In 2018, the tech industry found itself in the hard spotlight amid a scandal involving a company called Cambridge Analytica, which had collected and used data from millions of Facebook users, apparently without their consent. It resulted in a public outcry, Congressional hearings, a $ 5 billion fine, and permanently altered the discourse on how social media companies use data.
In the wake of a Supreme Court decision that overturned Roe v. Wade, health data privacy is getting its Cambridge Analytica moment.
With viral calls to eliminate period tracking apps and fears that medical records could be used to prosecute people seeking abortions residing in states where it is now illegal, several experts have relied on Cambridge Analytica as a benchmark for l ‘examination of the health data practices that they might rightfully draw. They expressed hope that health care companies will look into their practices, but also said that lasting change will require changes to federal policies and the teeth to enforce them.
“We have seen Facebook do better in terms of privacy policies and in terms of clarity and in terms of individuals’ ability to dictate which data is shared and which not,” said Megan Ranney, professor at Brown University and director of Brown-Lifespan. Center for Digital Health. “And I think it might be time for that kind of showdown for us in the health sphere. I’d say he’s late, but maybe now is the time. “
The 26-year-old Health Insurance Portability and Accountability Act, or HIPAA, generally regulates how healthcare organizations can and cannot use patient data and how they should protect it. But experts say HIPAA now has obvious weaknesses in the modern world of medical data. Kristen Rosati, a lawyer and former president of the American Health Law Association, noted that the law does not protect sensitive data from disclosure to law enforcement, nor does it cover countless health devices, apps, or online searches, where people unknowingly share information about the intimate health that can be shared, sold or aggregated.
“It’s a really chaotic environment,” said Lisa Bari, CEO of Civitas Networks for Health. “And the lack of a national data privacy protection law is damaging everything. It is bad for people’s health. It is harming people’s privacy. It is making it difficult to exchange data for permitted purposes. “
Consumer data is currently governed by a mixture of state laws and the Federal Trade Commission, which has rules prohibiting misleading claims. A bipartisan bill currently being drafted in Congress would help provide some consumer empowerment rules for data collected by health apps. The Civil Rights Office of the Department of Health and Human Services also oversees the use of health data covered by HIPAA and has already published guidelines on when reproductive health data should be disclosed to law enforcement.
The wild west of health data has led to numerous small-scale scandals over the years – Google’s effort to build its health business with millions of Ascension medical records has drawn criticism. Flo, who once again puts a period tracking app in the spotlight, settled with the Federal Trade Commission last year on allegations of misleading users about their data privacy. And just a few weeks ago, an investigation revealed that major hospital systems were sending health information to Facebook, which experts say may be in breach of HIPAA.
But health data privacy has never been so closely linked, or so publicly, to an event with such widespread consequences.
It is essential that companies that collect data or make health products carefully consider the potential consequences, said Christine Lemke, co-CEO of Evidation Health, which helps companies conduct consumer health research. He said there are analogues in healthcare to how Facebook’s algorithms prioritized incendiary content that may contain misinformation during the latest national elections.
“It will lead to unintended secondary consequences. Someone using data from a pregnancy app to put a woman in jail, “she said. Today the problem is reproductive health, but in the future, information leaking from apps or health services could be used in other discriminatory ways. . “We should be considerate about these things.”
Andrea Downing, president and co-founder of the Light Collective, puts it more bluntly. He said that companies that collect data should “immediately think about how this can be used as a weapon against someone? How can it be used in the hands of the most evil person who does the worst things with it? … And then when we design something, that yes Whether it’s a studio or a technology, we need to be in a place where we protect against that damage from the start.
The fact that companies do not think more often about how their data or products are used could be attributed to naivety, negligence and commercial reasons. For some space companies, most of their business comes from buying and selling data to pharmaceutical or adtech companies for marketing purposes.
In the absence of a change in federal policy, experts said there are immediate steps organizations could take to improve privacy practices – for some, it’s as simple as doing the bare minimum to ensure the developers they work with don’t submit. unintentionally private health information to third parties.
Even companies that aren’t covered by HIPAA can voluntarily submit to its rules, Ranney suggested. Rosati said consumer apps could provide people with a way to delete their data immediately, an option already required by some state-level privacy laws and that could be included in a national effort. Apps that send data to third parties may carefully consider whether this is necessary and closely examine all partners with whom they share data. Some services may leave all data on devices or hide it behind user-controlled end-to-end encryption. Some sources have suggested that voluntary privacy certifications from a trusted nonprofit or guidelines from the Food and Drug Administration could help encourage better behavior.
Michelle Dennedy, who is developing PrivacyCode, a new startup to help companies manage these issues and has worked for decades on privacy in technology companies, said that in light of the legal responsibility created by data, healthcare organizations should “invest in a way that proactive in some projects ”to investigate what data they are collecting, how they are using it, and what is really needed for compliance and positive health outcomes.
There is already evidence that the gears could trigger the voluntary change: Flo announced it would work in an “anonymous mode” that would protect user data.
But while public pressure may encourage some companies to step forward, privacy experts have said that many companies will simply choose the path of least resistance, which means ignoring privacy until they can.
“Whenever it’s a question of profits, they’re not doing the right thing,” Downing said. “We don’t need rules for good actors. We need regulation for when no one is watching. “
Even with a national privacy law in the works, experts say there is a lot to be done. Enforcement of existing laws remains light, and HIPAA still needs substantial reform to reflect the advent of big data, information sharing, and research that the lawmakers who made it simply did not anticipate.
Lucia Savage, head of privacy and regulation at Omada Health, said that while she has seen consumer interest in privacy “swell” by the Cambridge Analytica scandal, such discussions are usually relegated to “Beltway discussing privacy.” If more people start bringing their fears directly to their elected officials, however, that could affect lasting change.
“Congressmen don’t like anything better than a voter telling them a personal story,” he said. “This is literally the most precious thing that can happen.”
