Review A Mobile App Using Third Party Guidelines
I am working on this assignment to pick a medical health mobile app and use the Happtique guidelines perform thorough review and validation of the app using a 3rd party guidelines. please pick a good medical health mobile app in the USA to perform the review using the guideline or document attached. There are three different types of apps to be considered such optimized apps, hybrid apps and native apps by using assessment following the Happtique Guidelines or Xcertia guidelines.
Review the Happtique guidelines (now named Xcertia) released back in 2013. Going back to the app you discussed (App I recently discussed is AliveCor KardiaMobile App, but you can use other apps) to conduct a formalized assessment of how the app would perform against the Happtique Standards. You should focus on the four key areas of the Happtique Guidelines (Operability, Privacy, Security, and Content Standards).
You paper should be organized as such. Note that some apps may not fit all the requirements laid out in the guidelines. As such, students are provided a range of latitude in interpreting both the standards and applying the framework against the app selected (the goal is to engage in a rigorous evaluation to inform future decision making). Please use the rubrics to present a solid plagiarism free paper. I will be working of this paper as well while waiting for this one.
This document contains proprietary and confidential information of Xcertia and shall not be used, disclosed or
reproduced, in whole or in part, for any purpose other than to view this document, without the prior written
consent of Xcertia.
2019 Board Approved Xcertia
Guidelines
Issued on: August 12, 2019
Xcertia mHealth App Guidelines 2019
2019 Proprietary & Confidential 2
The Xcertia Guidelines History
Today’s Xcertia Guidelines were first conceived in 2012. As part of the development process, a panel comprised of
thought leaders in the healthcare industry such as the Association of American Medical Colleges, Mobile Marketing
Association, Healthcare Information and Management Systems Society (HIMSS), the U.S. Food and Drug Administration
(FDA), and other federal agencies, was formed. In the spirit of collaboration, and to seek public input, these guidelines
were published for review and comment to maximize public and interested parties’ input.
In 2015 those same guidelines were updated with input from subject matter experts in the key areas of Operability,
Privacy, Security and Content. Shortly thereafter these guidelines were transferred to the newly formed non-profit.
Today, these guidelines now known as the Xcertia Guidelines, are backed by its founding members, the American
Medical Association (AMA), the American Heart Association (AHA), HIMSS, and the DHX Group, with a shared purpose to
provide a level of assurance to clinicians and consumers alike, that the mobile health apps that comply with the
guidelines are vetted to deliver value to the end user.
Under the Xcertia watch, the guidelines were updated in 2017 and then posted on the Xcertia website for public
comment. At the Connected Health Conference 2018 the Privacy and Security sections of the guidelines were again
updated and issued for public comment following that update by the Xcertia Work Groups in these two disciplines.
In February of 2019 the Xcertia Guidelines will have gone through a complete review and editing process by the
organization’s various work groups. These groups consisted of over forty individuals and contained subject matter
experts from a number of healthcare organizations and disciplines with expertise in the various sections within the
guidelines. As part of that effort the Xcertia Guidelines are divided into five sections, Privacy, Security, Usability,
Operability and Content, reflecting the key areas of guidance to ensure mHealth apps deliver true value in a trusted
environment to improve product adoption and use.
Since their release in February of 2019 the guidelines were available for public comment up until May 15, 2019. Those
comments have been considered by the work group leaders and their teams and where appropriate incorporated into
the Final 2019 Version of the Xcertia Guidelines.
Xcertia mHealth App Guidelines 2019
2019 Proprietary & Confidential 3
App Privacy Guidelines
App Privacy (P) Guidelines
Privacy will assess whether a mobile health app protects the user’s information, including Protected Health Information
(PHI), Personal Information (PI), Personally Identifiable Information (PII) in full compliance with all applicable laws, rules
and regulations. Where jurisdictions may conflict, the App Designer shall comply with the more rigorous requirements.
It is incumbent upon the developer to understand the scope and full requirements of the Privacy Rules and potential
notification requirements of the region(s) for which they intend to operate. Developers should have relevant procedures
in place and be able to document those procedures.
Guideline P1 – Notice of Use and Disclosure
The Privacy Notice is externally facing and describes to an app user how the organization collects, uses, and retains their
data (e.g., PHI, PI, PII). This notice should be unbundled from other information notices regarding the application. The
type(s) of data that the app obtains, and how and by whom that information is used, is disclosed to the user in a Privacy
Notice
Requirements for Guideline P1
• P1.01 Access: The identity of any entities that will have access to, collect and/or use of the user’s personal
information, shall be made available and disclosed to the user on an at least an annual basis and shall disclose use
by any parties as a part of the use chain.
• P1.02 Usage: The app publisher shall disclose any and all ownership, rights or licenses to any data collected about
the app and its usage, including the use of any data for commercial purposes.
• P1.03 Material Changes to Use: The app shall have a section (tab, button or equivalent) or active link to its Privacy
Policy, and owner represents that commercially reasonable efforts are used to notify users of any material
changes to its Privacy Policy.
