Lucy Van Kleunen, PhD Student, University of Colorado Boulder

Stephen Voida, Professor, University of Colorado Boulder

Controlling Disclosure of Personal Health Data

Features that improve how patients with chronic disease manage access to personal health data from self-tracking applications



The problem:

Many individuals monitor chronic health conditions using self-tracking applications and smartwatches or fitness bands. These tools can enable people to share biometric or self-reported health data with their healthcare providers and members of their informal support networks.

Sharing data can help individuals managing chronic health conditions receive support. However, applications have to be carefully designed to prevent accidental disclosure of sensitive data points, and to allow individuals with chronic health conditions to negotiate data access in the context of their various relationships. For example, an individual might choose to share more fine-grained or behaviorally revealing data with only a small, trusted circle of family members. They might make some data available to a dynamic group of close friends whose membership shifts as levels of trust and closeness change over time. They might make sure that their medical providers, who need to allocate sparse time and attention to interpreting data for diagnostic or ongoing wellness assessment purposes, receive only necessary and non-extraneous data.

Application designers cannot make assumptions about how data should be shared from health applications because users have varying privacy preferences and contexts. Health applications and services of the future will require thoughtful design and policy.

The solution:

One solution is to allow a user to have fine-grained control over what data types and data points are shared. The user can control who their data is shared with, at what frequency, at what level of aggregation, and whether each disclosure requires their explicit consent. The user can decide not to share sensitive data types or specific data points that are sensitive due to when or where they were logged.

Their data is securely stored on a personal device or in cloud storage associated with a personal account, rather than in a centralized medical database. Disclosure of this data is entirely in the individual’s control, whether it is shared with medical providers, members of their informal support network, the application developers, or third parties. Medical providers can then use this data to speed up the intake process for appointments, confirm diagnoses, or adjust care plans. Family members and friends can help monitor an individual’s condition and offer them support.

Who is this for?

  • Individuals managing chronic health conditions, including conditions that are laden with stigma for which accidental disclosure is a major risk

  • The family members and friends of individuals monitoring chronic health conditions

  • Healthcare professionals and caregivers

  • This solution might also be extended to individuals who track health data for reasons other than monitoring chronic health conditions, such as for monitoring progress towards a fitness goal


Itoro is a young man with bipolar disorder. He uses HealthApp to keep track of biometric and sleep data from a smartwatch, as well as to self-report his mood level and medication compliance. His clinician, Dr. Moreno, works with Itoro to manage his care plan and will often request to see Itoro's recent data before they meet. Itoro also gives access to some of his health data to Xavier, his close friend, who helps him monitor his condition.

Use Case:

Itoro receives a request from his doctor to share data before their next appointment. He reviews the request. He decides to exclude his Heart Rate data because he knows that his smartwatch wasn’t working for the last week and there are some data errors.

Itoro edits his Mood Level data for the past two weeks in more detail. He adjusts the time windows for which data is reported on some days. He is also able to add data points for days that he forgot to log. When he is done, he returns to the request and approves it.

Dr. Moreno receives the data from Itoro. She is able to see that Itoro has excluded his Heart Rate data and made some modifications to the Mood Level data. She plans to discuss the data with Itoro in their next appointment, as well as to ask him about what modifications he made to the data and why.


Itoro also adds his friend Xavier in HealthApp. He gives Xavier access to daily summaries of some of his data and indicates that he wants to review the data each day before it is sent.
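The per-recipient disclosure policy described under "The solution" and exercised in the use case above, as an added example that is not part of the original page or of HealthApp: each recipient gets a policy naming the data types they may see, the aggregation level (raw points or daily summaries), days whose readings are excluded, and whether each disclosure is held until the individual reviews it. The readings, policy fields and names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, datetime
from statistics import mean


@dataclass
class Reading:
    data_type: str
    when: datetime
    value: float


@dataclass
class SharePolicy:
    recipient: str
    data_types: set            # only these types are ever disclosed to this recipient
    aggregation: str           # "raw" or "daily_summary"
    excluded_days: set = field(default_factory=set)  # points logged on these days are withheld
    requires_review: bool = False  # hold the disclosure until the individual approves it


def apply_policy(readings, policy, approved=False):
    """Return what may leave the device for this recipient, or None while held for review."""
    if policy.requires_review and not approved:
        return None
    kept = [r for r in readings
            if r.data_type in policy.data_types and r.when.date() not in policy.excluded_days]
    if policy.aggregation == "raw":
        return [(r.data_type, r.when.isoformat(), r.value) for r in kept]
    # Daily summary: one mean value per (type, day); individual points are never disclosed.
    buckets = {}
    for r in kept:
        buckets.setdefault((r.data_type, r.when.date()), []).append(r.value)
    return [(t, d.isoformat(), round(mean(vals), 1)) for (t, d), vals in sorted(buckets.items())]


# Constructed sample readings (not real data); 2024-03-02 heart rate reflects a faulty watch.
SAMPLE = [
    Reading("heart_rate", datetime(2024, 3, 1, 8, 0), 72.0),
    Reading("heart_rate", datetime(2024, 3, 2, 8, 0), 190.0),
    Reading("mood", datetime(2024, 3, 1, 9, 0), 6.0),
    Reading("mood", datetime(2024, 3, 1, 21, 0), 4.0),
    Reading("mood", datetime(2024, 3, 2, 9, 0), 3.0),
    Reading("sleep_hours", datetime(2024, 3, 1, 7, 0), 7.5),
]

# Clinician: raw mood and sleep, heart rate excluded as a type (hypothetical policy values).
CLINICIAN = SharePolicy("Dr. Moreno", {"mood", "sleep_hours"}, "raw")
# Friend: daily mood summaries only, one day withheld, each send reviewed first.
FRIEND = SharePolicy("Xavier", {"mood"}, "daily_summary",
                     excluded_days={date(2024, 3, 2)}, requires_review=True)
```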

Related Research

  • Elizabeth L. Murnane, Tara G. Walker, Beck Tench, Stephen Voida, and Jaime Snyder. 2018. Personal Informatics in Interpersonal Contexts: Towards the Design of Technology that Supports the Social Ecologies of Long-Term Mental Health Management. Proc. ACM Hum.-Comput. Interact. 2, CSCW, Article 127 (November 2018), 27 pages. DOI: