This document contains proprietary and confidential information of Xcertia and shall not be used, disclosed or

reproduced, in whole or in part, for any purpose other than to view this document, without the prior written

consent of Xcertia.

 

2019 Board Approved Xcertia

Guidelines

 

Issued on: August 12, 2019

 

 

Xcertia mHealth App Guidelines 2019

 

2019 Proprietary & Confidential 2

 

 

The Xcertia Guidelines History

 

Today’s Xcertia Guidelines were first conceived in 2012. As part of the development process, a panel comprised of

thought leaders in the healthcare industry such as the Association of American Medical Colleges, Mobile Marketing

Association, Healthcare Information and Management Systems Society (HIMSS), the U.S. Food and Drug Administration

(FDA), and other federal agencies, was formed. In the spirit of collaboration, and to seek public input, these guidelines

were published for review and comment to maximize public and interested parties’ input.

In 2015 those same guidelines were updated with input from subject matter experts in the key areas of Operability,

Privacy, Security and Content. Shortly thereafter these guidelines were transferred to the newly formed non-profit.

Today, these guidelines now known as the Xcertia Guidelines, are backed by its founding members, the American

Medical Association (AMA), the American Heart Association (AHA), HIMSS, and the DHX Group, with a shared purpose to

provide a level of assurance to clinicians and consumers alike, that the mobile health apps that comply with the

guidelines are vetted to deliver value to the end user.

Under the Xcertia watch, the guidelines were updated in 2017 and then posted on the Xcertia website for public

comment. At the Connected Health Conference 2018 the Privacy and Security sections of the guidelines were again

updated and issued for public comment following that update by the Xcertia Work Groups in these two disciplines.

In February of 2019 the Xcertia Guidelines will have gone through a complete review and editing process by the

organization’s various work groups. These groups consisted of over forty individuals and contained subject matter

experts from a number of healthcare organizations and disciplines with expertise in the various sections within the

guidelines. As part of that effort the Xcertia Guidelines are divided into five sections, Privacy, Security, Usability,

Operability and Content, reflecting the key areas of guidance to ensure mHealth apps deliver true value in a trusted

environment to improve product adoption and use.

Since their release in February of 2019 the guidelines were available for public comment up until May 15, 2019. Those

comments have been considered by the work group leaders and their teams and where appropriate incorporated into

the Final 2019 Version of the Xcertia Guidelines.

 

 

 

 

 

 

 

Xcertia mHealth App Guidelines 2019

 

2019 Proprietary & Confidential 3

 

 

App Privacy Guidelines

App Privacy (P) Guidelines

Privacy will assess whether a mobile health app protects the user’s information, including Protected Health Information

(PHI), Personal Information (PI), Personally Identifiable Information (PII) in full compliance with all applicable laws, rules

and regulations. Where jurisdictions may conflict, the App Designer shall comply with the more rigorous requirements.

It is incumbent upon the developer to understand the scope and full requirements of the Privacy Rules and potential

notification requirements of the region(s) for which they intend to operate. Developers should have relevant procedures

in place and be able to document those procedures.

 

Guideline P1 – Notice of Use and Disclosure

The Privacy Notice is externally facing and describes to an app user how the organization collects, uses, and retains their

data (e.g., PHI, PI, PII). This notice should be unbundled from other information notices regarding the application. The

type(s) of data that the app obtains, and how and by whom that information is used, is disclosed to the user in a Privacy

Notice

Requirements for Guideline P1

• P1.01 Access: The identity of any entities that will have access to, collect and/or use of the user’s personal

information, shall be made available and disclosed to the user on an at least an annual basis and shall disclose use

by any parties as a part of the use chain.

• P1.02 Usage: The app publisher shall disclose any and all ownership, rights or licenses to any data collected about

the app and its usage, including the use of any data for commercial purposes.

• P1.03 Material Changes to Use: The app shall have a section (tab, button or equivalent) or active link to its Privacy

Policy, and owner represents that commercially reasonable efforts are used to notify users of any material

changes to its Privacy Policy.

• P1.04 User Registration: If registration is required to use all or some of the app’s features, the user shall be

provided with an explanation as to the uses of the registration information.

• P1.05 Data Collected and Opt Out: User shall be provided (or have access to) a clear list of all data points collected

and/or accessed by the app, including by the app publisher and all third parties such as in-app advertisers. This

includes personal data pertaining to the usage of the app, including but not limited to browsing history, device

 

 

Xcertia mHealth App Guidelines 2019

 

2019 Proprietary & Confidential 4

 

(e.g., unique identifiers), operating system, and IP addresses. How and from where such data points are collected

shall be disclosed. An Option should exist for user to opt-out of passing data to in-app advertisers.

