By Diane Harrison of healthpsa.info
Whether it's an app that promises to help you sleep better or a genetic testing company offering insights into your health and heritage, it seems like there's a new health-based tech company emerging every day. But have you ever stopped to think about how these helpful companies make their money? While buying apps and DNA test kits generates revenue for health tech companies, for some, the real profit is in selling the health data they collect to third-party companies.
Companies like Hu-manity.co are stepping in and offering consumers the opportunity to reap the profits of their personal health data themselves, but what if you'd rather not put your personal data out into the world at all? If you're concerned about the security of your health information, here's what you need to know.
Who Is and Isn't Required to Protect My Personal Health Information?
- The HIPAA Security Rule "creates a series of guidelines for making sure that healthcare organizations, other covered entities, and business associates safeguard the confidentiality, integrity, and availability of ePHI created, received, maintained, or transmitted."
- According to the Department of Health and Human Services, the entities that must adhere to HIPAA regulations include health plans, healthcare providers, and healthcare clearinghouses, in addition to businesses associated with these covered entities.
- HIPAA Journal: "Patients should be aware that just because health data is collected, stored, transmitted, or used by an organization, it does not necessarily mean that health and personal data will be subject to HIPAA Rules. Also, breaches of health data at non-HIPAA-covered entities will only require notifications to be issued if the breached information is covered under state breach notification laws."
- "Medical information you share with apps and websites is not protected under HIPAA. Carefully read the privacy policy before using any electronic health and wellness tools. It's also wise to refrain from posting personal information in online support groups or on social media," states Pinnacle Care.
Why Should I Be Worried?
- Huffington Post: "Here's the reality of life as a wearable device owner: There's no doctor/patient privacy or patient privacy or any privacy for that matter. Monitoring your health and collecting data is like publishing your own medical autobiography online," says Mark Weinstein, privacy advocate and CEO of MeWe.
- "When Google or Facebook combines its troves of non-health-related consumer data with highly sensitive medical data, it creates digital health profiles with no external validation of accuracy, without consumers' consent or ability to opt out. As tech companies move into health care, these digital profiles will become part of our medical records, with the potential to shape the care we receive, the resources we can access, and the bill we pay at the end," Slate says.
- "Although companies say the data being shared has been anonymized, 'it's not that hard to combine data from a number of sources to figure who you are,' ... said Jennings Aske, senior VP and CSO, NewYork-Presbyterian Hospital," explains Reuters.
How Can I Protect Myself?
- "Do your research before you buy. Devices become smart because they collect a lot of personal data. While collecting data isn't necessarily a bad thing, you should know about what types of data these devices collect, how it's stored and protected, if it is shared with third parties, and the policies or protections regarding data breaches," recommends Norton LifeLock.
- In a Spectrum interview, Guillermo Sapiro, professor of electrical and computer engineering at Duke University, says that it's typical for developers to collect data through apps, but the onus is on them to explain to users that specific information is being collected and what they plan to do with it. If a third party is going to have access to that information but the disclosure "is buried in 75 pages of consent" ... "I would call it dishonesty from the provider."
What Medical Practices Can Do to Protect My Personal Information
- Health IT Security: "The HIPAA Privacy Rule states that health plans and healthcare providers need to have a notice of privacy practices (NPP). This is information explaining to patients how their PHI is going to be used and disclosed at a particular organization, and specifically what their individual privacy rights are."
"The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity's obligations with respect to that information," HHS explains on its website. "Most covered entities must develop and provide individuals with this notice of their privacy practices."
- "Experts recommend that healthcare organizations perform risk assessment sessions on a regular basis to determine the vulnerabilities of their systems. By identifying weak links within their data security systems, healthcare organizations can effectively fix any issues before they arise. HIPAA compliance rules mandate for healthcare organizations to conduct a security risk assessment annually or as changes to electronic systems occur," explains The Doctor Weighs In.
Unfortunately, there's not currently a way for consumers to take advantage of the services offered by health tech companies without exposing their data to third parties. However, by understanding which organizations are and are not bound by HIPAA and reading terms and conditions before agreeing to them, consumers can avoid exposing their personal data without their knowledge or consent.