• P1.04 User Registration: If registration is required to use all or some of the app’s features, the user shall be
provided with an explanation as to the uses of the registration information.
• P1.05 Data Collected and Opt Out: User shall be provided (or have access to) a clear list of all data points collected
and/or accessed by the app, including by the app publisher and all third parties such as in-app advertisers. This
includes personal data pertaining to the usage of the app, including but not limited to browsing history, device
Xcertia mHealth App Guidelines 2019
2019 Proprietary & Confidential 4
(e.g., unique identifiers), operating system, and IP addresses. How and from where such data points are collected
shall be disclosed. An Option should exist for user to opt-out of passing data to in-app advertisers.
• P1.06 Data Collected and Disclosed: User shall be provided (or has access to) a clear list of all data points collected
and/or accessed by the app pertaining to the specific user, including user-generated data and data that are
collected automatically about the user through other means or technologies of the app. This includes data points
collected for the purpose of any third-party sharing. How and from where such data points are collected is
disclosed.
• P1.07 Affirmative Consent to Use Data: The app publisher shall obtain affirmative express consent before using
user data in a materially different manner than was previously disclosed when collecting the data or collecting
new data, including for third-party sharing.
• P1.08 Affirmative Consent to Collect Data: The app publisher shall obtain affirmative express consent before
collecting personal data, in particular, Personally Identifiable Information (PII), Personal Health Information (PHI),
financial data or location data, including obtaining HIPAA authorizations where applicable.
• P1.09 Use and Updates of Information: The privacy policy shall inform users how they can get a copy of their
personal information that was collected by the app. A designated individual or toll-free number may be required
to be listed depending on domicile of user. The privacy policy shall also inform users how they can correct and
update information supplied by, or collected about them, held by or on behalf of the owner, or shared with third
parties, including the identity of such third parties, particularly in compliance with the HIPAA Privacy Rule, if
applicable, and any other state or
• international laws, rules, or regulations to the extent applicable.
• P1.10 Do Not Track Mechanism: If not otherwise provided by default, the app shall allow users to control the
collection and use of their in-app browsing data by supporting an online Do Not Track mechanism.
• P1.11 Opt Out or Do Not Contact: If not otherwise provided by default, the app shall allow users to control their
receipt of commercial messages from the app publisher and third parties through an “opt out” option, “do not
contact,” or substantially similar feature.
• P1.12 Sharing of Data: The app publisher shall not share any personal data with third parties, unless the app
publisher: (i) has an agreement with such third party that addresses safeguarding any and all such user data (BAA);
and (ii) takes the necessary measures to anonymize/de-identify all user data in accordance with the Health and
Human Services Safe Harbor guidelines for de-identification.(iii) the user provides an affirmative user consent (iv)
except when expressly disclaimed by app publisher (v) The app publisher has documented this within the Privacy
Policy.
Xcertia mHealth App Guidelines 2019
2019 Proprietary & Confidential 5
• P1.13 User Ability to Delete Data/Accounts: App publisher should allow a user to delete all personal data from
systems if canceling or deleting accounts. This functionality could be accessed by the user in app or by app owner.
• P1. 14 Changes to Privacy Policy: A mechanism shall be in place to notify users of changes to the Privacy Policy.
• P1.15 Consent to Changes in Privacy Policy: A mechanism shall be provided that enables users to acknowledge
and consent to changes to the Privacy Policy.
• P1.16 Notification in Event of Breach: User will be promptly notified (according to state or federal laws or
contractual obligations) if breach occurs that has compromised their information in accordance with applicable
state, federal and country laws.
Guideline P2 – Retention
If data is collected, the user shall be informed about how long the data is retained.
Requirements for Guideline P2
• P2.01 The Privacy Policy shall disclose the retention policy regarding user information. Such statement shall
include policies with respect to data retention under any third-party data sharing arrangement.
• P2.02 Retention and deletion time periods, which are based on clearly defined business needs or legal obligations,
shall be set. If business needs are defined as “in perpetuity,” this shall also be disclosed.
Guideline P3 – Access Mechanisms
The app user is informed, through an End User License Agreement, if the app accesses local resources (e.g., device
address book, mobile and/or LAN network interface, system stored credit card information, GPS and other location-
based services, contacts, camera, photos, SMS or MMS messaging, and Bluetooth) or resources from and/or for social
networking platforms, provided with an explanation by any appropriate means (e.g., the “About” section) as to how and
why such resources are used, and opt-in consent is obtained to access such resources.
Requirements for Guideline P3
• P3.01 If the app accesses any of the mobile device’s native hardware (camera, microphone, GPS/location,
Calendar, Address Book, etc.) the express reason for requiring such access shall be disclosed to the user, separate
from any warning/consent present in the mobile operating system.