• P1.06 Data Collected and Disclosed: User shall be provided (or has access to) a clear list of all data points collected

and/or accessed by the app pertaining to the specific user, including user-generated data and data that are

collected automatically about the user through other means or technologies of the app. This includes data points

collected for the purpose of any third-party sharing. How and from where such data points are collected is

disclosed.

• P1.07 Affirmative Consent to Use Data: The app publisher shall obtain affirmative express consent before using

user data in a materially different manner than was previously disclosed when collecting the data or collecting

new data, including for third-party sharing.

• P1.08 Affirmative Consent to Collect Data: The app publisher shall obtain affirmative express consent before

collecting personal data, in particular, Personally Identifiable Information (PII), Personal Health Information (PHI),

financial data or location data, including obtaining HIPAA authorizations where applicable.

• P1.09 Use and Updates of Information: The privacy policy shall inform users how they can get a copy of their

personal information that was collected by the app. A designated individual or toll-free number may be required

to be listed depending on domicile of user. The privacy policy shall also inform users how they can correct and

update information supplied by, or collected about them, held by or on behalf of the owner, or shared with third

parties, including the identity of such third parties, particularly in compliance with the HIPAA Privacy Rule, if

applicable, and any other state or

• international laws, rules, or regulations to the extent applicable.

• P1.10 Do Not Track Mechanism: If not otherwise provided by default, the app shall allow users to control the

collection and use of their in-app browsing data by supporting an online Do Not Track mechanism.

• P1.11 Opt Out or Do Not Contact: If not otherwise provided by default, the app shall allow users to control their

receipt of commercial messages from the app publisher and third parties through an “opt out” option, “do not

contact,” or substantially similar feature.

• P1.12 Sharing of Data: The app publisher shall not share any personal data with third parties, unless the app

publisher: (i) has an agreement with such third party that addresses safeguarding any and all such user data (BAA);

and (ii) takes the necessary measures to anonymize/de-identify all user data in accordance with the Health and

Human Services Safe Harbor guidelines for de-identification.(iii) the user provides an affirmative user consent (iv)

except when expressly disclaimed by app publisher (v) The app publisher has documented this within the Privacy

Policy.

 

 

Xcertia mHealth App Guidelines 2019

 

2019 Proprietary & Confidential 5

 

• P1.13 User Ability to Delete Data/Accounts: App publisher should allow a user to delete all personal data from

systems if canceling or deleting accounts. This functionality could be accessed by the user in app or by app owner.

• P1. 14 Changes to Privacy Policy: A mechanism shall be in place to notify users of changes to the Privacy Policy.

• P1.15 Consent to Changes in Privacy Policy: A mechanism shall be provided that enables users to acknowledge

and consent to changes to the Privacy Policy.

• P1.16 Notification in Event of Breach: User will be promptly notified (according to state or federal laws or

contractual obligations) if breach occurs that has compromised their information in accordance with applicable

state, federal and country laws.

 

Guideline P2 – Retention

If data is collected, the user shall be informed about how long the data is retained.

Requirements for Guideline P2

• P2.01 The Privacy Policy shall disclose the retention policy regarding user information. Such statement shall

include policies with respect to data retention under any third-party data sharing arrangement.

• P2.02 Retention and deletion time periods, which are based on clearly defined business needs or legal obligations,

shall be set. If business needs are defined as “in perpetuity,” this shall also be disclosed.

 

Guideline P3 – Access Mechanisms

The app user is informed, through an End User License Agreement, if the app accesses local resources (e.g., device

address book, mobile and/or LAN network interface, system stored credit card information, GPS and other location-

based services, contacts, camera, photos, SMS or MMS messaging, and Bluetooth) or resources from and/or for social

networking platforms, provided with an explanation by any appropriate means (e.g., the “About” section) as to how and

why such resources are used, and opt-in consent is obtained to access such resources.

Requirements for Guideline P3

• P3.01 If the app accesses any of the mobile device’s native hardware (camera, microphone, GPS/location,

Calendar, Address Book, etc.) the express reason for requiring such access shall be disclosed to the user, separate

from any warning/consent present in the mobile operating system.

 

 

Xcertia mHealth App Guidelines 2019

 

2019 Proprietary & Confidential 6

 

• P3.02 If the app accesses or uses any Wi-Fi, LAN, or mobile network data connections, an estimate of the amount

of data consumed shall be provided to the user along with a notice that carrier data charges may apply.

• P3.03 If the app accesses social networking sites (such as Facebook, Instagram, or like social media), the reason

why such sites are being accessed is disclosed to the user.

