HIPAA May Not Cover Personal Health Data Patients Disclose Online

A young woman scans drugs with her mobile phone at a pharmacy
Credit: Getty Images
HIPAA protects patients from unauthorized disclosure of personal information by covered entities such as medical practices and hospitals, but out from under the HIPAA umbrella, patients are mostly on their own, according to the authors of a recent report.
Personal health information that patients divulge to digital medical companies and on social media is used to generate targeted ads.

Many patients share personal health data when they sign up for and use medical apps and websites or share details of their health issues with others on social media. Digital medicine companies and social media platforms may be tracking this information and using it to develop targeted ads aimed at individuals with specific medical problems or generate leads for future marketing purposes. The authors of a recent study published in the journal Patterns say most individuals are not fully aware of how they are being followed and manipulated by digital medicine companies and social media platforms.

HIPAA rules bar “covered entities” such as medical practices and hospitals from disclosing protected health information without patients’ consent. But for data generated outside of “the digital walls” of these covered entities, “patients are mostly on their own with respect to understanding how companies utilize their personal and health data, especially when asking questions about their health conditions on social media,” wrote investigators Andrea Downing of The Light Collective, an advocacy group based in Eugene, Oregon, and Eric Perakslis, PhD, Chief Science and Digital Officer at the Duke Clinical Research Institute in Durham, North Carolina.

The team explored this issue in a study of health-advertising tactics of 5 digital medicine companies, with a focus on 5 clinical services. They recruited 10 patient advocates in the hereditary cancer community and asked them to share data on how their online activities were being tracked. The participants downloaded and shared their JavaScript Object Notation (JSON) files, which reveal how data are shared between web servers and web apps. The investigators used these files to determine how information flows from health-related websites and apps to Facebook to target advertising.

Downing and Dr Perakslis reviewed the companies’ websites for third-party ad trackers and looked at whether use of these ad trackers complied with the companies’ own privacy policies. They also looked at Facebook’s ad library for each participant to determine whether health data obtained through these companies influenced the types of ads that the participants were seeing.
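One way to reproduce the first half of that check on a single page is to list every host the page asks the browser to fetch from, separate first-party from third-party hosts, and compare the third parties against those a privacy policy actually discloses. The script below is an added illustration written for this article, not the investigators' own tooling; the sample page, the fictional site domain, the policy allowlist and the short list of tracker hostnames are all constructed here, and the domain splitting is a deliberate simplification (a real audit would use the Public Suffix List and a live crawl).

```python
"""Audit one HTML page for third-party resource loads and compare them with the
third parties a privacy policy claims to use.  Constructed example: the page,
the policy allowlist and the tracker hostname list are invented for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames commonly associated with advertising/analytics loaders
# (illustrative, deliberately short; not an exhaustive tracker list).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net",       # Facebook Pixel script loader (fbevents.js)
    "www.facebook.com",           # Facebook Pixel image beacon (/tr endpoint)
    "www.googletagmanager.com",   # Google Tag Manager container loader
}


class ResourceCollector(HTMLParser):
    """Collect every URL the page asks the browser to fetch."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels.  Adequate for the .com/.net
    hosts in this example; use the Public Suffix List for real audits."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def third_party_hosts(html, site_host):
    """Hosts the page loads resources from that are not the site's own domain."""
    collector = ResourceCollector()
    collector.feed(html)
    site_domain = registrable_domain(site_host)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and registrable_domain(host) != site_domain:
            hosts.add(host)
    return hosts


def audit_page(html, site_host, disclosed_third_parties):
    """Compare observed third-party hosts with those the privacy policy discloses."""
    observed = third_party_hosts(html, site_host)
    disclosed = {registrable_domain(d) for d in disclosed_third_parties}
    undisclosed = {h for h in observed if registrable_domain(h) not in disclosed}
    trackers = {h for h in observed if h in KNOWN_TRACKER_HOSTS}
    return {
        "third_party_hosts": sorted(observed),
        "known_trackers": sorted(trackers),
        "undisclosed": sorted(undisclosed),
    }


# Constructed sample: a fictional genetic-testing site's landing page.  Its
# policy (below) mentions an analytics vendor but says nothing about Facebook.
SAMPLE_HTML = """<html><head>
<script src="https://static.example-genetics.com/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<link rel="stylesheet" href="https://cdn.example-genetics.com/site.css">
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1"></noscript>
<iframe src="https://www.example-genetics.com/chat"></iframe>
</body></html>"""
SAMPLE_POLICY_THIRD_PARTIES = ["googletagmanager.com"]  # constructed policy disclosure

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "www.example-genetics.com", SAMPLE_POLICY_THIRD_PARTIES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it against the constructed page reports three third-party hosts, all on the tracker list, and flags the two Facebook hosts as undisclosed because the sample policy only names the analytics vendor. The same comparison is the piece that separates "uses ad trackers" from "uses ad trackers its policy does not admit to", which is the distinction the study draws.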

“We demonstrated that personal data and personal health data can be easily obtained without the aid of highly sophisticated cyberattack techniques but with rather commonplace third-party advertising tools,” the authors wrote in a paper published in the journal Patterns.

They also observed, “While tools we identified are not inherently good or bad, applying commonplace advertising tools designed for social media marketing can expose sensitive health information in the form of leads. These marketing tools reveal a dark pattern used to track vulnerable patient journeys across platforms as they browse online, in some ways unclear to the companies and patient populations who are engaging through Facebook.”

The authors say they hope these new data trigger an overdue dialogue about health privacy and how it affects specific patient populations.

In an interview, Dr Perakslis pointed out that physicians’ role regarding protected health information is spelled out under HIPAA, but this is not the case for marketing software designed to spread data as prolifically as possible. “Everyone needs to be really careful about what software they use,” Dr Perakslis said. “Most people don’t know what the apps do, and many people have hundreds [of apps].”

The 5 companies included in the analysis provide information or services (including genetic testing) related to inherited cancer risk. The investigators determined that 2 of the companies’ targeted ads were consistent with their own privacy policies. The other 3 did not comply with their own policies and claims of privacy.

Angie Raymond, JD, PhD, Director of the Program on Data Management and Information Governance at Indiana University and with the Department of Business Law and Ethics at Kelley School of Business, Bloomington, Indiana, said the privacy community did a great job of moving HIPAA into the common vernacular. However, it did a rather poor job of explaining the limitations of the key terms “health” and “covered-entity.” Dr Raymond said this is where things begin to fall down. “It is really leaving people and their health data very vulnerable. We need to do much better,” Dr Raymond said.

Dr Raymond believes privacy protections need to be designed into the technologies that people use. “We do need to move existing protections into a digital world,” he said. “We may need to consider building protections in some new areas that have emerged because of the ubiquitous nature of the digital world and aggregation of data. But, without design we will likely keep chasing our tails.”

Michael S. Sinha, MD, JD, MPH, Assistant Professor in the Center for Health Law Studies at Saint Louis University School of Law in Missouri, said when HIPAA was established, Congress had not contemplated the issue of “mining” PHI from a patient’s online portal or other PHI platform—often without their knowledge or consent—for advertising purposes. Dr Sinha would like to see new federal legislation passed that specifically addresses patient privacy rights.

“This is an emerging problem in health privacy,” Dr Sinha said. “Technology has advanced, real problems are manifesting, and it is time for policymakers to act. Passing new comprehensive health privacy legislation that addresses these critical issues by closing privacy loopholes is an important next step.”

This article originally appeared on Renal and Urology News