January/February 2018

Clinical News: Patient Data Safety for Dementia Patients Using Apps
By Lisa Rosenfeld, MD, MPH, and Ipsit Vahia, MD
Today's Geriatric Medicine
Vol. 11 No. 1 P. 8

As medical advances lead to increases in life expectancy, the number of people who are living with dementia is growing rapidly. According to the 2015 World Alzheimer Report, the number of people with dementia is currently 46.8 million, with an expected rise to 74.7 million in 2030 and 131.5 million in 2050.1 Over the course of illness, dementia patients and their caregivers need education about diagnostic tests, symptom management, and prognostic indicators. In an ideal world, patients and their family members would have ready access to in-person consultations with geriatric specialists. In reality, there is a severe paucity of specialists who can educate families and help plan management of the course of illness.2,3 As a result, cost-effective scalable innovations and resources are needed to address the clinical demands of the rapidly expanding population of patients with dementia.

Mobile Technology: One Possible Solution
In recent years, there has been a surge in the number of diagnostic, therapeutic, and monitoring health applications (apps) available on smartphones and tablets. These apps are especially useful for increasing access to certain types of care, including informational resources, peer support, symptom monitoring, and self-reported patient data entry.

Although mobile health apps have generally been associated with younger tech-savvy people, the number of older adults who own smartphones and use them to look up health information is on the rise.4 A recent literature review suggested that mobile health technologies may be used to assess cognitive and mental illness in older adults.5 For this reason, many innovators have concluded that mobile technologies hold great promise for the future of geriatric care, a sentiment that is reflected in the wide array of dementia-focused apps that are available in the Apple App Store.

Patient Privacy: A Potential Pitfall
Many apps that target people with dementia and their caregivers collect user data, including personal health information. Until recently, little was known about the extent of privacy protections on health data entered into dementia apps. Unlike other areas of health care, which are subject to stringent regulations such as HIPAA, health apps are governed only by the restrictions developers place on themselves in their individual privacy policies.

Perhaps for this reason, stakeholders including researchers and policymakers have begun to ask questions about the adequacy of privacy protections for the health data of app users. A recent study of smartphone apps related to diabetes revealed that 81% of apps lack a privacy policy.6 Similarly, the United Kingdom's National Health Service closed its app library in 2015 amid concerns that many of the apps it endorsed did not protect patient data.7

As important as robust privacy protections are for the general population, they are even more critical when it comes to apps that target patients with cognitive impairment. After all, these patients are less likely to search for a privacy policy prior to using an app, more likely to have difficulty interpreting the privacy policies they do review, and at heightened risk of privacy breaches. Before clinicians can point patients toward the plethora of apps targeting adults with dementia, they will need to develop an appreciation for the scope of and limits to privacy these apps afford their users. Not doing so would be akin to prescribing a medication without being aware of its side effects.

An Overview of Current Privacy Policies: The Lay of the Land
With these concerns in mind, the authors of this article set out to answer two main questions. First, how many of the health apps targeting patients with dementia have privacy policies at all? Second, how well do the existing policies protect users' rights to privacy?

To answer these questions, we compiled a comprehensive list of health apps for dementia, downloaded as many of the corresponding privacy policies as we could access, and evaluated these policies using a fixed rubric. What we discovered in the process of conducting this analysis was alarming.

Of the 72 health apps intended for use by patients with dementia and their caregivers, we found that only 46% had a privacy policy. Put another way, people using 54% of dementia health apps have no way of knowing how any data they enter into an app will be used.

Among the 46% of apps with privacy policies, many contained missing information, and the information, where present, pointed to striking gaps in data security. Thirty percent did not explain how user data would be safeguarded, and 24% did not distinguish between how individual and aggregated user data would be handled. For apps that did specify how individual user data would be handled (25 of 72), 80% admitted to the possibility of sharing user data with third parties, 52% admitted to the possibility of selling data in a merger or acquisition, and 36% admitted to the possibility of sharing data with marketers and advertisers.

In summary, despite the potential for health apps to reform dementia care, our review reveals widespread gaps in data security and privacy protections. While these findings would be worrisome in all cases, they are particularly concerning for apps that target dementia patients. After all, these individuals may lack the cognitive capacity to find and interpret convoluted privacy policies, thereby calling into question their ability to consent to giving their health information to an app in the first place. As a result, the trust between app developers and consumers rests upon a tenuous foundation, which, if compromised, could jeopardize the enormous potential that mobile technologies have for enhancing care, improving quality of life, and facilitating aging in place for people with dementia.8,9

Clinical Takeaways
If apps for dementia are a potential mechanism for increasing patients' access to health information and care on the one hand, and a potential threat to data security on the other, what is the well-intentioned clinician to do? For the time being, we believe that physicians have an obligation to learn and provide education to their patients about specific privacy policies for apps they recommend. Failing to do so might be likened to prescribing a medication without knowing or disclosing the side effect profile—in a vulnerable population, no less.

