Digital Health Mission 360°

Unveiling health data vulnerabilities: The growing threat to our digital health data privacy and confidentiality


Difference between data security and privacy, as well as their contemporary regulatory enforcement

Although data privacy and security are interrelated concepts, they are distinct in that data privacy concerns who can access a particular dataset. It also covers how that data is shared and to whom it is shared. Data security, on the other hand, is mostly about preventing unauthorized access and breaches.

 

Like many aspects of any regulated industry, the health industry in the U.S. is mandated by some laws to uphold these essential concepts. The most prominent is the 1996 Health Insurance Portability and Accountability Act (HIPAA) [1]. Another is the 21st Century Cures Act (2016), which restricts information blocking and ensures patients can access their data.

 

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 encouraged the adoption of the electronic health record (EHR), interconnectivity, and the meaningful use of its data.

 

Some states have enacted further data protection laws like the California Consumer Privacy Act (CCPA).

 

On a global scale, the General Data Protection Regulation (GDPR) by the European Union remains the most expansive data privacy and security law covering any entity that interacts with EU population data [1].

 

What is the big deal about digital health data privacy and confidentiality?

 

Although data privacy has always been an important issue, the recent COVID-19 pandemic and its consequences for how we conduct healthcare business have rendered data privacy/security as important as an “ankle sprain” that an Olympic sprinter cannot ignore.

 

The pandemic accelerated the dependence on many digital health tools, which were struggling to gain broad acceptance. Telehealth services, remote patient monitoring devices, and patient-generated data with health apps have mushroomed with their associated data generation.

 

This increased data comes with more vulnerability, loss of data privacy, and insecurity because we were logistically unprepared for the sudden high dependence on digital health tools.

 

Landmines for data privacy abuse: Safeguarding health app data privacy is a matter of urgency

  

The law increases confidentiality and privacy protection for mental healthcare. Due to the sensitive nature of mental health information, there is an extension of protection beyond the HIPAA law. This law, 42 CFR Part 2, seeks to guarantee that the patient's treatment records are not used against them.

 

An analysis of 12 major substance-use-focused virtual health platforms showed they all used technology that identified and shared information about their users with third parties, such as Facebook, Google, and other data brokers, for sale [2].

 

Apart from diagnosis and prescription data, they also shared granular data with typing, scrolling, and mouse movement trackers, which recorded typed information but did not send it.

 

The Opioid Policy Institute investigation found that several apps for addiction treatment are accessing personal identifiers and sharing these sensitive data with third parties without patients' consent [2].

 

Also, a study of 10 popular opioid treatment apps on Android showed that information like users' locations, phone numbers, other installed apps, and IP addresses was accessed and shared with third parties. These apps have been installed at least 180,000 times and have received more than $300 million in funding from investment groups and the federal government [3].

Patients' health data in pharmacies are commodities to the highest bidder without patient consent.

During the pandemic, CVS Health Corp., Walmart Inc., and Walgreens Boots Alliance collected data from millions of patients who signed up to get the COVID-19 vaccine through their portals. These retailers "declared" that they are using the information to promote their stores and services, tailor marketing, and "keep in touch with consumers" [4].

 

Did patients consent to use their data for purposes other than streamlining vaccinations? Your guess is as good as mine.

 

GoodRx, a discount prescription platform, was forced to pay a $1.5 million civil penalty by the Federal Trade Commission due to a health data privacy violation. They sold sensitive patient information to third parties, including Facebook and Google, for targeted advertising without the patients' consent [5].

 

Even scarier, they shared a list of email addresses, phone numbers, and mobile advertising IDs with Facebook so that the matching profiles could be tagged for health-related advertisements.

The over-commoditization of patients as walking dollar bills will fester if we expect the digital health industry to self-regulate without guardrails in place.

 

The privacy of your healthcare data shares an inverse relationship with the activities of emerging healthcare data brokers.

Healthcare data brokers quietly traffic Americans' health data without their knowledge or consent. They acquire millions of patients' data from the electronic health record (EHR) system and evade the HIPAA regulation by de-identifying the data [6].

 

The data becomes "gold" as they link each piece of data to a massive trove of insurance claims and financial details tied to the patient's medical problems, prescriptions, and doctor's visits.

 

This curated patient data is then sold for hefty licensing fees to insurance companies, pharmaceutical companies, marketing agencies, and other businesses for marketing, product development, research, etc. [6]. All this "horse" trading with patients' data comes at the expense of patient confidentiality and privacy.

Digital health 360 degrees lens

We are not against targeted advertising. However, with sensitive health data, the consent process must go beyond the "fine print." Third parties can infer far more information about a patient from prescription history, even when the data is de-identified.

 

These unethical acts appear to be the "industry standard." Unfortunately, it is almost impossible to prosecute any of the culprits. Although their actions are unacceptable, they are borderline legal because browsing history is not precisely medical information and is not covered by HIPAA and Part 2.

 

The over-commoditization of patients' existence and the view that they are nothing but "walking dollar bills" is harmful. Are we supposed to fold our arms and wait for the digital health industry, whose sole purpose is profit, to self-regulate? At the end of the day, until regulators update the laws, patients will continue to be exposed to these risks of lack of privacy/confidentiality of health data.

 

The 42 CFR Part 2 federal regulations addressing sensitive mental health data security are far behind technological advancement: they do not mention "apps" or similar digital health data. Thus, there is a need for quick government regulations and an overhaul of HIPAA.

 

For starters, the government should mandate essential guardrails for health data privacy and confidentiality when government funding is involved in developing any digital health platform.

 

For patients and patient representatives, the take-home lesson is that you should take with a grain of salt all those promises of "we keep your data safe" or "we are serious about your privacy." There is so much $$$ at stake, and it makes these platforms care less about your data privacy.

 

References

1. HIPAA Act and summary of other laws, Gaine Tech, 2023; https://gaine.com/blog/mdm/evolving-data-privacy-regulations-in-healthcare/
2. Digital mental health apps share patients' data; https://bit.ly/3Zxs1AM
3. Opioid apps abuse data privacy; https://tinyurl.com/34ct8x4s
4. Pharmacies use COVID data for targeted advertising; https://tinyurl.com/yue3wkha
5. GoodRx selling patients' data; https://bit.ly/41oSyCk
6. Healthcare data brokers abuse of confidentiality; https://bit.ly/3x4bV6S
 
