Privacy & Security of Health Data in an Age of Risky Digital Business
But how safe is our information, really? Lately, major breaches have occurred from hackers attacking insurance companies. And HIPAA does not necessarily protect personal health information created by digital health companies, such as makers of apps and wearables. This article discusses the privacy and security issues facing health data in an increasingly digital health care system.
Before we begin, sometimes it's nice to review the difference between privacy and security:
- Data security is keeping data confidential, and it involves the processes put in place to make sure the information is not accessed or used by unauthorized people. There are three types of security risks associated with the different types of offsite use or remote access of electronic personal health information (EPHI): access, storage and transmission.
- Data privacy is appropriately using data entrusted to companies or people according to the agreed purposes. Most of the time this is outlined in privacy policies.
Recently, Anthem Blue Cross experienced a massive data breach when hackers broke into a database using a stolen password. Anthem's access policies failed, as did its storage policies: Anthem did not encrypt the information in the files. The consequences of this are staggering:
- Theft of 80 million records of both employees and customers occurred. [3]
- Experts expect this to cost over $100 million in damages. [3]
- In less than a month, over 50 class-action lawsuits were filed. [4]
Yes, we know it will cost Anthem a lot of money, but more concerning is what this kind of breach will mean for patients. Medical identity theft and identity theft are not uncommon, and all a thief needs is your name, address, and social security number to open up credit cards in your name and file for health insurance. It's stupidly easy.
Now, if HIPAA covered entities (health plans, health clearinghouses, health care providers, business associates) aren't protecting health information or ensuring privacy standards are upheld, what about companies and products that aren't subject to HIPAA? Can we expect these entities to do a better job? What if you are a doctor interested in prescribing health trackers or apps to your patients (and I am one of them)?
A good piece of advice is: always read the privacy & security policies! If a company promises to protect the information and promises that it will not share or sell it, you can reasonably expect it to be worth your trust. But the underlying reality is that most health apps are free for a reason: the gray market of health information data brokering.
One of the most loved wearable fitness trackers is Misfit. I use this device to track my activity levels and sleep. I read their privacy policy earlier this year and then again after they recently updated it. It clearly states that they collect the following personally identifying health information on each user:
- your first and last name, photo, gender, height, weight, date of birth, email address, telephone number, postal addresses, and your mobile device’s geolocation data (if you grant this permission)
- your social network sign-on credentials and contacts from your address book (only if you voluntarily import your contacts from sites like Facebook, Twitter, etc.) and information from your social networks (which depends on your privacy settings on that network)
- detailed physical information including when you are asleep, when you are awake, when you are idle, your activity intensity and duration, the food you’ve eaten (if you track this manually).
But their privacy policy also says,
"We may get personal information about you from other sources. We may add this information to the information we have already collected from you in order to improve the products and services we provide."
Getting personal information about you from other sources is another term for data brokering. Misfit also recently added a clause to the end of the sentence in its privacy policy that describes its stance on selling my personal data:
- Previous policy: "Misfit.com does not share, sell, or rent personally identifiable information with independent companies for their own use without providing you a choice."
- New policy: "Misfit does not share, sell, or rent personally identifiable information with independent companies for their own use without providing you a choice other than those stated below." One of those reasons stated is: "Using your personal data to develop and improve marketing and advertising for the Services and partner services."
In case you missed it, this new policy states that the company will not share or sell your personally identifiable information to independent companies without providing you a choice, but it can and will use your information to develop and improve marketing and advertising for its services and its partners' services.
I wasn't sure who Misfit partnered with, so I did a Google search and found this article, which said,
"Initial partnerships include support from Azumio, Betterise, Digifit, Everymove, FitnessSyncer, Fitt, Glow, Humana, HumanAPI, Hyjiya, IFTTT, Jiff, Lose it!, MapMyFitness, MatchUp.io, MedHelp, MyFitnessPal, N-Gine Innovation, Pebble, Pryv, RedBrick, RunKeeper, SK Telecom, Coca-Cola Company, TheThings.io, Tictrac, TRAQS.me, Validic, Virgin Pulse, Visionarity, Walgreens and WeFitter."
If this gray area of privacy makes you nervous, Misfit states that:
"You may send requests about personal information to our contact information below. You can request to change contact choices and marketing choices and to update, review, delete or change your personal information. We will use commercially reasonable efforts to honor your request. We may retain an archived copy of your records as required by law or for legitimate business purposes."
I'm surprised they have not made this available through their privacy settings. At least on Facebook I have some control over my privacy, whereas with a lot of digital health apps, wearables, and devices, most of your control is something that you have to manually exercise by contacting the company. This is unfortunate. I can opt out of Google ad tracking with a few clicks, but I can't opt out of personal health information data brokering without emailing the company directly.
I am not sure how all of my fitness trackers and apps are profiling me, because I have not checked every privacy policy of every type of technology I have used. I know that for me and many other physicians, the barrier to adopting certain types of digital health technology in my practice is the uncertainty around the privacy and security of my patients' information.
Until privacy and security are clarified for the digital health sector, we're going to continue to see a slow adoption of new and innovative technological advances by mainstream medicine.
There is good news ahead. Companies like Anonos have emerged to tackle this important issue head-on. What I hope to see is large platforms like Apple, Google, Amazon, Intel, and Microsoft addressing health data privacy in a transparent and steadfast manner. It's reasonable to expect downstream app and wearable technology developers to follow the example set by these big technology companies. If this happens, the future of digital health will be much safer and brighter for everyone.
Works Cited:
[1] Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.
[2] Department of Health and Human Services HIPAA Security Guidance.
[3] Cost of Anthem's Data Breach Likely to Exceed 100 Million.
[4] Legal liabilities in recent data breach extend far beyond Anthem.
[5] Information Privacy in the Evolving Healthcare Environment.
[7] Misfit announces developer toolkit, list of more than 30 initial partners.