Every day, millions of Americans relinquish health and genetic data to companies large and small. We check our weight on digital scales; plug food diaries into apps like Lose It! and Noom; search the internet for information about Alzheimer's disease, multiple sclerosis, or rare neurologic conditions; measure our sleep, heart rate, or blood pressure on smartwatches; and send swabs of DNA to companies such as 23andMe and Ancestry.com.
With every click and upload, our data are likely being shared with multiple third parties for a variety of purposes: to help them target their advertising and marketing better, to use for internal research, or to keep track of our whereabouts.
Amid all this data sharing, some of us are asking questions about who has access to this personal information, what it's used for, how secure privacy policies are, and if there's anything we can do to protect this information when using these tools.
The law that protects the privacy of medical information—the Health Insurance Portability and Accountability Act (HIPAA)—applies only to certain “covered entities,” including health care providers, hospitals and pharmacies, health insurers, and health care clearinghouses. Information shared through a doctor's online portal or in claims filed with a health insurer using its proprietary app is protected by HIPAA. So is identifiable health information about participants in clinical trials, as long as it's gathered by a researcher who is a covered health care provider.
If you've participated in a health registry that tracks information about the health of patients with a specific disease or condition such as dementia or multiple sclerosis, the privacy of that information depends on who's running the registry. If it's part of a clinical research study, like the Multiple Sclerosis Surveillance Registry run by the US Department of Veterans Affairs, HIPAA privacy protections apply. But if it's a crowdsourced online network such as PatientsLikeMe, HIPAA does not apply, and registrants must rely on the individual privacy policy of each entity.
Even with HIPAA-protected data, privacy breaches have been reported. Between 2009 and 2021, 4,419 health care data breaches of 500 or more records were reported to the Department of Health and Human Services, resulting in the loss, theft, exposure, or impermissible disclosure of more than 300 million health care records, according to the HIPAA Journal. “Technology exists that allows data aggregators to reidentify personal information even if the hospital or pharmacy exported it as deidentified,” says Adrian Gropper, MD, chief technical officer of Patient Privacy Rights, a national organization based in Austin, TX, representing 10.3 million patients. “If a data aggregator of any size gets information that is deidentified and combines it with data from brokers like credit bureaus that are identified, they can figure out with very good accuracy which record belongs with which patient and then put it all together.”
Information shared with almost all other entities—including smartphone apps, search engines, or DNA-testing companies—is not protected by HIPAA. That lack of protection means these companies can sell and distribute health data they collect from people.
“Technology companies are not legally required to protect your private information from third-party use,” says Dr. Gropper. “Even companies that have a policy that clearly states, ‘We do not sell your data to or share them with third parties,’ still might,” says Benjamin R. Kummer, MD, director of clinical informatics in neurology and assistant professor of neurology at the Icahn School of Medicine at Mount Sinai in New York.
A 2019 article in the BMJ found that 79 percent of the 24 top medicine-related Android apps shared user data with third parties. In the same year, a report in JAMA Neurology showed that the vast majority of highly ranked mental health apps shared data with third parties without disclosing it in privacy policies. And a 2018 study of 14 migraine tracking apps found that although about 80 percent of them had privacy policies, many explicitly permitted the use of user information for marketing and advertising other products to the users.
An exception is Apple, which positions itself as the tech company most focused on privacy. “Apple makes its money from selling hardware, not data,” says Dr. Gropper. “But while the company may not see your data, it's dependent on the App Store and independent [app] developers, who do have an interest in using and possibly selling data. The same is true for companies that make smart scales and blood pressure monitors.”
What that means is that if you use a Bluetooth-connected blood pressure monitor that syncs with your Apple Health app and tracks your vitals, Apple won't see or share the data, but the company that makes the monitor can get that information.
Apple does ask its users for permission to share the data with device manufacturers like these, says Dr. Kummer. “But once that permission is given, these manufacturers can get the data from those devices and use them. Permission can be turned off, but many people forget to do that, or don't understand what permissions mean.”
