compliance):
Conduct, under attorney-client privilege, a risk assessment of health data maintained and transmitted by the organization.
Survey your company’s website and app to understand its data collection and use practices by reviewing the user experience and workflow to ensure the user experience matches the company’s expectations, external policies, and procedures.
Review all third-party vendors that manage and collect data to ensure their compliance with your privacy practices and policies by requesting and reviewing their privacy policies.