Privacy At Risk

Ask the DOC

For most of recorded human history, personal health information has been collected, maintained, and analyzed mostly by healthcare professionals within the scope of diagnosis and treatment. This has been codified in our laws, especially by the Health Insurance Portability and Accountability Act, better known as HIPAA. The law governs the use, storage, and sharing of health records and it applies only to healthcare providers, insurance plans, and the plans’ “business associates.” Unfortunately, recent technological advances have shattered this sphere of protection of personal health information. Take, for example, last year’s Facebook fiasco involving Cambridge Analytica. The company used private data from millions of Facebook users, allegedly without their consent. Most people were not aware that Cambridge Analytica’s client list included the political campaigns of Donald Trump, Ted Cruz, NYU’s Langone Hospital, and another major insurance provider, London-traded Hiscox Ltd. The public remains largely unaware of the threats to their personal health information from new and developing technologies.

Many people, especially younger people, use fitness trackers, smartphones, and smartwatches that collect and record biometric data. Direct-to-consumer genetic testing is available, and these services analyze and sell our entire family history. Software applications and websites are used by consumers to motivate, monitor, and share their progress toward a healthy lifestyle. All these internet-based devices and services share one thing in common – namely that HIPAA does not apply to them. There is essentially no protection from their collecting and sharing of personal health information. We are increasingly sharing our most sensitive personal information with corporations, governments, and neighbors—sometimes know­ingly, often unwittingly—without any of the protections we previously demanded when the same data was in the hands of licensed medical experts.

There are a number of risks and potential harms included in this phenomenon. The first type of harm is the very act of privacy violation itself. Confidentiality is a cornerstone of our healthcare system. Without it, patients lose trust in physicians and medical institutions and shy away from participating in research studies. Secondly, firms may have greater opportunities to discriminate against employees and job applicants based on preexisting conditions, disabilities, or genes. While this discrimination is prohibited under the Affordable Care Act, the Americans with Disabilities Act, and the Genetic Information Nondiscrimination Act, these laws share one exception. Employers are allowed to collect data from “voluntary” workplace programs, many of which use digital devices and websites that track private behavior. Even if the data is used illegally, it will be hard to prove it wasn’t obtained legally. Thirdly, new technologies may have adverse health impacts if they are used without medical oversight, construed as a medical device, or are tied to a medical diagnosis or treatment without demonstrating necessary efficacy.

By one estimate, 70 percent of these devices share user information without encryption. Also, the digital health movement may wind up penalizing those who do not use or understand it. Employers may reward those who use it to the detriment of those who do not. Instead of starting endless investigations, Congress needs to start doing its job and update existing laws or write new ones that will protect the people they are supposed to represent from harm from emerging and new technologies.

Questions and comments may be sent to This email address is being protected from spambots. You need JavaScript enabled to view it..


Sign up via our free email subscription service to receive notifications when new information is available.