The data Sage receives from the medical research apps contains health and personal information including a person's name, email address and date of birth. Sage then strips out the personal information, encrypts it and stores the data on a server. A randomly generated code is associated with the person's study data, "and maintains an encrypted mapping between participant account and participant study data," said Suver.
Only study organizers and IT staff can access the research data, which is stored on a secure cloud server, said Suver, reiterating that the information is even off limits to Apple.
HIPAA (Health Insurance Portability and Accountability Act) regulations don't apply to data that is acquired and shared for research, said Suver. HIPAA is a U.S. law designed to protect people's health care information.
"Instead, the informed consent that a participant agrees to governs how the data can be used," she said.
Still, the data is encrypted when it is transmitted to Sage and the cloud systems storing the information are HIPAA compliant, said Eric Schadt, director of the Icahn Institute at Mount Sinai. "We meet or exceed industry standards regarding the secure communication and storage of sensitive data," he said.
Personal details like first and last names, signatures and email addresses are required in any medical study, said Alan Yeung, a cardiologist at Stanford Medicine who was involved with the development of the hospital's app, MyHeart Counts, which deals with heart health. A signature shows people have agreed to take part in the research and an email address is necessary to send participants the study's results, he added.
Signing the consent form gives Stanford Medicine researchers access to the health data. Stanford Medicine may share aggregated data with other approved researchers who request it, said Yeung. Participants, though, have the option of opting out of having their data included in the aggregate data set.
In cases where the data is shared with researchers outside of Stanford Medicine, it does not contain personal information since it is compiled, said Yeung. Researchers, for example, could ask to see the aggregate data on the average distance a person walks when exercising.
The health data collected by the medical study app can't be linked to a phone number nor shared with for-profit organizations or insurance companies, said Yeung.
However, Stanford Medicine will have the key to identify people who participate in the smartphone medical research studies. The hospital would only identify a person if it needed to contact them because of a problem, said Yeung.
Sign up for CIO Asia eNewsletters.