The Journal of Law, Medicine & Ethics, 47 S2 (2019): 154-158. © 2019 The Author(s) DOI: 10.1177/1073110520917041

Privacy and Security Issues with Mobile Health Research Applications

Stacey A. Tovino

Introduction

This article examines the privacy and security issues associated with mobile application-mediated health research, concentrating in particular on research conducted or participated in by independent scientists, citizen scientists, and patient researchers. Building on other articles in this issue that examine state research laws and state data protection laws as possible sources of privacy and security protections for mobile research participants,1 this article focuses on the lack of application of federal standards to mobile application-mediated health research. As discussed in more detail below, the voluminous and diverse data collected by some independent scientists who use mobile applications to conduct health research may be at risk for unregulated privacy and security breaches,2 leading to dignitary, psychological, and economic harms for which participants have few legally enforceable rights or remedies under current federal law.3 Federal lawmakers may wish to consider enacting new legislation that would require otherwise unregulated health data holders to implement reasonable data privacy, security, and breach notification measures.

Background

Privacy and security are fundamental aspects of the ethical conduct of research involving human participants.
Adopted by the World Medical Association (WMA) in 1964, the Declaration of Helsinki established a duty of physicians who are involved in medical research to protect “privacy … and confidentiality of personal information of research subjects.”4 Consistent with the mandate of the WMA, the Declaration of Helsinki is addressed primarily to physician-researchers,5 but it also “encourages others who are involved in medical research involving human subjects to adopt these principles.”6

First prepared by the Council for International Organizations of Medical Sciences (CIOMS) in collaboration with the World Health Organization in 1982, the International Ethical Guidelines for Health-Related Research Involving Humans (Guidelines) address the use of “data obtained from the online environment and digital tools.”7 In particular, the current (2016) Guidelines provide:

When researchers use the online environment and digital tools to obtain data for health-related research they should use privacy-protective measures to protect individuals from the possibility that their personal information is directly revealed or otherwise inferred when datasets are published, shared, combined or linked. Researchers should assess the privacy risks of their research, mitigate these risks as much as possible and describe the remaining risks in the research protocol. They should anticipate, control, monitor and review interactions with their data across all stages of the research.8

The Guidelines also state that researchers should, through an “opt-out procedure,” inform persons whose data may be used in the context of research in the online environment of the purpose and context of the intended data uses, the privacy and security measures used to protect such data, and the limitations of the measures used and the privacy risks that may

Stacey A. Tovino, J.D., Ph.D., is the Judge Jack and Lulu Lehman Professor of Law at the William S. Boyd School of Law, University of Nevada-Las Vegas.