The law should do more to regulate how companies, particularly those in the emerging information technology field, can collect and transfer personal health data, according to a viewpoint article published in JAMA.
People often reveal detailed, sensitive data about their health via new technologies. Wearable devices, social media, web searches, and online patient communities all contribute to the large volume of health data that companies then have access to. Although many people believe their privacy and data are protected, this is untrue.
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 to regulate the collection, storage, and disclosure of identifiable health data. However, HIPAA only applies to certain entities, such as health plans, clearinghouses, healthcare entities, and clinicians. It does not apply to social media and apps.
With no laws to protect the health data collected online, it can be solicited, aggregated, analyzed, shared, and sold without regulation. Companies, the authors argue, should not be able to use these data without the person’s informed consent.
To protect these sensitive data, new data protection laws need to go beyond the entities covered by HIPAA.
“Doing so would allow individuals to share their information with greater awareness of downstream uses. At the same time, it would permit companies to use that information for everything from advertisements to wellness apps. The increased transparency would also foster public trust in emerging information technologies,” the authors wrote.
Gostin LO, Halabi SF, Wilson K. Health data and privacy in the digital era [published online June 20, 2018]. JAMA. doi:10.1001/jama.2018.8374