Here’s a chilling thought: healthcare practitioners, as well as health insurance companies and other employers, routinely search through private and public sources for consumer-generated health data related to client and patient spending and streaming habits. The violation of HIPAA privacy is nothing new. A 2018 Politico article entitled “Does Your Doctor Need to Know What You Buy on Amazon?” reported:
Google, Amazon, insurers, and credit card companies have long been able to tell whether you vote, own a dog, spent time in prison or drive a rusty 1997 Chevrolet. Now, that type of information is starting to pop up in front of doctors when you walk into their examination rooms. A small but fast-growing number of technology companies, including data brokers LexisNexis and Acxiom, sell health care providers detailed analyses of their patients, incorporating criminal records, online purchasing histories, retail loyalty programs and voter registration data.
The issue of providers searching for (“Googling”) client or patient data, and accumulating information that the client or patient has not shared, has long been a hotly debated ethical issue in the behavioral community. Articles have been written on the topic for over a decade, including calls for the national associations to give their members ethical guidance. However, as with many other thorny digital health ethical issues, the rapid expansion of technical capabilities cannot be expected to wait for professional groups to weigh in.
Adding fuel to the existing fire of controversy around digital privacy protection, insurers are now routinely engaging the services of the wholesale compilers of consumer personal information. They reportedly purchase and otherwise collect such information to build profiles to review with analytic software to identify consumer behavior patterns, including the purchasing, membership, and other online activities of unsuspecting consumers. For example, they can collect music or television streaming information about the clients to whom they sell insurance coverage. Such information is routinely screened to help build profiles of their customers to “predict potential health care costs.”
HIPAA Privacy & MITRE-Harris Poll: What do consumers know?
An estimated 90% of Americans are unaware of the extent to which their personal information is used by their insurance carrier. Only one in ten Americans thinks health insurance companies access their personal habits. An organization called MITRE recently conducted the MITRE-Harris Poll to measure consumer awareness of insurance company activities related to the creation of “profiles” to help them “better serve” the people who pay them for services. The June 2020 survey of 2,065 adults (aged 18 and over) found that consumers are “largely unaware” of the extent to which the insurance industry, including health insurers, can acquire common types of Consumer-Generated Data (CGD), such as online shopping history. The information comes from a variety of sources, including data brokers. Unlike Protected Health Information (PHI), CGD is not legally protected from the prying eyes of anyone who cares to pay the price.
There are clear gaps in attitudes towards, and understanding of, lifestyle data privacy and its use by industry — this trend is also particularly noteworthy when looking at differences based on ethnicity, where the research shows 10% to 20% gaps between white, Black, and Hispanic Americans.
Erin Williams, Executive Director for Biomedical Innovation at MITRE, also stated:
These results reinforce that a significant gap exists between what we believe our insurance companies and employers know about us personally, and what they actually do. Americans need more education about the ways third parties are accessing and using their consumer-generated data. But it really shows that companies have an obligation to be more transparent about what data they are collecting from third parties.
On the whole, the MITRE-Harris Poll showed that consumers want to have control over the entities sharing their personal information, but many are willing to exchange privacy for safety or convenience. Responses varied on the basis of the age of the person or their geographic location, as well as ethnicity. Further, responses on the MITRE-Harris Poll varied by sex, with 56% of men being more willing than females to trade privacy for convenience. More than three-quarters of respondents (77%) don’t believe any data privacy exists currently. Approximately 60% of people on the MITRE-Harris Poll stated they believe the mining of information by insurance companies is acceptable if the information recovered was used to create health promotion activities. However, for the majority of people, it was not acceptable for insurance companies or employers to collect information about them based on social media or binge-watching activities. Despite these clear consumer preferences, these activities will most likely continue unabated because such practices are legal.
MITRE-Harris Poll: What about in national emergencies? Do you care to share?
Interestingly, 70% responded that they think there’s an obligation to share personal health information to stop the spread of diseases. However, when it comes to COVID-19, people were not as enthusiastic about providing personal information to a national database related to COVID-19. Notably, 36% of people who participated in the MITRE-Harris Poll would be willing to share their temperatures, whereas only 29% would be willing to share their location. As for sharing chronic illness information, only 25% would be inclined. Yes, sharing is important, but not if I have to do it… These data points are relevant because the success of a COVID-19 contact tracing app is reliant on the eagerness of the public to trust the platform with their health information. HIPAA privacy might not apply to these types of apps.
To review, the key findings from the MITRE-Harris Poll survey include the following:
- 70% of respondents believe there is an obligation to share personal health information to stop the spread of disease.
- 77% of those surveyed don’t believe any data privacy exists in today’s world.
- Consumers want control over who shares personal information.
- Consumers don’t trust social media companies with their personal health information.
MITRE-Harris Poll: Where does this report leave you?
We at Telehealth.org respectfully submit two questions for your consideration and comment below:
- What are we obligated to tell our clients or patients about the information we gather about them, without their expressed permission?
- What is our legal and ethical obligation to inform our patients and clients about the privacy of the information given to insurers not only by us but by others such as data brokers?
From our experience in training and assessing more than 38,000 professionals over the last 26 years, we can conservatively say that most clinicians that we have encountered have not yet considered the pros and cons of Googling their clients or patients and what it can mean to the therapeutic relationship. We also can say that most practitioners today are not sufficiently aware of HIPAA or HIPAA privacy, let alone how to advise a consumer about how to protect themselves with regard to CGD.
What then is a responsible practitioner to do if a client or patient asks for guidance regarding these HIPAA privacy/digital privacy issues? By publishing this article, Telehealth.org hereby calls for professional education and training organizations to add this issue to the growing list of topics in digital ethics classes. We encourage everyone reading this article to comment below, and if you are currently taking any of our training courses related to privacy, please bring us this issue for discussion in Telehealth.org’s Community Discussion Forums.