The Data and Privacy section of the Framework focuses on data privacy, usage, storage, transmission and clear communications to the user. Examples of items looked for in the privacy policy include:
- Does the privacy policy clearly state that user data will not be used or shared with other parties except as described in the privacy policy, without express consent of the user?
- Does the privacy policy inform the user of where the data is stored and how it is protected in storage and transmission?
- Is the user given the option to withdraw consent at any time?
In addition, the Framework assesses whether there is an explicit statement of compliance with HIPAA requirements. Recognizing that many digital health apps are not required to comply with HIPAA, the Framework rewards those that do comply with those requirements.
Although the GDPR (General Data Protection Regulation) is not legally applicable in the United States, a number of related questions are included, as it is considered a higher standard for data privacy and an appropriate measure for assessment.