In practice, this would require physicians to perform the following steps for apps they are interested in recommending:

• Review the description of or download the app to determine whether it collects personal, diagnostic, or clinical data from its users. If it does not, there should be no risk to privacy and the app should be considered safe for use.

• If the app does collect user-generated content, determine whether it has a corresponding privacy policy.

• If there is no privacy policy, carefully weigh the benefits of the app against the sensitivity of the information being collected. For guidance on this process, consider referring to the American Psychiatric Association's "App Evaluation Model," which provides recommendations for how to gather background information, evaluate evidence, and determine ease of use for a given an app.10 If the risk/benefit ratio is clearly favorable, consider recommending the app, but make sure to alert patients and their caregivers to the risk of privacy breaches.

• In cases where a privacy policy does exist, review the policy with an eye for the following features: Is the app explicitly covered? Are electronic or physical safeguards on data mentioned? Does the policy explain how individual user data rather than aggregated data might be used? Specifically, might individual-level information be shared with third parties or marketers? Might it be sold? Can it be amended or deleted upon request?

A combination of the answers to these questions, the sensitivity of the data being collected, and the consumer's level of risk tolerance will enable a thoughtful clinician to facilitate informed decision-making on the part of patients and their caregivers. Moreover, by raising patient awareness, physicians may indirectly motivate app developers to bolster safeguards and improve communication about privacy protections, all in an effort to engender consumer trust and thereby maximize their impact on dementia care.

— Lisa Rosenfeld, MD, MPH, is a second-year resident in psychiatry at the MGH/McLean Adult Psychiatry Residency Program. Her interests include population health, innovative delivery systems, and increasing access to mental health care.

— Ipsit Vahia, MD, is a geriatric psychiatrist, clinician, and researcher. He is the medical director of the geriatric psychiatry outpatient services, as well as the medical director of the Institute for Technology in Psychiatry, at McLean Hospital in Belmont, Massachusetts. His research focuses on the use of technology and informatics in the assessment and management of older adults.

References
1. Prince M, Wimo A, Guerchet M, Ali G, Wu Y, Prina M; Alzheimer's Disease International. World Alzheimer Report 2015, the global impact of dementia: an analysis of prevalence, incidence, cost and trends. https://www.alz.co.uk/research/WorldAlzheimerReport2015.pdf. Published August 2015. Accessed September 17, 2017.

2. Boult C, Counsell SR, Leipzig RM, Berenson RA. The urgency of preparing primary care physicians to care for older people with chronic illness. Health Aff (Millwood). 2010;29(5):811-818.

3. Bragg EJ, Warshaw GA, Cheong J, Meganathan K, Brewer DE. National survey of geriatric psychiatry fellowship programs: comparing findings in 2006/07 and 2001/02 from the American Geriatrics Society and Association of Directors of Geriatric Academic Programs' Geriatrics Workforce Policy Studies Center. Am J Geriatr Psychiatry. 2012;20(2):169-178.

4. Smith A. U.S. smartphone use in 2015. Pew Research Center: Internet & Technology website. http://www.pewinternet.org/2015/04/01/us-smartphone-use-in-2015/. Published April 1, 2015. Accessed May 1, 2017.

5. Moussa, Y, Mahdanian AA, Yu C, et al. Mobile health technology in late-life mental illness: a focused literature review. Am J Geriatr Psychiatry. 2017;25(8):865-872.

6. Blenner SR, Kollmer M, Rouse AJ, et al. Privacy policies of Android diabetes apps and sharing of health information. JAMA. 2016;315:1051-1052.

7. Huckvale K, Prieto JT, Tilney M, et al. Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment. BMC Med. 2015;13:214-226.

8. Narasimha S, Chalil Madathil K, Agnisarman S, et al. Designed telemedicine systems for geriatric patients: a review of the usability studies. Telemed J E Health. 2017;23(6):459-472.

9. Rugerri K, Maguire A, Andrews JL, et al. Are we there yet? Exploring the impact of translating cognitive tests for dementia using mobile technology in an aging population. Front Aging Neurosci. 2016;8:21.

10. App evaluation model. American Psychiatric Association website. https://www.psychiatry.org/psychiatrists/practice/mental-health-apps/app-evaluation-model. Accessed November 7, 2017.