Xcertia mHealth App Guidelines 2019
2019 Proprietary & Confidential 6
• P3.02 If the app accesses or uses any Wi-Fi, LAN, or mobile network data connections, an estimate of the amount
of data consumed shall be provided to the user along with a notice that carrier data charges may apply.
• P3.03 If the app accesses social networking sites (such as Facebook, Instagram, or like social media), the reason
why such sites are being accessed is disclosed to the user.
Guideline P4 – Health Insurance Portability and Accountability Act (HIPAA) Entity or
Business Associate
If the app, on behalf of a Covered Entity or a Business Associate (each as defined by HIPAA and the rules thereunder),
collects, stores, and/or transmits information that constitutes Protected Health Information (as defined by HIPAA and
the rules thereunder), it does so in full compliance with HIPAA and all applicable state and international laws, rules and
regulations.
Requirements for Guideline P4
• P4.01 The user can affirmatively opt in or out (at any time) of information shared with or given access by third
parties.
• P4.02 The app publisher certifies that a Business Associate Agreement (BAA) has been executed pursuant to
HIPAA with any and all necessary third parties.
• P4.03 The user can access or request any of his/her Protected Health Information (PHI) collected, stored and/or
transmitted by the app.
• P4.04 The app publisher uses requisite efforts to limit the use and disclosure of PHI, including ePHI, to the
minimum necessary to accomplish the intended purpose (e.g., “need-to- know”).
• P4.05 The publisher must demonstrate that procedures are in place so that in the event of a breach the app
publisher shall notify affected individuals, HHS, and in some cases, the media (news agencies, print, radio, etc.) of
a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60
days following the discovery of a breach.
Guideline P5 – Children’s Online Privacy Protection Act (COPPA)
The app has measures in place to protect children in accordance with applicable laws and regulations if website is
directed at children (see specific guidance Children’s Online Privacy Protection Act).
Xcertia mHealth App Guidelines 2019
2019 Proprietary & Confidential 7
Requirements for Guideline P5
• P5.01 The app provides clear notice of the content that will be made available and its suitability for specific age
groups.
• P5.02 The app includes a clear and conspicuous Privacy Notice/Policy that addresses use by any child under the
age of 13 and prevents usage without verifiable parental authority (please note state laws may have additional
carve out regulations for children).
• P5.03 The app provides for an age verification process—either automatic or self-reported—to control access to
age-restricted content and to minimize the inappropriate collection, use, or disclosure of personal information
from a child.
• P5.04 The app does not, without obtaining verifiable parental/legal guardian consent, collect, use, or disclose data
from any child under the age of 13.
• P5.05 The app enables a parent/legal guardian who becomes aware that the child has provided information
without his/her consent to contact the app publisher and eliminate account/delete that data.
• P5.06 The Privacy Policy provides that the app publisher will delete any child’s personal information upon notice,
or if the App publisher becomes aware or has knowledge, that such information was provided without the
consent of a parent/legal guardian, including information that was shared with a third party.
• P5.07 Apps that are intended for children must have a location default setting that enables parents/legal
guardians to prevent the app from automatically publishing their child’s location.
• P5.08 Apps that are directed at children under the age of 13 will have a default setting that prevents in-app
purchases.
• P5.09 Apps that are directed at children under the age of 13 will have a default setting that prevents usage of
camera and microphone.
Guideline P6 – General Data Protection Regulation (GDPR)
The app has measures in place to comply with applicable laws and regulations related to the European Union General
Data Protection Regulation (GDPR).
Requirements for Guideline P6
• P6.01 Provide Privacy Notice at the time user is providing information to the app. The Privacy Notice should be
available in search feature.
Xcertia mHealth App Guidelines 2019
2019 Proprietary & Confidential 8
• P6.02 The Privacy Notice must be concise (plain language), transparent and accessible. For the Privacy Notice to be
easily readable, key information is at front of notice and in a layered notice approach links are available for
additional information in full version.
• P6.03 The Privacy Notice must include the name of the organization, processor, name and contact details of the
representative, and contact details of the Data Protection Officer (DPO) if a DPO is required.
• P6.04 The Privacy Notice must state the lawful basis, legitimate purposes, and rights available to individuals in
respect of processing.
• P6.05 The user must be informed of the categories/source of personal data obtained if it is obtained from third party
sources. This must be provided within a reasonable period of obtaining the personal data and no later than one
month. Notice must be provided of the recipients of categories of personal data, whether the individuals are under a
statutory or contractual obligation to provide personal data and the details of transfers of personal data to any third
countries or international organizations.
• P6.06 The details and existence of automated decision-making including profiling (if applicable) and the retention
periods for personal data must be provided.
• P6.07 Unexpected uses of user data should be posted on the front page of the Privacy Notice and there must be
separate consent for different uses. A user must be given a simple way to consent to all types of uses listed (e.g. opt
in/opt out boxes for each). If the app is requesting the user to receive direct marketing materials, then there should
be a separate opt out box.