Medical Data & Patient Privacy: An Update

When it comes to the handling and dissemination of patient information, is it possible that a free market and data privacy are incompatible? The short answer, unfortunately, is yes.

To be more specific, without regulation and government oversight, the health insurance market in this country has become essentially free to do whatever they want with our information — regardless of whether that information is directly or indirectly tied to our medical health.

Beyond the obvious problem of data breaches, how is our information being willingly used by insurance marketers without our consent? (Does that question make you mad? It should: That’s “free market capitalism” applied to healthcare for you.)

Inference vs. Fact

NPR’s recent expose on health-related companies such as health insurance firms, data brokers working for wearable technology companies, etc., are making a profit off our personal health information.

Think of those instant alerts that show up on your phone whenever you enter a restaurant or store these days. That’s one example of targeted marketing. But health insurance companies are doing the same thing — or attempting to do so, at least — with our predicted healthcare costs. Notice I wrote predicted rather than actual.

According to data scientist Cathy O’Neil, “[Drawing] conclusions about health risks on such data could lead to a bias against some poor people. It would be easy to infer they are prone to costly illnesses based on their backgrounds and living conditions … ” O’Neil’s book, Weapons of Math Destruction, examines algorithms and their potential to increase inequality.

Marshall Allen, the NPR journalist who reported on these findings, decided to look into his personal data file by inquiring via LexisNexis here. And speaking of the internet, according to Dr. Marco Huesch, you might want to go Incognito next time you do a Google search for healthcare-related information — due to the whole third-party data detection thing.

But it’s not just health insurance companies you need to watch out for, in addition to retail marketers. Now medical and healthcare-related resource websites are potential culprits too!

HIPAA vs. GDPR

You may be asking, “What’s the difference between the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR)? One notable characteristic of GDPR is its emphasis on purpose limitation and demonstrable compliance, according to Robert Lord. One interesting reason the differences are so prominent — as reflected in the flood of GDPR-related security and privacy policy emails we all received last month — is related to the fact that GDPR is an EU-related regulation.

Though the U.S. and the EU differ greatly in many ways, perhaps the biggest difference is the presence of more government regulation when it comes to healthcare in the EU — largely because healthcare is controlled by state-sponsored providers rather than private companies.

Because of the value of patient data to companies hoping to appeal to patients with specific health concerns such as diabetes, the strategies healthcare professionals use to protect data — such as using firewalls, installing pop-up blockers, and backing up data — are of no use once that data is out in the world through the use of the latest medical app or wearable device.

Personal Safeguards

So how can we be more vigilant about protecting our personal data? First, be careful to note what you need to opt out of so as not to be noticed — for example, your location data on your phone, or your search strings (hint: use Incognito). Also, be careful of “Liking” or sharing posts on Facebook and Instagram — since social media sites track every online decision and app download we make.

Also — and again, most importantly — there’s this little problem of lack of regulation, especially when it comes to the internet. With a more laissez-faire congress in office, the recent reversal of privacy regulations affecting internet service providers allows ISPs to sell consumer data without asking for their permission.

This is why new GDPR regulations sent a flurry of emails into our inboxes: Because any corporation handling data belonging to citizens of the EU — which is, in this era of globalization, most of them — must disclose their privacy policies and alert customers to their rights as consumers to retract their permissions.

Unfortunately, all this usually amounts to is a new jargon-full privacy policy that we never read. Ryan Kh cites a recent global survey that found 15 percent of computers out of 2,935 health organizations were running older or outdated operating systems — making them more vulnerable to malware and cyberattacks.

Mobile healthcare apps still have catching up to do, as well — needing to solidify their data encryption and user-based access to information. Since app developers are often more interested in developing new technologies than heightening app security, it’s up to users to either delete apps after use or diligently install updates and VPN encryption programs on their mobile devices.

*   *   *

Ultimately, it’s up to consumers to safeguard their own personal data. We need to be extremely careful of how and where we share any personal information — even details that seem innocuous and unrelated to our physical or mental health.

Until there are more vigilant government regulations of data brokers and marketing analysts, we should keep information “close to the chest,”
so to speak, to avoid seeing negative effects in our health insurance premiums or public records.

What is your experience with data sharing either as a consumer or as a healthcare provider? Share your thoughts in the comments section below.