As new technologies become integrated into the healthcare system, data collection and use are raising concerns about patient privacy. Though the Health Insurance Portability and Accountability Act (HIPAA) regulates how information about patients can be shared, the scope of the policy means that many newer channels fall outside of its purview. The challenges of data availability and privacy were outlined in a recent perspective in Circulation.
Though some assume that HIPAA covers all health-related data, it does not protect deidentified information, or data from entities not covered by the act. This excludes a large amount of health data from the scope of HIPAA, including data that could be reidentifiable. Smartphone apps are one example of this. A recent study showed that 19 medically related apps shared data with 55 individual entities. Users may not realize that, for instance, a nutrition app combined with smartphone location tracking could be used to infer food choices and make health predictions.
Similarly, patients’ online activity could play a part in how data is dispersed. A combination of search terms, sites visited for symptom or disease information, and even personal health stories shared online could be used by third parties to triangulate patient information. Because much of the data that travel via mobile device or online is unregulated, stakeholders including advertisers, search engines, and credit card companies could seek patients’ data for sale to third parties. A potential concern stemming from this is the creation of “health scores” built on patient data, which could inform insurance coverage or even employment. Because much of this could be correlated using nonhealth data, it may not be covered under nondiscrimination laws.
The researchers identified 2 main areas of concern that should be addressed by healthcare professionals. Clinicians should educate themselves on how to safely use digital data to educate patients on the topic. For instance, patients should understand which kinds of data are covered by HIPAA and which are not. Healthcare providers can also advocate for better legislation surrounding the use of health information, which might resemble the General Data Protection Regulation that is present throughout the European Union. Though policies like HIPAA have been in place for some time, the United States should create additional, updated regulations on the protection of health data. Overall, concerns around data sharing should be taken into account when it comes to health-related data to ensure patients’ safety and privacy. If used with care, ease of data collection and sharing can be of great benefit to both patients and providers.
Golbus JR, Price WN, Nallamothu BK. Privacy gaps for digital cardiology data: big problems with big data. Circulation. 2020;141:613-615. https://doi.org/10.1161/CIRCULATIONAHA.119.044966.