Background: Cancer patients are increasingly using mobile health (mHealth) apps to take control of their health. Many studies have explored their efficiency, content, usability, and adherence; however, these apps have created a new set of privacy challenges, as they store personal and sensitive data.
Objective: The purpose of this study was to refine and evaluate a scale based on the General Data Protection Regulation and assess the fairness of privacy policies of mHealth apps.
Methods: Based on the experience gained from our previous work, we redefined some of the items and scores of our privacy scale. Using the new version of our scale, we conducted a case study in which we analyzed the privacy policies of cancer Android apps. A systematic search of cancer mobile apps was performed in the Spanish version of the Google Play website.
Conclusions: In this paper, we present a scale for the assessment of mHealth apps that is an improved version of our previous scale with adjusted scores. The results showed a lack of fairness in the mHealth app privacy policies that we examined, and the scale provides developers with a tool to evaluate their privacy policies.
Privacy in Mobile Health Apps
Health care systems are putting great emphasis on the role of the patient and encouraging people to take control of their health. Mobile health (mHealth) apps are one of the technological breakthroughs that make this possible. There are more than 3 billion smartphone users worldwide, and this number is predicted to grow by several hundred million in the next few years. This proliferation of smartphones has led to an increase in the availability and abundance of mHealth apps. In 2017, there were more than 300,000 mHealth apps, and this number grows by about 25% every year. In 2018, 52% of smartphone users collected health-related information on their smartphones, and 60% of smartphone users had downloaded health-related apps.
Among other uses, mHealth apps can provide disease and treatment information; practical tools for avoiding some diseases (prevention and promotion of healthy behavior); tools to assist in the identification of symptoms (early detection); practical tools to deal with the medical, behavioral, or emotional aspects of a specific disease (disease management); and access to peer or professional assistance (support).
Despite the potential impact of mHealth apps on patient health, there is a lack of specific regulations and standards for the development of mHealth apps, which may result in potential risks and poor app quality. For example, some studies have reported problems with existing mHealth apps such as failure to meet the needs of persons with chronic conditions, a lack of cited source material or references, and insufficient testing of the apps with respect to usability and validity. Such shortcomings reduce the confidence of health care professionals and patients in these apps.
Criteria have been proposed to assess mHealth apps. Stoyanov et al developed the Mobile Application Rating Scale (MARS) to classify and rate the quality of mHealth apps, based on a literature review of app evaluations containing explicit quality rating criteria. Llorens-Vernet and Miró recently proposed criteria to be integrated into a general standard for mHealth app development, based on a systematic review, searches of professional organization websites, and the standards governing the development of software for medical devices.
Privacy is a major concern for mHealth app users, as some mHealth apps require the collection, storage, and sharing of personal and sensitive patient data. Guidelines and recommendations for health-related apps, such as those developed by the Andalusian Agency for Healthcare Quality (Spain), the Tecnologies de la Informació i la Comunicació Salut Social Foundation (Spain), the National Health Service (United Kingdom), and the European Commission, include several privacy items that highlight its importance in the context of mHealth. Privacy is also one of the components included in the criteria proposed by Stoyanov et al and by Llorens-Vernet and Miró.
The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union (EU). It was published in the Official Journal of the European Union in 2016 and has been applicable since May 25, 2018. The GDPR applies in all EU member states plus Iceland, Liechtenstein, and Norway (the other members of the European Economic Area). Being a regulation rather than a directive, the GDPR applies directly in all these countries without national transposition.
The GDPR introduces some important changes relative to the legislation it replaced (Directive 95/46/EC). The first can be found in Article 3 (territorial scope): the GDPR applies to any controller or processor established in the EU, even if the processing itself does not take place in the EU. It also applies to any controller or processor, regardless of the country of origin, where the processing relates to "the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or the monitoring of their behaviour as far as their behaviour takes place within the Union" (Article 3.2). The controller must be able to demonstrate compliance with the GDPR (Article 5.2) and is subject to higher administrative fines than before (Article 83). Article 4 of the GDPR includes definitions that clarify relevant concepts; these are summarized in the table below.
