Recovery Record: Eating Disorder Management

Aviso: *privacidade não incluída neste produto

Recovery Record: Eating Disorder Management

Data da avaliação: 11 de Maio de 2022

|
A Mozilla investigou por 10 horas
|

Opinião da Mozilla

|
Votos das pessoas: Não é assustador

Recovery Record makes two separate apps to help people manage eating disorders. The first is targeted at patients and is free to download and use. Called Recovery Record: Eating Disorder Management, this apps helps users keep track of their meals, create customized meal plans and eating schedules, send and receive anonymous encouraging messages with other users, and share their recovery journey with their treatment team.

The second app, called Recovery Record for Clinicians, is designed to let eating disorder treatment professionals engage with their patients between visits to help keep them on track in their recovery. The app for clinicians requires a subscription, costing between $9 - $80.

How do these apps look from a privacy perspective? Well, when we first published our review of Recovery Record, users could sign in using the weak password "111111", we couldn't determine if they used encryption or had a way to manage security vulnerabilities, and their privacy policy raised a number of concerns for us. After publishing our review, Recovery Record reached out to us and worked to to better their password requirement to now require a strong password, clarified their use of encryption and how they manage security vulnerabilities, so we can now confirm they meet our Minimum Security Standards. And they updated and clarified some parts of their privacy policy. We appreciate the work they did to make their app better. We still have a few concerns based on their privacy policy, but Recovery Record seems willing to improve and we like that.

O que pode acontecer se algo der errado?

Recovery Record updated their privacy policy in May, 2022 after we published our review. They have since clarified some things in their privacy policy that help us feel better about some of the concerns we have. We still have a few questions about their privacy practices, but less than before.

Recovery Record can collect a fair amount of personal and usage data, including name, age, gender, city/town, and email address. They also say "clinicians and support persons involved in your care may provide us information, including protected health information, about you." They do say US HIPAA privacy laws requires them "to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of this information." This is a fine line it seems many mental health apps walk -- the line between the privacy protections therapists are required to follow under HIPAA laws and the current data economy apps operate under that leads to the collection of personal information to provide and market their paid services.

Recovery Record also may collect anonymized or aggregate data and "use it for any purpose." That's a pretty broad statement. Especially because it's been shown to be pretty easy to re-identify user data.

Another line from Recovery Record's privacy policy that leaves us just a little worried "From time to time, we may desire to use information about you for uses not previously disclosed in this Privacy Policy. If our practices change regarding previously collected information in a way that would be materially less restrictive than stated in the version of this Privacy Policy in effect at the time we collected the information, we will make reasonable efforts to provide notice and obtain consent to any such uses as may be required by law." All that sounds like it could be fine. However, as The Verge pointed out, mental health apps can change their privacy policies at any time and they don't always make a lot of effort to let users know when their privacy practices have changed. Hopefully Recovery Record will ensure all users know when and if their privacy polices changes.

We'll end with one more statement from Recovery Record's privacy policy that serves as a warning for everything shared on the internet, "Unfortunately, the Internet and mobile networks over which our Services are delivered cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information you provide to us. We do not accept liability for unintentional disclosure. " What's the worst that could happen. Well, we worry that your very sensitive eating disorder information could wind up in the hands of someone you really don't want to have that information and that doesn't sound healthy at all. Hopefully that will never happen.

Dicas para se proteger

  • Do not provide consent for sharing personal data with third parties, whenever possible.
mobile Privacidade aviso Segurança Inteligência artificial

Pode me bisbilhotar? informações

Câmera

Dispositivo: Não aplicável

Aplicativo: Sim

Microfone

Dispositivo: Não aplicável

Aplicativo: Não

Rastreia localização

Dispositivo: Não aplicável

Aplicativo: Não

O que pode ser usado para se inscrever?

Que dados a empresa coleta?

Como a empresa usa esses dados?

After we published our review of Recovery Record, they updated their privacy policy on May 2, 2022 to clarify some of the concerns we had.

Recovery Record said in their privacy policy published in 2019 they "do not rent, sell, or share information about you with other people or non affiliated companies for their direct marketing purposes, unless they have your permission." In May, 2022 they updated that to say they, "do not rent, sell, or share information about you with other people or non affiliated companies for their direct marketing purposes." We appreciate this clarification.

"Except as otherwise described in this Privacy Policy, we will not disclose information that we collect about you on the Services to third parties without your consent." We're unsure what this consent looks like.

