Insurance & HIPAA Privacy? MITRE-Harris Poll Shows Dark Side of Insurance Privacy Practices


October 23, 2020 | Reading Time: 5 Minutes

Here’s a chilling thought: healthcare practitioners, as well as health insurance companies and other employers, routinely search through private and public sources for consumer-generated health data related to client and patient spending and streaming habits. The violation of HIPAA privacy is nothing new. A 2018 Politico article entitled “Does Your Doctor Need to Know What You Buy on Amazon?” reported:

Google, Amazon, insurers, and credit card companies have long been able to tell whether you vote, own a dog, spent time in prison or drive a rusty 1997 Chevrolet. Now, that type of information is starting to pop up in front of doctors when you walk into their examination rooms. A small but fast-growing number of technology companies, including data brokers LexisNexis and Acxiom, sell health care providers detailed analyses of their patients, incorporating criminal records, online purchasing histories, retail loyalty programs and voter registration data.

The issue of providers searching for (“Googling”) client or patient data, and accumulating information that the client or patient has not shared, has long been an ethical issue of hot debate in the behavioral community. Articles have been written on the topic for over a decade, including calls for ethical guidance from the national associations for their members. However, as with many other thorny digital health ethical issues, the rapid expansion of technical capabilities cannot be expected to wait for professional groups to weigh in.

Adding fuel to the existing fire of controversy around digital privacy protection, insurers are now routinely engaging the services of the wholesale compilers of consumer personal information. They reportedly purchase and otherwise collect such information to build profiles, which they review with analytic software to identify consumer behavior patterns, including the purchasing, membership, and other online activities of unsuspecting consumers. For example, they can collect music or television streaming information about the clients to whom they sell insurance coverage. Such information is routinely screened to help build profiles of their customers to “predict potential health care costs.”

HIPAA Privacy & MITRE-Harris Poll: What do consumers know?

An estimated 90% of Americans are unaware of the extent to which their personal information is used by their insurance carrier. Only one in ten Americans think health insurance companies access information about their personal habits. An organization called MITRE recently conducted the MITRE-Harris Poll to measure consumer awareness of insurance company activities related to the creation of “profiles” to help them “better serve” the people who pay them for services. The June 2020 survey of 2,065 adults (aged 18 and over) found that consumers are “largely unaware” of the extent to which the insurance industry, including health insurers, can acquire common types of Consumer-Generated Data (CGD), such as online shopping history. The information comes from a variety of sources, including data brokers. Unlike Protected Health Information (PHI), CGD is not legally protected from the peering eyes of anyone who cares to pay the price.

The MITRE-Harris Poll report released this month cites Rob Jekielek, Managing Director, Harris Poll, who concluded:

There are clear gaps in attitudes towards, and understanding of, lifestyle data privacy and its use by industry — this trend is also particularly noteworthy when looking at differences based on ethnicity, where the research shows 10% to 20% gaps between white, Black, and Hispanic Americans.

Erin Williams, Executive Director for Biomedical Innovation at MITRE also stated:

These results reinforce that a significant gap exists between what we believe our insurance companies and employers know about us personally, and what they actually do. Americans need more education about the ways third parties are accessing and using their consumer-generated data. But it really shows that companies have an obligation to be more transparent about what data they are collecting from third parties.

On the whole, the MITRE-Harris Poll showed that consumers want to have control over the entities sharing their personal information, but many are willing to exchange privacy for safety or convenience. Responses varied on the basis of the age of the person or their geographic location, as well as ethnicity. Further, responses on the MITRE-Harris Poll varied by sex, with 56% of men being more willing than women to trade privacy for convenience. More than three-quarters of respondents (77%) don’t believe any data privacy exists currently. Approximately 60% of people on the MITRE-Harris Poll stated they believe the mining of information by insurance companies is acceptable if the information recovered was used to create health promotion activities. However, for the majority of people, it was not acceptable for insurance companies or employers to collect information about them based on social media or binge-watching activities. Despite these clear consumer preferences, these activities will most likely continue unabated because such practices are legal.

MITRE-Harris Poll: What about in national emergencies? Do you care to share?