Like many legal texts, the GDPR is difficult to understand and comply with, especially for app developers or users who are not legal experts; reading, interpreting, and understanding 99 articles across 88 pages of legal language is not easy. Our paper helps nonspecialists become more familiar with the regulation so that they can comply with it. We have developed a tool that makes compliance as easy as following simple guidelines, so that even small app developers (eg, freelancers) can use it easily.
For example, two items in our scale (items 4 and 5) concern the information to be provided to the data subject, which Article 13 describes in a single sentence: "the purposes of the processing for which the personal data are intended as well as the legal basis for the processing." This sentence expands to approximately 250 words in the definition of our scale because the article is connected with several other parts of the GDPR: recitals 39, 58, 60, 61, and 63, and Articles 4, 5, and 6. These recitals and articles must be read and understood to be clear about the intentions of the GDPR.
| Term | Definition |
| --- | --- |
| Data subject | A natural person whose personal data are being processed; the GDPR^a defines personal data not only as data related to an identified person, but also as data that can be used to identify a natural person, directly or indirectly. |
| Data controller | "The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." |
| Data processor | "The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller." |
| Recipient | "The natural or legal person, public authority, agency, or another body, to which the personal data are disclosed." |
| Representative | A natural or legal person established in the EU^b; a representative must be designated by data controllers or processors not established in the EU (Article 27). |
| DPO^c | A person who must be designated by the controller or processor in certain circumstances (see Article 37); the duties of the DPO are defined in Article 39 and include advising the controller or processor on their GDPR obligations and monitoring compliance with the GDPR. |

^a GDPR: General Data Protection Regulation.
^b EU: European Union.
^c DPO: data protection officer.
Several studies in the literature have addressed the availability of privacy policies in mobile apps and the assessment of some aspects of their quality.
Papageorgiou et al conducted a privacy and security analysis of 20 mHealth apps with a broad scope, including static and dynamic analysis of the apps, permission analysis, and security of communications. They also investigated whether the privacy policies complied with the GDPR, focusing on the right to withdraw consent, the right to portability, data protection officer (DPO) contact information, profiling, and transfers of personal data to countries outside the EU. They reported how many apps complied with each of these items but did not develop a scoring method.
A total of 29 headache apps were analyzed by Minen et al, focusing on data storage and privacy policies. When analyzing privacy policies, they checked for the presence or absence of information regarding data collection, data sharing, use by children, and certain user rights.
The scientific community has been searching for a way to assess privacy in mHealth apps for the last few years. Many studies have assessed privacy in apps, usually focusing on their user interfaces, privacy in communications, and privacy policies. However, the criteria used to analyze privacy policies are heterogeneous and subjective: they are based on the researchers' own experience, the literature, and/or an existing legal framework; the items considered are very diverse; and the evaluation of these items often depends heavily on the evaluators' own judgment.
It is therefore necessary to create tools that evaluate privacy policies and to establish privacy scales based on objective criteria that are less open to interpretation. Although some papers considered the GDPR, none of them proposed a set of items against which GDPR compliance can be assessed. Our aim is to fill that research gap by proposing a GDPR-based scale to assess privacy policies in mHealth apps.
Privacy Scale Design
In our previous work, we developed a scale to assess the fairness of the privacy policies of mHealth apps. The objective of the scale was to analyze privacy policies in a systematic way and to design a GDPR-based system to assess and improve such policies. Based on Article 13 of the GDPR and the recommendations of the national data protection authority in Spain, we identified and summarized the information that should be provided in privacy policies (the first table below lists the items). We also defined a scoring method to assess each item.
