Insurance & HIPAA Privacy? MITRE-Harris Poll Examines Dark Side of Insurance Privacy
Here’s a chilling thought: healthcare practitioners, as well as health insurance companies and other employers, routinely search through private and public sources for consumer-generated health data related to client and patient spending and streaming habits. This is nothing new. A 2018 article by Politico entitled, Does Your doctor Need to Know What You Buy on Amazon? reported:
Google, Amazon, insurers, and credit card companies have long been able to tell whether you vote, own a dog, spent time in prison or drive a rusty 1997 Chevrolet. Now, that type of information is starting to pop up in front of doctors when you walk into their examination rooms. A small but fast-growing number of technology companies, including data brokers LexisNexis and Acxiom, sell health care providers detailed analyses of their patients, incorporating criminal records, online purchasing histories, retail loyalty programs and voter registration data.
The issue of provider’s search for (“Googling” client or patient data)and the accumulation of information that has not been shared by the client or patient has long been regarded as an ethical issue of hot debate in the behavioral community. Articles have been written on the topic for over a decade, including the call for ethical guidance from the national associations for their members. However, as with many other thorny digital health ethical issues, the rapid expansion of technical capabilities cannot be expected to wait for professional groups to weigh in.
Adding fuel to the existing fire of controversy around digital privacy protection, insurers are now routinely engaging the services of the wholesale compilers of consumer personal information. They reportedly purchase and otherwise collect such information to build profiles to review with analytic software to identify consumer behavior patterns, including the purchasing, membership, and other online activities of unsuspecting consumers. For example, they can collect music or television streaming information about the clients to whom they sell insurance coverage. Such information is routinely screened to help build profiles of their customers to “predict potential health care costs.”
What do consumers know?
An estimated 90% of Americans are unaware of the extent to which their personal information is used by their insurance carrier. Only one in ten Americans think health insurance companies access their personal habits. An organization called MITRE recently conducted a poll with Harris to measure consumer awareness of insurance company activities related to the creation of “profiles” to help them “better serve” the people who pay them for services. Called the MITRE-Harris Poll, the June 2020 survey of 2,065 adults (aged 18 and over), found that consumers are “largely unaware” of the extent to which the insurance industry, including health insurers, can acquire common types of Consumer-Generated Data (CGD), such as online shopping history. The information comes from a variety of sources, including data brokers. Unlike Protected Health Information (PHI), CGD is not legally protected from the peering eyes of anyone who cares to pay the price.
There are clear gaps in attitudes towards, and understanding of, lifestyle data privacy and its use by industry — this trend is also particularly noteworthy when looking at differences based on ethnicity, where the research shows 10% to 20% gaps between white, Black, and Hispanic Americans.
Erin Williams, Executive Director for Biomedical Innovation at MITRE also stated:
These results reinforce that a significant gap exists between what we believe our insurance companies and employers know about us personally, and what they actually do. Americans need more education about the ways third parties are accessing and using their consumer-generated data. But it really shows that companies have an obligation to be more transparent about what data they are collecting from third parties.
On the whole, the poll showed that consumers want to have control over the entities sharing their personal information, but many are willing to exchange privacy for safety or convenience. Responses varied on the basis of age of the person or their geographic location, as well as ethnicity. Further, the responses varied by sex, with 56% of men being more willing than females to trade privacy for convenience. More than three-quarters of respondents (77%) don’t believe any data privacy exists currently. Approximately 60% of people polled stated they believe the mining of information by insurance companies is acceptable if the information recovered was used to create health promotion activities. However, for the majority of people, it was not acceptable for insurance companies or employers to collect information about them based on social media or binge-watching activities. Despite these clear consumer preferences, these activities will most likely continue unabated because such practices are legal.
What about in national emergencies? Do you care to share?