Interestingly, 70% responded that they think there’s an obligation to share personal health information to stop the spread of diseases. However, when it comes to COVID-19, people were not as enthusiastic about providing personal information to a national database related to COVID-19. Notably, 36% of people who participated in the MITRE-Harris Poll would be willing to share their temperatures, whereas only 29% would be willing to share their location. As for sharing chronic illness information, only 25% would be inclined. Yes, sharing is important, but not if I have to do it… These data points are relevant because the success of a COVID-19 contact tracing app is reliant on the eagerness of the public to trust the platform with their health information. HIPAA privacy might not apply to these types of apps.

To review, the key findings from the MITRE-Harris Poll survey include the following:

  • 70% of respondents believe there is an obligation to share personal health information to stop the spread of disease.
  • 77% of those surveyed don’t believe any data privacy exists in today’s world.
  • Consumers want control over who shares personal information.
  • Consumers don’t trust social media companies with their personal health information.

MITRE-Harris Poll: Where does this report leave you?

We at Telehealth.org respectfully submit two questions for your consideration and comment below:

  • What are we obligated to tell our clients or patients about the information we gather about them, without their expressed permission?
  • What is our legal and ethical obligation to inform our patients and clients about the privacy of the information given to insurers not only by us but by others such as data brokers? 

From our experience in training and assessing more than 38,000 professionals over the last 26 years, we can conservatively say that most clinicians that we have encountered have not yet considered the pros and cons of Googling their clients or patients and what it can mean to the therapeutic relationship. We also can say that most practitioners today are not sufficiently aware of HIPAA or HIPAA privacy, let alone how to advise a consumer about how to protect themselves with regard to CGD.

What then is a responsible practitioner to do if a client or patient asks us for guidance regarding these HIPAA privacy/digital privacy issues? By publishing this article, Telehealth.org hereby calls for professional education and training organizations to add this issue to the growing list of topics in digital ethics classes. We encourage everyone reading this article to comment below, and if you are currently taking any of our training courses related to privacy, please bring us this issue for discussion in Telehealth.org’s Community Discussion Forums.


Baker, M. J., George, D. R., & Kauffman, G. L. (2015). Navigating the Google blind spot: an emerging need for professional guidelines to address patient-targeted Googling.

Clinton, B. K., Silverman, B. C., & Brendel, D. H. (2010). Patient-targeted googling: the ethics of searching online for patient information. Harvard Review of Psychiatry, 18(2), 103-112.

Fisher, C. E., & Appelbaum, P. S. (2017). Beyond Googling: The ethics of using patients’ electronic footprints in psychiatric practice. Harvard Review of Psychiatry, 25(4), 170-179.

Gershengoren, L. (2019). Patient-targeted googling and psychiatric professionals. The International Journal of Psychiatry in Medicine, 54(2), 133-139.

Recupero, P. R., Harms, S. E., & Noble, J. M. (2008). Googling suicide: surfing for suicide information on the Internet. The Journal of clinical psychiatry.

Marlene Talbott-Green PhD
3 years ago

Dear Dr. Maheu: I am one of those people who do not believe that any real privacy exists on the internet. I have known too many people who have been hacking into private medical records for years. For as long as I can remember, especially since the advent of Managed Care, I have been worried for my clients that their information may be hacked into because I know it can, even by amateurs. My own information appears, for example, in e-mail and FB posts within a day or so, after I make an inquiry. My computer knows when I need new bras or fire pits and Oh, the advertising that goes on to cover my every exigency.
I have a tiny private practice, and so I have developed some of my own methods of keeping records private, which I don’t want to divulge here (!). However, I do use Hushmail for e-mail and doxy.me for video counseling. I have observed all the HIPAA policies that I know of, and if I don’t know of them, it’s not for trying. I could use some templates for privacy issues such as full disclosure, or other forms I NEED for telebehavioral healthcare etc., if you might recommend some simple forms. I am not impressed with some I have seen, especially with the caveat to run them by an attorney. I don’t have an attorney on call. I can’t afford such either for my personal or professional use! Technology just isn’t up to it either. So, I don’t pretend to think that any privacy exists. I worry about cyber security all the time. Thanks for letting me rant. Marlene Talbott-Green PhD.

Marlene Maheu, Ph. D.
2 years ago

Dr. Talbott-Green, We have templated telehealth practice forms here at TBHI, but there’s no getting around having a telehealth-informed attorney from your state take a look at them. If someone promises you a one-size-fits-all form, they are lying. Every state has its own set of sometimes rather peculiar laws. If you can find a group of colleagues in your state, you might share the expense. Maybe your state association is a good place to find them?