Some discrepancies in the interpretation of how to score certain items were found in the first iteration of the scale design process. In that iteration, the privacy policies of 9 apps were analyzed and interrater agreement (Cohen kappa) was computed for each item. The possible scores for each item and the kappa values are shown in the second table below.
| Item number | Item |
| --- | --- |
| 1 | Identity of data controller |
| 2 | Identity of the representative |
| 3 | Data protection officer details |
| 4 | Purposes for the processing |
| 5 | Legal basis for the processing |
| 6 | Legitimate interests from controller |
| 7 | Recipients (or categories) of the personal data |
| 8 | Transfers to non–European Union countries |
| 9 | Period for which data will be stored |
| 10 | Existence of data subject's rights |
| 11 | Existence of right to withdraw consent |
| 12 | Right to lodge a complaint with a supervisory authority |
| 13 | Obligation to provide personal data |
| 14 | Existence of automated decision making or profiling |
| Item | Item number | Score | Cohen kappa (n=9) |
| --- | --- | --- | --- |
| Identity of data controller | 1 | 0: no info; 0.5: partial; 1: full | 0.77 |
| Identity of the representative | 2 | 0: no info; 1: info provided; N/A: not applicable | 1 |
| Data protection officer details | 3 | 0: no info; 1: info provided | 0.61 |
| Purposes for the processing | 4 | 0: no info; 0.5: generic; 1: specific | 0.77 |
| Legal basis for the processing | 5 | 0: no info; 1: info provided | 0.77 |
| Legitimate interests from controller | 6 | 0: no info; 1: info provided; N/A: not applicable | 0.8 |
| Recipients (or categories) of the personal data | 7 | 0: no info; 1: info provided | –0.13 |
| International transfers of data | 8 | 0: no info; 0.5: generic; 1: full details or no international transfers | 0.53 |
| Period for which data will be stored | 9 | 0: no info; 0.5: generic; 1: specific | 0.66 |
| Existence of data subject's rights | 10 | 0: no info; 0.5: generic; 1: full | 0.49 |
| Existence of right to withdraw consent | 11 | 0: no info; 1: info provided; N/A: not applicable | 0.08 |
| Right to lodge a complaint with a supervisory authority | 12 | 0: no info; 0.5: generic; 1: specific | 0.77 |
| Obligation to provide personal data | 13 | 0: no info; 1: info provided | –0.17 |
| Existence of automated decision making or profiling | 14 | 0: no info; 0.5: generic; 1: specific, or no profiling or automated decision making | 0.17 |
A refinement of the criteria used to assign those scores was performed to resolve the discrepancies. Also, an error in the definition and description of one of the items was corrected. Items and their possible scores are (re)defined as follows:
- Identity of data controller: 1 point if full information is given, that is, the name, postal address, and electronic address (either an email address or a contact form is considered valid) of the data controller; 0.5 points if some of this information is missing; 0 points if the information is omitted entirely. If only an electronic address is provided, or if the postal address is not given, the score is 0 points.
- Identity of the representative: The representative is a natural or legal person, established in the EU, who must be designated by the data controller if they are not in the EU. In this case, 1 point is given if full information is given (in the same way as with the data controller) and 0 points otherwise.
- DPO details: The GDPR states that a DPO must be designated if the controller processes a large quantity of data in some special categories, such as health data. We assume that a DPO must exist in any given mHealth app. At least an email address must be given to get 1 point. In order to be consistent with the definition of DPO in the GDPR, the DPO must be a different person from the data controller, so the email address should also be different. Otherwise, 0 points are given.
- Legitimate interests from controller: 1 point if this information is given and 0 points otherwise. N/A if legitimate interest is not stated as a legal basis for the processing or if item 5 is 0 points.
- Recipients (or categories of recipients) of the personal data: 1 point if this information is given and 0 points otherwise. We must note that if there are no recipients, this must be explicitly stated. Also, we must keep in mind that in accordance with Article 4 of the GDPR a data processor is considered a recipient.
- Existence of the right to withdraw consent: This is an additional right that only exists if the legal basis for the processing is consent. As such, the score is 1 point if this right is mentioned (along with the way to exercise it) and 0 points if the right is omitted. This item is N/A if consent is not one of the legal bases for the processing or if item 5 is 0 points.
