It probably comes as no surprise that health data is not equally protected across all industries in the United States. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ─ the federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without your consent or knowledge ─ doesn't cover everything. Many organizations that have health information about you do not have to follow these laws.
Websites and Apps Tracking Your Health Data
Your health data can be used by tech companies to help target advertisements for you when you use their website. For example:
- Facebook/Meta came under fire for accepting patient data from period tracking apps to better target ads on the social media platform.
- A 2019 investigation published in JAMA Open Network found that apps used to support people trying to manage depression and stop smoking were selling personal health data to Facebook and Google. When patients signed up for these apps that they think will help them manage their health, the authors of the study noted that they did not fully understand what can be done with their health data.
- An investigation in June 2022 found a third of top hospitals in the United States sent patient data to Facebook. According to the article, a tracker, called the Meta Pixel, was sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment.
You hold the key to your health information and can send or have it sent to anyone you want. Only send your health information to someone or somewhere you trust, and be careful when sending your health information to a mobile application or other third parties.
How to Protect Your Health Data
There are steps that you can take to protect your health data. For example, if you do not want your health data to be shared, make sure to make this clear to your healthcare provider and/or hospital.
The Office of the National Coordinator for Health Information Technology recommends taking the following to keep health information private and secure:
- Use a password or a password manager that you are the only one who has access to, and make sure your password is not easy to guess.
- Think about what you post on the Internet that you don’t want to be attached to you. Even Facebook groups for health conditions that are “private” are not that private. Do not assume that an online public forum is private or secure.
- Research mobile apps before you download and install them. Be sure to use known app websites or trusted sources – a great way to do this is by just Googling information about the app.
- Read the terms of service and the privacy notice of the mobile app to verify that the app will perform only the functions you approve and think about using a different app if you do not agree with their functions.
- Consider installing or using encryption software for your device. Encryption software is now widely available and increasingly affordable.
As an enterprise, AHIMA is actively advocating for privacy policies to ensure appropriate protections are put in place when health information is gathered and shared by entities not covered by HIPAA.
Sharing Your Health Data for Medical Research
Medical research helps us learn new information about health, illness, and disease and how we can improve health for everyone. An August 2015 study of over 20,000 people found that nearly 90 percent of patients consented to their health data being shared — information that would not have a way to identify them personally.
Even anonymized, the data command premium prices. Every year, for example, Pfizer spends $12 million to buy health data from a variety of sources, according to 2016 reporting published in Scientific American.
If you have a health condition that needs more research, sharing your health data may be beneficial due to advancements in drug research, according to the Brookings Institute.
When participating in clinical research:
If you agree to be in a study after learning about it, the research team will ask you to sign certain important forms. One of these may be an authorization form. This form may ask you to let your healthcare providers give your personal health information to the research team. The authorization form could also ask you to let the research team use or share your personal health information with others for the research study.
Additional Resources:
- Making HIPAA Work for Consumers: Teaching How and Why to Access Health Records (AHIMA.org)
- Health Information & Privacy: FERPA and HIPAA (CDC)
- How HIPAA Supports Public Health through the Sharing of Electronic Health Information (HealthIT.gov)
- You Can Now Make Money Selling Your Own Health Data, But Should You? (Fast Company)
- Your Health Data May Be For Sale (Slate)
Health and wellness apps that do not claim to be HIPAA-compliant are often not, according to research published in the British Medical Journal, and they may be profiting from your information.
Key HIPAA Terms
Covered Entity: A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with transactions for which HHS has adopted standards.
Protected Health Information (PHI): All individually identifiable health
information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Authorization: Detailed document containing the required elements of the Privacy Rule, completed by the individual authorizing a covered entity to disclose specified protected health information to a third party for specified purposes.
