HIPAA may not cover personal health data that patients disclose online


Many patients share personal health data when they register and use medical apps and websites or share details about their health conditions with others on social media. Digital medicine companies and social media platforms may track this information and use it to develop targeted advertisements to people with specific medical conditions or generate leads for future marketing purposes. The authors of a recent study published in the journal Grounds say most individuals are not fully aware of how they are being tracked and manipulated by digital medicine companies and social media platforms.

HIPAA rules prohibit “covered entities” such as medical practices and hospitals from disclosing protected health information without patient consent. But for data generated outside the “digital walls” of these covered entities, “patients are mostly on their own to understand how companies use their personal and health data, especially when asking about their health status on social media,” wrote investigators Andrea Downing of The Light Collective, an advocacy group based in Eugene, Oregon, and Eric Perakslis, PhD, Chief Science and Digital Officer at Duke Clinical Research Institute in Durham, North Carolina.

The team explored this question in a study of the health advertising tactics of 5 digital medicine companies, with a focus on 5 clinical services. They recruited 10 patient advocates from the hereditary cancer community and asked them to share data on how their online activities were tracked. Participants uploaded and shared their JavaScript Object Notation (JSON) files, which reveal how data is shared between web servers and web applications. Investigators used these files to determine how information flows from health-related websites and apps to Facebook for targeted advertising.

Downing and Dr. Perakslis reviewed the companies’ websites for third-party ad trackers and whether the use of these ad trackers complied with the companies’ own privacy policies. They also looked at Facebook’s ad library for each participant to determine whether health data obtained through these companies influenced the types of ads participants saw.
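The website review described above, as an added example that is not code from the study or the article: it collects the third-party hosts a page loads scripts and pixels from and reports any that a privacy policy does not disclose. The first-party site clinic.example, the sample HTML and the policy allowlist are all constructed for the example.

```python
# Added example (not the study's or the article's code): audit a page's HTML for
# third-party script/pixel hosts and compare them with the policy's disclosures.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical clinic site "clinic.example".
SAMPLE_HTML = """
<html><head>
<script src="https://clinic.example/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=EXAMPLE&ev=PageView" height="1" width="1">
<img src="https://clinic.example/logo.png">
</body></html>
"""

# Constructed: the only third party the hypothetical privacy policy names.
DISCLOSED_THIRD_PARTIES = {"googletagmanager.com"}


class ResourceCollector(HTMLParser):
    """Collect hosts of external resources loaded by <script>, <img>, <iframe>."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None
            if host:
                self.hosts.add(host.lower())


def registrable(host):
    """Crude eTLD+1: keep the last two labels (sufficient for the sample hosts)."""
    return ".".join(host.split(".")[-2:])


def undisclosed_third_parties(html, first_party, disclosed):
    """Return third-party domains the page loads that the policy does not disclose."""
    parser = ResourceCollector()
    parser.feed(html)
    third = {registrable(h) for h in parser.hosts if registrable(h) != first_party}
    return sorted(third - set(disclosed))


if __name__ == "__main__":
    for d in undisclosed_third_parties(SAMPLE_HTML, "clinic.example", DISCLOSED_THIRD_PARTIES):
        print("loads undisclosed third party:", d)
```

The crude eTLD+1 helper is enough for the sample; a real audit would use a public-suffix list and also capture resources injected at runtime, which static HTML parsing cannot see.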

“We have demonstrated that personal data and personal health data can be easily obtained without the aid of highly sophisticated cyberattack techniques but with rather mundane third-party advertising tools,” the authors wrote in an article published in the journal Grounds.

They also observed: “While the tools we have identified are neither good nor bad per se, the application of common ad tools designed for social media marketing can expose sensitive health information in the form of leads. These marketing tools reveal a dark pattern used to track the journeys of vulnerable patients across platforms as they navigate online, which in some ways is unclear to companies and patient populations engaging through Facebook.”

The authors say they hope this new data will spark an overdue dialogue about healthcare privacy and how it affects specific patient populations.

In an interview, Dr. Perakslis pointed out that the role of physicians regarding protected health information is defined by HIPAA, but that is not the case for marketing software designed to disseminate the data as prolifically as possible. “Everyone has to be very careful about the software they use,” Dr. Perakslis said. “Most people don’t know what apps do, and a lot of people have hundreds [of apps].”

The 5 companies included in the analysis provide information or services (including genetic testing) related to hereditary cancer risk. Investigators determined that 2 of the companies’ targeted advertisements complied with their own privacy policies. The other 3 failed to follow their own privacy policies and claims.

Angie Raymond, JD, PhD, director of the Data Management and Information Governance Program at Indiana University and the Department of Business Law and Ethics at the Kelley School of Business, Bloomington, Indiana, said the privacy community has done a great job of bringing HIPAA into the common vernacular. However, it has done a rather poor job of explaining the limitations of the key terms “health” and “covered entity”. Dr. Raymond said this is where things start to fall apart. “It really leaves people and their health data very vulnerable. We need to do much better,” Dr. Raymond said.

Dr. Raymond believes that privacy protections need to be built into the technologies people use. “We need to move existing protections into a digital world,” he said. “We may need to consider creating protections in some new areas that have emerged due to the ubiquitous nature of the digital world and data aggregation. But, without design, we will likely continue to chase our tails.”

Michael S. Sinha, MD, JD, MPH, assistant professor at the Center for Health Law Studies at Saint Louis University School of Law in Missouri, said that when HIPAA was created, Congress had not considered the issue of “retrieving” PHI from a patient’s online portal or other PHI platform, often without their knowledge or consent, for advertising purposes. Dr. Sinha would like to see new federal legislation passed that specifically addresses patient privacy rights.

“This is an emerging issue in healthcare privacy,” Dr. Sinha said. “Technology has advanced, real problems are emerging and it is time for policy makers to act. Passing comprehensive new health privacy legislation that addresses these critical issues by closing privacy gaps is an important next step.”

This article originally appeared on Renal and Urology News