As stated in the introduction, an important objective of our research is to provide a reproducible scale for the assessment of privacy policies in mHealth apps, so schematics and further descriptions of the items, with explanatory examples of the scoring system, are given in the user's guide provided as a supplementary file.
Items 1, 4, 8, 9, 10, 12, and 14 can score 0.5 points, as some items are more complex than others. For example, item 4 (purposes for the processing) requires the data controller to be very explicit when defining the app's purposes for the processing. We found that some data controllers state the purposes for the processing but are not as explicit as they should be; in these cases, the item scores 0.5 points. Other items, such as item 3 (DPO details), are so simple that they can only score 1 point (yes) or 0 points (no). Additional details and examples can be found in the user's guide.
We have also added new indicators that did not appear in our previous work. They do not directly influence scores, but they add some information that is relevant to the study of privacy policies:
- Data controller's country: We take this from the identity of the data controller as stated in the policy. We do not use additional sources such as a WHOIS lookup on the developer's domain: a WHOIS record describes the registration of the domain name, not where the controller is established, and might therefore be misleading.
Case Study: Cancer Apps
A systematic search strategy was followed to identify all relevant mHealth apps for the most common types of cancer (breast, prostate, colorectal, and lung cancer) and for cancer in general. We focused on Android apps because of its market dominance: Android was the most installed operating system on new smartphones shipped worldwide from 2017 to 2019. Two researchers (ORR and EDZ) searched the Spanish version of the Google Play website, taking steps to ensure that no previous searches or cookies influenced the results. Five searches were completed on July 25, 2019, using "cancer mama," "cancer prostata," "cancer," "cancer colon recto," and "cancer pulmon" as search strings.
Apps were included in the screening stage if their title or description contained one of the search strings defined. After duplicates were removed, two researchers (ORR and EDZ) reviewed and assessed the title and description of the resulting mHealth apps for eligibility against the selection criteria. Apps whose titles and/or descriptions met the selection criteria were downloaded and installed. A researcher (ORR) checked that they worked properly and met the selection criteria. Disagreements were resolved by consensus.
The following inclusion criteria were used: the title or description referred to at least one of the search strings, it was intended exclusively for cancer patients or survivors, and the app collected user data or allowed users to share their opinions or data.
The following descriptive characteristics of apps meeting the selection criteria were collected from the Google Play website when available: developer, category, number of ratings, user rating, last update, and number of downloads. Additionally, using the information included in the description, two researchers (ORR and EDZ) independently classified the apps according to main purpose and type of cancer. Discrepancies were resolved by consensus.
Included apps were classified according to main purpose and type of cancer. We used the classification scheme for an app's main purpose proposed by Giunti et al, removing the awareness-raising option because the apps designed for that purpose did not meet the selection criteria and were excluded from our study. Therefore, an app's main purpose was coded as disease and treatment information (DTI), disease management (DM), or support (S).
Finally, type of cancer was coded as general, colorectal, breast, prostate, lung, or other. General was used to code included apps that pertained to cancer in general without identifying any specific type. Other was assigned to apps that pertained to a specific type of cancer other than colorectal, breast, prostate, or lung cancer.
App Selection and Extracted Features
Google Play searches returned 1249 mHealth apps. After duplicates were removed, 831 apps were assessed for eligibility; 41 of those met the selection criteria and were downloaded and installed on an Android smartphone (Moto G7, Motorola Mobility, LLC) to check that they worked properly. Finally, 31 mHealth apps met all the selection criteria and were included in the analysis. The flow diagram of this procedure is not reproduced here; the table below lists the selected apps. For convenience when analyzing the results, apps were labeled App1 to App31. For the statistical analysis below, five more features were added to the table: Google Play rating, number of ratings, number of downloads, app type, and cancer type. The supplementary file List of mHealth apps contains both the apps found in the Google Play search and those included in the case study.
