Privacy and Security in Health Tech: Improving Transparency About Practices

By Daniel J. Solove

Posted on June 16, 2017

Image: Person Using Tablet

Many app developers overlook privacy and security by failing to do one of the most basic first steps of data protection – informing consumers of their practices. For example, in a study published in 2016 in the Journal of the American Medical Association, 80% of diabetes apps surveyed didn’t have a notice informing consumers about privacy practices. Another recent study of thousands of apps involving all topics revealed that nearly 50% lacked a privacy notice. A study by the Future of Privacy Forum in 2016 revealed that “only 70% of top health and fitness apps had a privacy policy.”


These numbers are very problematic. Having a privacy notice is such a fundamental step for protecting privacy. Beyond informing the consumer, the process of creating a privacy notice forces developers to think about the privacy implications of their technology, and it informs experts, NGOs, and regulators about what the technology is doing. This is essential for accountability.


To help address this problem, in 2011, the Federal Trade Commission (FTC) and the HHS Office of the National Coordinator for Health Information Technology (ONC) joined forces to create a Model Privacy Notice for designers of technology involving data to health.


This year, the U.S. Department of Health and Human Services (HHS) held a competition called the Privacy Policy Snapshot Challenge. According to HHS: “The Privacy Policy Snapshot Challenge is a call for designers, developers, and health data privacy experts to create an online Model Privacy Notice (MPN) generator. The MPN is a voluntary, openly available resource designed to help health technology developers who collect digital health data clearly convey information about their privacy and security policies to their users.”


I entered this competition with R. Jason Cronk. Jason is the founder of Enterprivacy Consulting Group, a boutique privacy consulting firm focused on Privacy by Design. He holds a JD from Florida State University and has been recognized by the International Association of Privacy Professionals as a Fellow of Information Privacy. He is a frequent blogger and speaker on privacy issues and tweets through @privacymaverick.


I’m delighted to announce that we have produced the winning MPN tool!


We collaborated on developing this tool because we wanted to help health technology developers generate privacy notices easily and in a way that is understandable to a wide audience. We designed the generator to produce policies that are clear, comprehensible, and visually appealing. We also built the generator so that it would be easy to use by developers.

Image: Privacy Notice Generator

With our tool, as developers input information about their privacy practices in a form on the left side, the tool generates the privacy notice on the right side, showing how it will look to the consumer. The generator tool breaks down the MPN in a simple and visual way and takes developers through it step by step.


The tool also generates raw HTML that the developers can copy and paste into their website for displaying their finalized notice to consumers, allowing for further customization as desired by the developer. The tool uses open source jQuery UI and Bootstrap CSS and the images are provided under the open MIT license. It is available on GitHub or on


We hope to put the concept and architecture of this tool to other uses. We believe it can be of help in many other contexts, and we welcome ideas and suggestions.


As we hope we have demonstrated, technology and design can be used to enhance privacy, making it easier for organizations to improve their privacy practices and better communicate about privacy with consumers.


* * * *


This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.



The preceding is republished on TAP with permission by its author, Professor Daniel Solove. “Privacy and Security in Health Tech: Improving Transparency About Practices” was originally published June 6, 2017 on Professor Solove’s TeachPrivacy blog.