Many of the health-monitoring activities that we used to do in our doctor’s office have moved to the digital world. Smartwatches and apps track our sleep, workouts, diet, and stress levels. We use online portals to check test results, renew prescriptions and make doctor appointments.
Having so much personal health information circulating in cyberspace raises serious privacy concerns. Who has access to our digital health data and what could they do with it?
While nearly two-thirds of Americans say they like being able to manage their health on their devices, most are concerned about the security of their personal data.
While there are good reasons to be concerned, there are also ways to protect your digital health data.
HIPAA and the privacy of your health data
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law signed in 1996 to protect the security of personal health information. HIPAA prevents doctors, hospitals and insurance companies from disclosing your private health data without your permission.
Most health plans and healthcare providers that are governed by HIPAA have safeguards in place “to ensure the confidentiality, integrity and security of individuals’ information,” said Maria Garcia, JD, partner and co-chair of the healthcare practice at Kozyak, Tropin, & Throckmorton, a law firm in Coral Gables, Florida.
The problem with HIPAA is that it was written years before health apps and other digital health information sharing tools became mainstream. HIPAA protects the digital information stored in your electronic health record (EHR), including your medical history, diagnoses, medications, and test results. Your EHR is stored in a digital database accessible to you and your doctors and hospitals, but it is ultimately under your control. HIPAA does not cover health information you share on mobile apps or social media websites.
“HIPAA is largely outdated,” says Brendan Parent, JD, director of transplant ethics and policy research and assistant professor of bioethics and surgery at the NYU Grossman School of Medicine. “It assumed that how data is created and who uses it are the only things that matter in terms of how it should be protected.”
How secure is your digital health information?
Health data is “gold,” says Parent. With so much health information available online, it was only a matter of time before someone tried to exploit it for profit.
In the second half of 2020, hackers broke into more than 21 million patient records, up 177% from a few months earlier. Over 90% of health care organizations have reported at least one data breach in the past 2 years.
Once hackers gain access, they hold patient information for ransom, threatening to disclose names, diagnoses, and other sensitive information if hospitals do not meet their demands for money.
Much less sinister but also worrying are health tracking apps where people share all kinds of personal health information. While there isn’t much risk in revealing how many steps you take each day, sharing information about your menstrual cycle or mental health could be a problem. “It’s the kind of stuff that a lot of people give up, frankly, for free,” said Nicholson Price, JD, PhD, professor of law at Michigan Law.
What Kinds of Health Information Do Businesses Collect?
Many of us quickly click through the terms and conditions pages that detail how a tech company plans to use our health information. And even if we read the fine print, we might not understand the whole story.
In one study, 83% of the diabetes apps the researchers tested had privacy policies on how they collect, store, and use their customers’ personal information. But all of them shared this data with other companies, often without the knowledge of their customers.
We also disclose personal information on our social media pages. “Even a single tweet or Facebook post that at first glance seems unrelated to our personal health and well-being, like ‘I went to the club and enjoyed this song,’ can be correlated with other information that could affect your health,” says Parent.
This additional information may come from your EHR, published by your doctor for medical research purposes. HIPAA requires that 18 key pieces of information that could be used to identify you, such as your name, address, and Social Security number, first be removed from your data.
But by using technologies like artificial intelligence and machine learning, computers can now track you down, even without those data points. “With the advent of big data and artificial intelligence, it’s much easier to take a lot of disparate information and put it together into one big picture,” Price explains.
In the worst-case scenario, a hacker could gain access to important details about your medical history and threaten to expose them if you don’t pay. It is more likely that a business will sell your health information. While your medical history technically cannot be used to discriminate against you, in theory, a life insurance company could buy it and then use it to “increase your insurance rates,” adds Parent.
How to protect your health data
Some states are getting tougher on companies that use personal health data. The California Consumer Privacy Act gives consumers the right to know what personal information businesses collect about them, and to delete that information or prevent its sale.
No matter where you live, you are ultimately the primary custodian of your own digital health information. Price says he doesn’t have any health apps on his phone. “Part of this is because I don’t know exactly how my data will or could be used,” he says.
If you intend to share health information electronically, be careful. Create a strong password – one containing letters, numbers, and symbols – to prevent people from accessing it through your phone or computer.
Finally, think before you post. Don’t put any health information on social media that you wouldn’t want anyone – and everyone – to read.