| App name | Developer | Rating (stars) | Number of ratings | Number of downloads | App type | Cancer type | Label |
| --- | --- | --- | --- | --- | --- | --- | --- |
| BECCA: Breast Cancer Support | Breast Cancer Care | 4.5 | 63 | 10,000+ | S^a | Breast | App1 |
| EmotionSpace cáncer de mama | Pfizer Inc | 2.5 | 2 | 100+ | S | Breast | App2 |
| ChemoWave: For Cancer Patients | Treatment Technologies & Insights | 4.4 | 20 | 1000+ | DM^b | General | App3 |
| OWise Breast Cancer | Px HealthCare BV | 4.4 | 10 | 1000+ | DM | Breast | App4 |
| My Cancer Coach | Genomic Health Inc | 4.5 | 86 | 10,000+ | DM | General | App5 |
| Breast Advocate | Toliman Health | 5 | 1 | 100+ | DTI^c | Breast | App6 |
| Breast Cancer Support | MyHealthTeams | 4.1 | 47 | 1000+ | S | Breast | App7 |
| Triple Negative Breast Cancer | Kognito | 5 | 2 | 100+ | DTI | Breast | App9 |
| Breast Cancer: Others Like Me | Eli Malki | 0 | 0 | 5+ | S | Breast | App10 |
| Boobytrapp: The Breast Cancer App | Boobytrapp | 3.7 | 3 | 100+ | S | Breast | App12 |
| The BAPS App Wales | The Orchard Media & Events Group Ltd | 0 | 0 | 100+ | DM | Breast | App13 |
| BELONG Beating Cancer Together | BelongTail | 4.7 | 1,151 | 100,000+ | DM | General | App14 |
| Diana | F Hoffmann–La Roche | 5 | 7 | 1000+ | DM | Breast | App15 |
| Got Boobs? | Got Boobs | 0 | 0 | 100+ | S | Breast | App16 |
| Adrenal Cancer: Others Like Me | Eli Malki | 5 | 6 | 1000+ | S | Other | App20 |
| How Are You Today? PC | Intelesant | 0 | 0 | 100+ | DM | Prostate | App21 |
| Cancer.Net Mobile | American Society of Clinical Oncology | 4.2 | 227 | 10,000+ | DM | General | App22 |
| TNM Cancer Staging | International Atomic Energy Agency | 4.6 | 323 | 10,000+ | DTI | General | App23 |
| Untire: Beating cancer fatigue | Tired of Cancer BV | 4.5 | 60 | 5000+ | DM | General | App24 |
| Self-Care During Cancer | NearSpace Inc | 4.7 | 6 | 1000+ | S | General | App25 |
| CanDi: Cancer Diet App | Faculty of Health Sciences UniSZA | 4.7 | 60 | 500+ | DM | General | App26 |
| CancerAid | CancerAid PTY LTD | 3.7 | 25 | 1000+ | DM | General | App27 |
| GRYT Health Cancer Community | GRYT Health | 3.9 | 7 | 100+ | S | General | App28 |
| Target Ovarian Cancer Symptoms Diary | Brandwave Marketing | 3.6 | 8 | 1000+ | DM | Other | App29 |
| Pancreatic Cancer Action: Symptom Tracker | Healthbit Ltd | 5 | 3 | 100+ | DM | Other | App30 |
| My Care Plan (cancer survivor) | NearSpace Inc | 4 | 4 | 1000+ | DM | General | App31 |

^a S: support.
^b DM: disease management.
^c DTI: disease and treatment information.