"We use the information we collect about and from you for a number of purposes, including: providing, supporting, and improving the services we offer, analyzing how you use the Services, and better tailoring features." According to this statement, it seems Recovery Record could use your data for personalization and targeted advertising purposes. However, the company told us currently, "Our services do not include advertising so we wouldn’t be able to share data relating to advertising." It does seem their privacy policy leaves them room to change that in the future.

The provider may send you promotional emails or other information about the products or services they offer.

"To the extent permitted by applicable law, we may de-identify your information and process it in an anonymous and/or aggregated form."

If your account is linked to the clinicians' organizations, the organizations may see information, including protected health information, about you. Linked organizations may use the information available through the Services for medical diagnosis, treatment, and general analysis reporting purposes. An organization will not be able to view any message like text such as clinician messages, team chat messages, linking messages.

Como você pode controlar seus dados?

Recovery Record says, "If you would like to update or correct any information that you have provided to us through your use of the Services or otherwise, you may use the functionality of the Services to change or delete such information."

No data retention details are provided. Which means we don't know how long Recovery Record will hold onto any data you provide them. They mentioned to us they will possibly add this into their privacy policy in the future.

Qual é o histórico conhecido da empresa na proteção de dados dos usuários?

Médio

No known privacy or security incidents discovered in the last 3 years.

Informações de privacidade infantil

Recovery Record do not knowingly collect, maintain, or use personal information from children under 13 years of age, and no part of the Services are directed to children under the age of 13.

Este produto pode ser usado offline?

Não

Informações de privacidade fáceis de entender?

Não

Links para informações de privacidade

Este produto atende aos nossos padrões mínimos de segurança? informações

Sim

Criptografia

Sim

Data is encrypted in transit (TLS). PHI and PII are encrypted in the database (AES). A KMS is used to manage keys. EBS (disks) partitions are encrypted. Backups are encrypted.

Senha forte

Sim

When we first reviewed Recovery Record, the weak password "11111111" is allowed. Since we published our review, Recovery Record has updated their password requirements to now require a strong password which we love to see.

Atualizações de segurança

Sim

Gerencia vulnerabilidades

Sim

While Recovery Record doesn't have a bug bounty program, they do say they have policies and procedures that have been reviewed by third party assessors as part of the HITRUST certification process. Anyone can contact them through https://www.recoveryrecord.com/contact to report a security vulnerability.

Política de privacidade

Sim

O produto usa inteligência artificial? informações

Não


Novidades

The Best Eating Disorder Recovery Apps for 2022
Healthline
If properly vetted and used as a supplement to appropriate medical care, technology can be helpful in eating disorder recovery. There are apps that can help you understand how to monitor your habits, improve your mental health, and take positive steps toward a stronger mind and body.
Mental health app privacy language opens up holes for user data
The Verge
Even if you do a close, careful read of a privacy policy before signing up for a digital mental health program, and even if you feel really comfortable with that policy — sike, the company can go back and change that policy whenever they want. They might tell you — they might not.
Eating Disorders: How mHealth Apps May Improve Treatment Adherence
Psycom Pro
How do mHealth apps work for eating disorder management? In general, mobile health apps can easily replace pen-and-paper methods of implementing the CBT concept of self-monitoring, and that removes the possibility of a patient forgetting to bring their journal to a session. These apps allow users to engage in self-monitoring by logging meals, thoughts, feelings, and behaviors and gives them easy access to coping tactics. Additional features are included in some apps.
Recovery Record app
Health Navigator
This app is designed for people dealing with eating disorders. It allows users to record their meals, thoughts, feelings and behaviours. Users can set customised goals and track their progress towards achieving these. It provides ‘rewards’ for goals achieved. Users also have the option to share their information with their treatment providers. Clinicians can download a matching app.
Researchers spotlight the lie of ‘anonymous’ data
TechCrunch
Researchers from two universities in Europe have published a method they say is able to correctly re-identify 99.98% of individuals in anonymized data sets with just 15 demographic attributes. Their model suggests complex data sets of personal information cannot be protected against re-identification by current methods of “anonymizing” data — such as releasing samples (subsets) of the information.
How to Create a Mental Health App to Track Anxiety and Depression
aimprosoft
Because of isolation caused by the pandemic, people cannot always visit a psychologist, which has increased demand for helpful digital solutions and made the number of mental health applications skyrocket, topping over 20,000 mental health applications in the App Store and Play market
Summary of the HIPAA Privacy Rule
U.S. Department of Health and Human Services
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

Comentários

Tem um comentário a fazer? Nos diga.