Interestingly, 70% responded that they think there’s an obligation to share personal health information to stop the spread of diseases. However, when it comes to COVID-19, people were not enthusiastic as much about providing personal information to a National Database related to COVID-19. Notably, 36% of people would be willing to share their temperatures, whereas only 29% would be willing to share their location. As for sharing chronic illness information, only 25% would be inclined. Yes, sharing is important, but not if I have to do it… These data points are relevant because the success of a COVID-19 contact tracing app is reliant on the eagerness of the public to trust the platform with their health information. HIPAA might not cover these types of apps.
To review, the key findings from the MITRE-Harris Poll survey include these below:
- 70% of respondents believe there is an obligation to share personal health information to stop the spread of disease.
- 77% of those surveyed don’t believe any data privacy exists in today’s world.
- Consumers want control over who shares personal information.
- Consumers don’t trust social media companies with their personal health information.
Where does report this leave you?
We at the Telebehavioral Health Institute (TBHI) respectfully submit two questions for your consideration and comment below:
- What are we obligated to tell our clients or patients about the information we gather about them, without their expressed permission?
- What is our legal and ethical obligation to inform our patients and clients about the privacy of the information given to insurers not only by us but by others such as data brokers?
From our experience in training and assessing more than 38,000 professionals over the last 26 years, we can conservatively say that most clinicians that we have encountered have not yet considered the pros and cons of Googling their clients or patients and what it can mean to the therapeutic relationship. We also can say that most practitioners today are not sufficiently aware of HIPAA, let alone how to advise a consumer about how to protect themselves with regard to CGD.
What then is a responsible practitioner to do if a client or patient asks us for guidance regarding these digital privacy issues? By publishing this article, TBHI hereby calls for professional education and training organizations to add this issue to the growing list of topics in digital ethics classes. We encourage everyone reading this article to comment below, and if you are currently taking any of our training courses related to privacy, please bring us this issue for discussion in TBHI’s Community Discussion Forums.
Your TBHI Professional Training Options
TBHI specializes in teaching you how to relax when delivering telehealth. It offers you a step-by-step learning path of online training that helps you be legally and ethically compliant, clinically proficient, and able to handle even the most difficult of clinical scenarios. Take advantage of COVID discount pricing to learn how to sit back and enjoy your telehealth experiences, rather than struggling with ZOOM fatigue and clinical uncertainty. All courses are evidence-based, available 24/7 through any device and most count toward legal and ethical requirements for licensure. Two micro certifications are also available.
- Telehealth Group Therapy — Exciting, highly interactive telehealth learning experience designed to get answers to your questions about legally and ethically managing telehealth group therapy. Digital class will allow you to connect with colleagues ahead of time to ask questions and share answers. Distinguished faculty will lead you through telehealth group therapy theory and exercises.
- Telehealth Clinical Best Practices Workshop — Live, interactive webinar, w/ 4 CME or CE hours to discuss preventing and handling complex clinical issues.
- Course Catalog
- Micro Certifications to give you a broader range of legal and ethical grounding, and allow you to distinguish yourself as a TBHI-credentialed professional on your websites, in social media, directories and other areas.
Baker, M. J., George, D. R., & Kauffman, G. L. (2015). Navigating the Google blind spot: an emerging need for professional guidelines to address patient-targeted Googling.
Clinton, B. K., Silverman, B. C., & Brendel, D. H. (2010). Patient-targeted googling: the ethics of searching online for patient information. Harvard Review of Psychiatry, 18(2), 103-112.
Fisher, C. E., & Appelbaum, P. S. (2017). Beyond Googling: The ethics of using patients’ electronic footprints in psychiatric practice. Harvard review of psychiatry, 25(4), 170-179.
Gershengoren, L. (2019). Patient-targeted googling and psychiatric professionals. The International Journal of Psychiatry in Medicine, 54(2), 133-139.
Recupero, P. R., Harms, S. E., & Noble, J. M. (2008). Googling suicide: surfing for suicide information on the Internet. The Journal of clinical psychiatry.