| App name | Label | Data controller's location | Last update | GDPR^a aware | Score |
| --- | --- | --- | --- | --- | --- |
| BECCA: Breast Cancer Support | App1 | UK^b | 03/2019 | No | 76.9 |
| EmotionSpace cáncer de mama | App2 | Germany | 05/2018 | No | 75 |
| ChemoWave: For Cancer Patients | App3 | US^c | 10/2018 | No | 53.6 |
| OWise Breast Cancer | App4 | UK | N/A^d | Yes | 31.8 |
| My Cancer Coach | App5 | US | 02/2015 | No | 23.1 |
| Breast Cancer Support | App7 | US | 09/2019 | Yes | 78.6 |
| Triple Negative Breast Cancer | App9 | US | 02/2019 | No | 34.6 |
| Boobytrapp: The Breast Cancer App | App12 | Singapore | 06/2018 | No | 29.2 |
| The BAPS App Wales | App13 | UK | N/A | Yes | 69.2 |
| BELONG Beating Cancer Together | App14 | Israel | 09/2018 | Yes | 75 |
| Untire: Beating Cancer Fatigue | App24 | Netherlands | N/A | Yes | 66.7 |
| Self-Care During Cancer | App25 | US | 03/2014 | No | 29.2 |
| GRYT Health Cancer Community | App28 | US | 12/2018 | No | 46.2 |
| Target Ovarian Cancer Symptoms Diary | App29 | UK | 04/2018 | Yes | 80.8 |
| Pancreatic Cancer Action: Symptom Tracker | App30 | UK | 06/2018 | Yes | 75 |

^a GDPR: General Data Protection Regulation.
^b UK: United Kingdom.
^c US: United States.
^d N/A: not applicable.
Assessment of Privacy Policies
The comparisons of privacy scores by app type, type of cancer, number of downloads, data controller's country, GDPR awareness, last update, and popularity (app label, stars, ratings, downloads, and privacy score) were reported as figures and a table that are not reproduced here.
Analysis of Item Compliance
Three items showed mixed results. For item 10, 45% (10/22) of apps stated the existence of data subject's rights, and 2 more apps gave partial information. For items 8 and 9, 36% (8/22) of apps disclosed transfers to other countries and the period for which personal data are stored, respectively, and some apps gave partial information about them.
Results were worse for the remaining items. Only 27% (6/22) of apps satisfied items 3 and 13. Item 3 concerns the DPO's contact details, while item 13 concerns the obligation to provide personal data and the possible consequences of not providing it. Item 11, the right to withdraw consent at any time, was not applicable to 8 apps, as consent was not a legal basis for their processing; of the remaining 14 apps, only 6 (43%) complied with it. We determined that 23% (5/22) of apps satisfied item 12, the right to lodge a complaint with a supervisory authority, with 3 more apps giving partial information. Item 6 is particular in that it only applies when the legitimate interests of the data controller are a legal basis for the processing; it was not applicable to 13 apps, and only 33% (3/9) of the remaining apps complied with it. Item 14 was satisfied by only 9% (2/22) of apps; information about profiling was unavailable in most cases. Last, none of the 13 apps whose data controller is outside the EU complied with item 2: these apps should provide the identity of a representative inside the EU. This item was not applicable to the 9 apps whose controller is in the EU.
In the literature, there are two ways to assess privacy: some articles evaluated the apps according to several items and eventually obtained a score, while others checked whether the analyzed apps met the criteria they had defined.
The most complied-with items were item 1 (identity of data controller), item 4 (purposes for the processing), and item 7 (recipients or categories of recipients of the personal data). Still, only 45% (10/22) of apps fully informed users about their rights (item 10), and only 5 fully informed users about their right to lodge a complaint with a supervisory authority (item 12). Finally, it is notable that none of the 13 apps whose data controller was not within the EU informed users of the identity of their representative in the EU (item 2).
It is difficult to find such a complete analysis in the literature, but some of the items were assessed in other articles. Item 1 was evaluated by Hutton et al and Papageorgiou et al, where 75% and 63% of apps, respectively, complied with it; this is similar to our study, where 77% of apps satisfied this item. Item 1 was also analyzed by Huckvale et al, with very different results: only 25% of apps identified the data controller. Item 3 was also evaluated by Papageorgiou et al, with none of the apps having a DPO, whereas in our study 27% of apps had one. Item 4 was assessed by Hutton et al and Minen et al, with 61% and 64% of apps complying, respectively, whereas a better result (91%) was obtained in this paper. Item 7 was assessed by Hutton et al, with 61% of apps stating the recipients of personal data; in our study 96% did, making item 7 the most complied-with item. Item 9 was evaluated by Huckvale et al: 32% of apps stated the period for which personal data would be stored, compared with 36% in our study. Minen et al analyzed item 10: 36% of apps informed users about their rights, whereas we obtained 46%. Item 11 was assessed by Hutton et al and Papageorgiou et al, with 55% and 37% of apps complying, respectively; in our study, 43% of apps informed users about the right to withdraw consent. Items 12 and 13 were assessed by Huckvale et al: 32% of apps complied with item 12 and 36% with item 13, compared with 23% and 27% in our study. Finally, Papageorgiou et al evaluated item 14: 58% of apps informed users about profiling, which is quite different from our result of 9%.
