- There are an increasing amount of potential patient data privacy risks as technology continues to evolve, meaning policymakers need to strengthen privacy rules, according to a recent contribution on The Century Foundation.
Patient health information can be anonymously sold and traded to third parties for numerous reasons, some of which – such as research purposes – can be beneficial to the larger population, wrote Adam Tanner of Harvard University's Institute for Quantitative Social Science.
However, there are also more potential threats to patient data. For example, social media platforms, fitness devices, and health applications can supply advertisers with extra data that can be openly traded and sold, without having to remove patient names or details.
“Online retailers selling health care products, such as books on back pain, or arm braces, can sell user profiles listing these items,” Tanner explained. “It is no accident that a person with, say, carpal tunnel syndrome may see more Internet ads for products that match their specific medical condition: marketers may either know, or infer, someone is a receptive audience for their pitch.”
Even if organizations claim to have anonymized data, as that information is gathered over time, enough clues could be put together to re-identify individuals.
While HIPAA regulations have restrictions on data sharing and dictate how information must be de-identified, HIPAA only applies to covered entities and business associates, Tanner noted. Furthermore, patient data could potentially be sold to outside organizations in situations unrelated to patient care.
“For example, a doctor or a lab performing tests on a cancer patient can sell the findings to a commercial company, provided they remove eighteen types of identifiers or have a statistician determine that there is a ‘very small risk’ that the person could be re-identified.,” he wrote. “Few patients have any idea about this exception, which has allowed a multi-billion-dollar trade to evolve.”
Tanner also addressed the issue of data brokers, which will assemble and sell access to individuals’ information. This data can be exempt from HIPAA rules as it is gathered outside of healthcare providers, health plans, and any intermediaries. The data can be gathered through public records, surveys, loyalty programs, social media, and commercial data such as magazine subscription lists.
“Consumers feed their information to these data brokers unwittingly because they do not understand the implications of health-related information shared outside a doctor’s office,” Tanner pointed out.
In terms of policy recommendations, Tanner suggested that protections broader than HIPAA regulations are now necessary. Patients should be granted more control in how their data is handled.
Specifically, Tanner recommended the following ways to improve patient data security:
- Extend privacy protections to anonymized data
- Broaden protections to more types of health-related data
- Explain sharing choices in plain English
- Empower patients to decide on sharing data
- Support non-commercial research using patient-consented data
- Encourage public discussion of this complicated issue
Patients need to be confident that the nation’s health system will keep their data secure. The threat of a healthcare data breach is just one way that sensitive data could fall into the wrong hands.
“Patients need to gain control over the fate of their medical information, whether identified or anonymized, and they should be able to determine whether or not to share such data for science or commerce,” Tanner stated. “People must feel assured that what they tell health practitioners behind closed doors will stay private and not become a commercial product without their consent.”
Several of Tanner’s proposals have previously been discussed by federal agencies. For example, the Office of the National Coordinator (ONC) urged better regulatory adherence in 2016 with mobile applications.
Technologists, clinicians, or even patients work on developing healthcare applications need to ensure that they are keeping mobile application security a top priority, ONC maintained.
The agency also collaborated with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the HHS Office for Civil Rights (OCR) to create an informative online tool.
“This interactive tool helps guide developers through a short assessment of their app with a series of questions about the nature of the app, including its function, the data it collects, and the services it provides to its users,” ONC Chief Privacy Officer Lucia Savage, J.D. and ONC Senior Health Information Privacy Program Analyst Helen Caton-Peters, MSN, RN explained in a blog post.