People generally think of health data as information in medical or hospital records, but it can include any personal data related to your health or wellness. Today, an individual can continuously monitor his or her heart rate, sleep patterns or glucose levels without ever involving a doctor or medical provider. One can also get detailed information about his or her genetics or ancestry just by swabbing the inside of the cheek and mailing the swab off to a genetic testing company or laboratory.
People use data from all sorts of sources to make health care decisions. Personal health data can come from insurance claims, pharmacy records, many different health care providers, and mobile or other devices, such as fitness trackers and smartwatches. It turns out even information like one’s income, education or where one lives can be remarkably predictive of certain aspects of his or her health. Research has shown health is determined, in part, by access to social and economic opportunities. These social determinants of health can also be considered health information. And so, the term “health data” is much broader than one may think and can include many types of information.
Our ability to access our own data can be inspiring and motivating and has led to an increased interest in tracking measures of our own personal health and wellness. How many of us are using apps and other wearable devices to set activity goals, including beating yesterday’s step count or improving mindfulness with meditation?
But have you ever wondered who else has access to your health data, other than you? Does anyone else see the steps you walk each day? Or if you have an abnormal heartbeat? Or your genetic makeup?
The answer almost certainly is, yes.
By now you have probably heard of the Health Insurance Portability and Accountability Act, or HIPAA, which was enacted in 1996 and led to the establishment of privacy and security rules to help protect health data. HIPAA is a law that restricts access to some personal health information and limits uses and disclosures of that information. For example, under the law, you must provide consent before your identifiable health information can be used or shared for marketing or is sold for commercial purposes or provided to your employer. HIPAA also mandates that patients have rights related to their data. For example, HIPAA provides patients with the right to see and get a copy of their health records for their own use, to seek a second opinion, to share for research or find out if they are eligible for a clinical trial.
But HIPAA has limitations, and the law does not cover all personal health data. It only covers what we think of as traditional ‘medical information’ – information such as blood tests, electrocardiograms, or doctor notes held by medical providers (like doctors, hospitals, pharmacies, and clinical laboratories) and health plans. It does not protect health data collected by entities outside of the medical system. For example, it does not protect health data collected by commercial or pharmaceutical companies or those that provide direct-to-consumer mobile apps or genetic testing. The data tracked by your smart phone or the device on your wrist are likely not protected by HIPAA. Neither is the information you received from the mail-in genetic test you took.
Remember Maya, who you met earlier? Since her breast cancer diagnosis, she’s met with an oncologist, a radiologist, a plastic surgeon, and her primary care physician. She has also been to her local health clinic several times to receive chemotherapy. Maya thought that her genetics could have played a role in her breast cancer, and she wondered about the genetics information from the mail-in kit she bought. She also uses an app to track her daily steps and eating habits, so she can stay strong and healthy during and after her treatment. As she started to collect all of her information, she wondered who else has access to it. She felt confident her medical providers and insurance company were protecting her data under HIPPA but didn’t know if her other personal information was subject to any protections.
In the U.S., the Federal Trade Commission (FTC) enforces a law prohibiting commercial companies from “unfair” and “deceptive” trade practices, especially when it comes to a customer’s personal health data. This means that companies are expected to adopt reasonable security safeguards to protect data of the people they service. It also means that companies are expected to spell out, in their privacy policies and terms of service, how they handle your personal data, including your personal health data.
In Maya’s case, the privacy policy and terms of service are where she can find information about whether the app that tracks her steps and nutrition sells data to advertisers, or whether the genetic testing company she used provides information on her genome to pharmaceutical companies or other researchers. The FTC enforces the commitments made by companies in their privacy policies and terms of service, so if a company says it doesn’t provide data to advertisers but it turns out it does, that would be considered a deceptive trade practice.
Some states, including California and Virginia, have enacted commercial privacy laws to protect the personal information shared by their residents with commercial companies. Maya doesn’t live in a state with additional privacy protections, so the FTC’s protections against unfair and deceptive trade practices provide some legal accountability practices with her personal data. In addition, the Genetic Information Nondiscrimination Act or GINA limits the ability of employers and health insurers to collect and use genetic data, including in ways that could result in discrimination – but GINA doesn’t apply to all genetic information.
Is there anything more Maya can do to protect her personal health data? Congress is considering legislation to protect consumers’ personal data more broadly – but it could be years before a new law is passed and implemented. Consumer and privacy advocates recommend that everyone “be aware before you share” and review a company’s privacy policy and terms of service before sharing personal health information with a commercial company. By engaging with a mobile health app, sharing medical symptoms on a social media website, or using a direct-to-consumer genetic testing company, you are accepting that company’s privacy policy and terms of service. If you don’t feel you have a clear picture of the company’s data practices – or if you are uncomfortable with their data practices – consider whether you trust that company with your personal health data.
See the following links for additional resources:
- Privacy, Identity & Online Security (FTC): https://www.consumer.ftc.gov/topics/privacy-identity-online-security
- Top Tips for Consumers: Internet of Things Security and Privacy (Internet Society): https://www.internetsociety.org/resources/doc/2018/top-tips-for-consumers-internet-of-things-security-and-privacy/
- 66 Ways to Protect Your Privacy Right Now (Consumer Reports): https://www.consumerreports.org/privacy/66-ways-to-protect-your-privacy-right-now/
- How to Protect Your Digital Privacy (New York Times): https://www.nytimes.com/guides/privacy-project/how-to-protect-your-digital-privacy
*This is the second part in a series of pieces by Susan G. Komen and Ciitizen about the importance of data and data sharing.