Like other privacy scales, our scale considers each item to be equally important. In further research, we will work on the next iteration of the scale, in which this approach will be reconsidered. We will evaluate whether weighted scores provide a better assessment of the privacy policies of mHealth apps or only make the scale more complex without any additional benefit.
This study has some limitations. Some relevant apps may have been missed during our searches due to limitations of the Google Play search algorithm. Also, it is possible that developers may not have included some relevant information in the app description. As the eligibility assessment was based on app descriptions in the first search, this lack of information might have resulted in app exclusion. Only the Spanish version of the Google Play website was used during the search, and potentially relevant apps published on other versions of Google Play might have been excluded. Our study focused on Android apps, and this restriction also could have introduced a selection bias.
In this paper, we presented an improved version of our GDPR-based scale for the assessment of the fairness of privacy policies of mHealth apps. This new version has been successfully applied in a case study where the privacy policies of 31 cancer apps were analyzed, yielding results in line with similar studies. This analysis uncovered a surprising lack of fairness in these policies. The nature of the data and the concerns that patients have regarding privacy suggest that it should be a major concern for developers, users, and data controllers. Thus, the proposed scale seems to be suitable for evaluating the fairness of mHealth app privacy policies and for use by developers to ensure compliance with the GDPR.
This work was partially funded by the Cátedra de Telefónica Inteligencia en la red of the Universidad de Sevilla. This work was partially funded by the Cátedra Indra Sociedad Digital of the Universidad de Sevilla. ED-Z receives funding from and is supported by the V Plan Propio de Investigación de la Universidad de Sevilla, Spain.
JB directed the study and took the lead in defining the scale as well as applying it in the case study. JB also supported the data analysis and interpretation of the data. JR took the lead in drafting the manuscript, supported by JB, OR-R, ED-Z, and AC. JR also participated in study direction, contributed to the scale definition and its application in the case study, and supported the data analysis and interpretation of the data. OR-R took the lead in data collection and participated in study direction, data analysis, and interpretation of the data. ED-Z participated in study direction, data collection, analysis, and interpretation of the data and reviewed the final version of the manuscript. AC resolved discrepancies, acquired funding through a research project, participated in the interpretation of data, and reviewed the final version of the manuscript.
Conflicts of Interest
User's guide (DOCX file, 71 KB)
List of mHealth apps (DOCX file, 108 KB)
- Cat1: category 1
- Cat2: category 2
- Cat3: category 3
- Cat4: category 4
- DPO: data protection officer
- EU: European Union
- GDPR: General Data Protection Regulation
- MARS: Mobile Application Rating Scale
- mHealth: mobile health
- N/A: not applicable
Edited by G Eysenbach; submitted 20.11.19; peer-reviewed by B Richardson, B Brumen; comments to author 20.01.20; revised version received 27.05.20; accepted 22.06.20; published 28.07.20
Copyright
©Jaime Benjumea, Jorge Ropero, Octavio Rivera-Romero, Enrique Dorronzoro-Zubiete, Alejandro Carrasco. Originally published in JMIR mHealth and uHealth (http://mhealth.jmir.org), 28.07.2020.
This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR mHealth and uHealth, is properly cited. The complete bibliographic information, a link to the original publication on http://mhealth.jmir.org/, as well as this copyright and license information must be included.