Benefits and Risks
There are many advantages of using online health tools, including convenience and the ability to keep track of medical conditions like migraine, high blood pressure, and seizures. And better management of those conditions may potentially keep people out of emergency departments or hospitals. A seizure tracker, for example, allows people with epilepsy to log auras, seizures, and medication side effects; set reminders to take medication; see progress over time; and receive customized content.
The biggest downside of these apps for some people is not knowing if their privacy is protected. A 2020 analysis in the Journal of Neuropsychiatry and Clinical Neurosciences of apps for the top five disabling neuropsychiatric conditions—stroke, migraine, depression, Alzheimer's disease and dementia, and anxiety—found that many of them “did not have a privacy policy that was easy to understand…and clearer regulation and transparency are needed on how user information is being collected, used, stored, and potentially sold.”
There are several ways data collected by apps, wearables, and cookies embedded in websites could be misused. Say a friend has Parkinson's disease, and you want to learn more about the condition, so you look up symptoms and treatments. Soon you may see ads targeting you as if you had Parkinson's. “Not only is this kind of information harvested invisibly, it also can be inaccurate, and you could be labeled as having a condition you don't have,” says Neil A. Busis, MD, FAAN, professor of neurology at NYU Langone Health in New York City and director of telehealth for the department.
Many employer wellness programs use apps and wearables to collect data on employees' health. For employees, using these tools can result in lowered insurance premiums, discounts on wellness products, and vouchers or points that can be spent on things like movie tickets or coffee. But that information could potentially be used for other purposes as well. “Currently, companies can work with employer wellness firms to gain deep insights about a company's workers,” notes a 2017 article in the California Law Review.
Insurance rates also could be affected by shared data. “Consider a person who's had a stroke,” says Dr. Busis. “To prevent another one, they've bought a smart scale and blood pressure cuff. If an insurance company knows about that through an employer wellness program, it may raise or lower the rates depending on what the data reveal. Insurance companies may know more about people than people realize.”
“Data could be used to penalize policyholders with higher premiums or to deny insurance,” note the authors of a 2020 JAMA Network Open article on privacy and digital technology. “Wearables can collect information on physical activity, calorie intake, blood pressure, and weight. Insurance companies are now using these data for rewards programs, but no regulations stop them from doing the opposite.”
And then there is the risk of theft. In September 2021, an independent cybersecurity researcher identified a data breach that exposed the data of 61 million Apple fitness tracker and Fitbit users. Subsequently, the Federal Trade Commission issued a policy statement affirming that apps and devices that collect personal health information must notify users when their health data are breached.
Legal Implications
Genetic information could be used to link people to someone who has committed a crime, even if they have never submitted spit samples to an online DNA service like 23andMe. “Genetic data can connect you to your whole family tree, including people you don't even know about,” says Katie Hasson, PhD, associate director of the Center for Genetics and Society in Berkeley, CA. “Law enforcement uses forensic genetic genealogy to investigate suspects in crimes, looking way up the family tree to find a common relative generations ago and then tracing back down to potential suspects.”
“European countries have privacy laws that allow you to request that your data be erased, but we have nothing like that in the United States,” says Dr. Busis. “In Germany, for example, you can prevent your house being shown on Google Maps. You can't do that here, at least not easily.”
Some states have tried to take on this issue. In 2018, the California Consumer Privacy Act (CCPA), the nation's first comprehensive law of its kind, passed. The CCPA, which went into effect in January 2020, applies to most for-profit companies that do business in California and allows state residents to access the personal information that companies collect on them, to request that data be deleted, and to seek legal options for data misuse or a breach. (HIPAA-protected information is explicitly exempted.)
In June 2022, five US senators, led by Democrat Elizabeth Warren of Massachusetts, introduced the Health and Location Data Protection Act, which would prohibit brokers from selling health and location data. It's expected to meet fierce opposition from the third-party data industry.
“People don't have a lot of power in controlling what happens to their data,” Dr. Hasson says. “The problem needs to be addressed at the legislative level, not by people figuring out where their data are going and how to keep that information under their control.”
Read More
7 Ways to Protect Your Digital Privacy
To minimize how much of your information gets into the hands of those who might misuse it, follow this advice.