Hidden Threats to Healthcare Data Privacy Outside of HIPAA Protections

As the digital world rapidly expands, personal data has come to be considered a new class of valuable assets. This detailed information on consumers’ daily activities, transactions, and movements can be used to build predictive models and profiles of individuals. However, the collection and storage of personal data by healthcare providers and third party vendors has raised widespread public concerns about data privacy.

Particularly in healthcare, a growing amount of personal data, such as health-related web searches, credit card payments, and pharmacy visits, is being generated outside of protections found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a standardized legal framework that regulates patient data usage during and after treatment, payment, and other healthcare-related activities.

Sharing personal data can sometimes support the public good—for example, mining digital medical records for previously unobserved trends can contribute to important healthcare research and innovation. However, the increasing amount of data generated outside of HIPAA protections introduces new threats to data confidentiality and privacy, potentially undermining the trust between doctors and patients.

In a new study, Tasha Glenn and Scott Monteith discuss the major sources of healthcare data generated outside of HIPAA regulations. The researchers then examine the analysis and trading of this data by third party data brokers, and consider how this affects data privacy and traditional doctor-patient relationships.

The authors first provide an example of how a patient might disclose personal data outside of HIPAA protection while undertaking routine healthcare activities. For instance, when a patient looks up driving directions to a health facility, the visit website information will be collected by the navigation website content provider. Other sources of personal health data include credit card payments for physician visit co-pays, over-the-counter medications, home testing products, tobacco products, health foods, items related to disabilities, and visits to alternative medical practitioners. Additionally, less tech-savvy patients may volunteer medical information unintentionally online, for instance when registering with pharmaceutical websites for drug discount coupons. About 75 percent of consumers use the Internet to search for health information, and about 75 percent of health websites contain third party tracking elements.

There are many other sources of outside-of-HIPAA data. Employers that do not fall under HIPAA can also collect personal healthcare data. These employers include gyms, fitness clubs, wellness providers, banks, medical researchers, health fairs, transit companies, companies with fewer than 50 employees, and state and government employers. There has also been an explosion of self-management mobile applications that help patients monitor their health status. However, the vast majority of these applications are controlled by software vendors outside of HIPAA regulations that are able to freely collect sensitive data like heart rates.

Data brokers link these personal health data with other available records to create and sell a variety of products. However, as Glenn and Monteith note, consumers are unable to control what personal information is collected, used, and shared by data brokers. They are also unable to realistically trace the sources of these data, since data brokers routinely trade data with one another. Furthermore, patients may not even be aware that their health information has been leaked by a third party and used for commercial purposes. In addition to these privacy concerns for non-HIPAA-protected data, data breaches of medical information actually protected by HIPAA, such as confidential medical records, are also increasing. As the authors point out, the fragmented nature of the US healthcare system makes data breaches particularly difficult to control, since a breach usually involves many organizations.

According to Glenn and Monteith, there are serious consequences when patients fear that their privacy is at risk. Patients may feel reluctant to share personal data with physicians, or become selective about the information they provide and offer only an incomplete description of their conditions. According to national survey findings, 48 percent of the respondents reported they would hide information from their doctors if it was shared through an Electronic Health Record (EHR), and 25 percent would withhold information or postpone seeking care if they had a sensitive medical condition. As public awareness of the large amount of health and medical data collected outside of HIPAA increases so will public concern about data security and privacy. This may make people more reluctant to reveal information to, or seek help from, physicians.

To facilitate better protections for healthcare data collected outside of HIPAA, there is a pressing need for collaborations of medical, legal, consumer, and technical expertise. The first step is to recognize the scope of the data outside of HIPAA protections. In the meantime, it is necessary to ensure that both physicians and patients are aware of this problem in order to reduce further data leakages.

Article Source: Glenn, T., & Monteith, S. (2014). “Privacy in the Digital World: Medical and Health Data Outside of HIPAA Protections.” Current Psychiatry Reports, 16(11), 1-11.

Feature Photo: cc/(benben)