 

Guideline P4 – Health Insurance Portability and Accountability Act (HIPAA) Entity or

Business Associate

If the app, on behalf of a Covered Entity or a Business Associate (each as defined by HIPAA and the rules thereunder),

collects, stores, and/or transmits information that constitutes Protected Health Information (as defined by HIPAA and

the rules thereunder), it does so in full compliance with HIPAA and all applicable state and international laws, rules and

regulations.

Requirements for Guideline P4

• P4.01 The user can affirmatively opt in or out (at any time) of information shared with or given access by third

parties.

• P4.02 The app publisher certifies that a Business Associate Agreement (BAA) has been executed pursuant to

HIPAA with any and all necessary third parties.

• P4.03 The user can access or request any of his/her Protected Health Information (PHI) collected, stored and/or

transmitted by the app.

• P4.04 The app publisher uses requisite efforts to limit the use and disclosure of PHI, including ePHI, to the

minimum necessary to accomplish the intended purpose (e.g., “need-to- know”).

• P4.05 The publisher must demonstrate that procedures are in place so that in the event of a breach the app

publisher shall notify affected individuals, HHS, and in some cases, the media (news agencies, print, radio, etc.) of

a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60

days following the discovery of a breach.

 

Guideline P5 – Children’s Online Privacy Protection Act (COPPA)

The app has measures in place to protect children in accordance with applicable laws and regulations if website is

directed at children (see specific guidance Children’s Online Privacy Protection Act).

 

 

 

 

Xcertia mHealth App Guidelines 2019

 

2019 Proprietary & Confidential 7

 

Requirements for Guideline P5

• P5.01 The app provides clear notice of the content that will be made available and its suitability for specific age

groups.

• P5.02 The app includes a clear and conspicuous Privacy Notice/Policy that addresses use by any child under the

age of 13 and prevents usage without verifiable parental authority (please note state laws may have additional

carve out regulations for children).

• P5.03 The app provides for an age verification process—either automatic or self-reported—to control access to

age-restricted content and to minimize the inappropriate collection, use, or disclosure of personal information

from a child.

• P5.04 The app does not, without obtaining verifiable parental/legal guardian consent, collect, use, or disclose data

from any child under the age of 13.

• P5.05 The app enables a parent/legal guardian who becomes aware that the child has provided information

without his/her consent to contact the app publisher and eliminate account/delete that data.

• P5.06 The Privacy Policy provides that the app publisher will delete any child’s personal information upon notice,

or if the App publisher becomes aware or has knowledge, that such information was provided without the

consent of a parent/legal guardian, including information that was shared with a third party.

• P5.07 Apps that are intended for children must have a location default setting that enables parents/legal

guardians to prevent the app from automatically publishing their child’s location.

• P5.08 Apps that are directed at children under the age of 13 will have a default setting that prevents in-app

purchases.

• P5.09 Apps that are directed at children under the age of 13 will have a default setting that prevents usage of

camera and microphone.

 

Guideline P6 – General Data Protection Regulation (GDPR)

The app has measures in place to comply with applicable laws and regulations related to the European Union General

Data Protection Regulation (GDPR).

 

Requirements for Guideline P6

• P6.01 Provide Privacy Notice at the time user is providing information to the app. The Privacy Notice should be

available in search feature.

 

 

Xcertia mHealth App Guidelines 2019

 

2019 Proprietary & Confidential 8

 

• P6.02 The Privacy Notice must be concise (plain language), transparent and accessible. For the Privacy Notice to be

easily readable, key information is at front of notice and in a layered notice approach links are available for

additional information in full version.

• P6.03 The Privacy Notice must include the name of the organization, processor, name and contact details of the

representative, and contact details of the Data Protection Officer (DPO) if a DPO is required.

• P6.04 The Privacy Notice must state the lawful basis, legitimate purposes, and rights available to individuals in

respect of processing.

• P6.05 The user must be informed of the categories/source of personal data obtained if it is obtained from third party

sources. This must be provided within a reasonable period of obtaining the personal data and no later than one

month. Notice must be provided of the recipients of categories of personal data, whether the individuals are under a

statutory or contractual obligation to provide personal data and the details of transfers of personal data to any third

countries or international organizations.

• P6.06 The details and existence of automated decision-making including profiling (if applicable) and the retention

periods for personal data must be provided.

• P6.07 Unexpected uses of user data should be posted on the front page of the Privacy Notice and there must be

separate consent for different uses. A user must be given a simple way to consent to all types of uses listed (e.g. opt

in/opt out boxes for each). If the app is requesting the user to receive direct marketing materials, then there should

be a separate opt out box.