December 6, 2022

Volume XII, Number 340


December 05, 2022

Subscribe to Latest Legal News and Analysis

Digital Health Apps Must Allow Users to Delete Accounts, Per New Apple App Store Rules

The regulatory scrutiny on telemedicine and digital health companies continues to tighten, whether it is privacy warning shots, new direct-to-consumer (DTC) advertising limits, a wave of reimbursement audits, or multistate DOJ investigations. Now, any company that wants to be listed on Apple’s App Store must give users the ability to delete their account.

Apple just announced all apps that allow for a user to create an account must also give that user the ability to delete their account from within the app itself. The new rule is effective January 31, 2022, so product development teams may want to order some extra cold brew and prepare for a programming sprint.

The announcement also reminds companies that Apple Guidelines require the app to have a privacy policy that details how the app collects, shares, uses, maintains, and deletes user data. This privacy policy must be publically accessible and will be reviewed by Apple upon the app’s submission to the Apple Store. In addition to federal and state law privacy requirements and Federal Trade Commission (FTC) guidelines, Apple’s rules also require that the privacy policy clearly and explicitly:

  • Confirm with any third party with whom the app shares user data, such as analytics companies, advertising networks, and third-party software development kits, that they will provide the same or equal protection to the user data;

  • Explain its data retention and deletion policies; and

  • Describe how a user can revoke consent or request deletion of the user’s data.

Under the Apple rules, Apps in the digital health space that collect health, fitness, and medical data must not disclose any of this sensitive data to third parties for advertising, marketing, or use-based data-mining purposes unless the disclosure is with permission and for improving health management or health research purposes. Failure to abide by these guidelines may result in the app’s removal from the App Store. 

This is just the start, and telemedicine and digital health companies should expect to see more rules from Big Tech and social media platforms designed to ensure the accuracy and privacy of health-related content and data. Therefore, entrepreneurs can take the following actions now to anticipate these forthcoming restrictions and therefore minimize disruption and friction among patient-users (as well as ensure regulatory compliance):

  • Conduct, under attorney-client privilege, a risk assessment of health data maintained and transmitted by the organization.

  • Review all privacy policies to ensure they actually reflect your real use cases and business practices of what you do with patient-user data. The privacy policy must be accurate, transparent, and comply with applicable laws, guidelines, and best practices. If you have not updated your privacy policy in a year or have simply copypasted it from another companys website, we strongly urge you to undertake this review immediately.

  • Survey your company’s website and app to understand its data collection and use practices by reviewing the user experience and workflow to ensure the user experience matches the company’s expectations, external policies, and procedures.

  • Review all third-party vendors that manage and collect data to ensure their compliance with your privacy practices and policies by requesting and reviewing their privacy policies.

© 2022 Foley & Lardner LLPNational Law Review, Volume XI, Number 284

About this Author

Aaron T. Maguregui Health Care Attorney Foley & Lardner Tampa, FL
Special Counsel

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...

Nathaniel Lacktman, Health Care Attorney, Foley and Lardner Law Firm

Nathaniel (Nate) Lacktman is a partner and health care lawyer with Foley & Lardner LLP, and a Certified Compliance & Ethics Professional (CCEP). His practice focuses on health care compliance, counseling, enforcement and litigation, as well as telemedicine and telehealth. Mr. Lacktman is a member of the firm’s Health Care Industry Team which was named “Law Firm of the Year — Health Care Law” for three of the past four years on the U.S. News – Best Lawyers® “Best Law Firms” list.