What you don’t know about your health data will make you sick
▻https://www.fastcompany.com/90317471/what-you-dont-know-about-your-health-data-privacy-will-make-you-sick
Chances are, at least one of you is being monitored by a third party like data analytics giant Optum, which is owned by UnitedHealth Group, Inc. Since 1993, it’s captured medical data—lab results, diagnoses, prescriptions, and more—from 150 million Americans. That’s almost half of the U.S. population.
“They’re the ones that are tapping the data. They’re in there. I can’t remove them from my own health insurance contracts. So I’m stuck. It’s just part of the system,” says Joel Winston, an attorney who specializes in privacy and data protection law.
Healthcare providers can legally sell their data to a now-dizzyingly vast spread of companies, who can use it to make decisions, from designing new drugs to pricing your insurance rates to developing highly targeted advertising.
Yet not all health-related information is protected by privacy rules. Companies can now derive insights about your health from growing piles of so-called “alternative” data that fall outside of HIPAA. This data—what some researchers refer to as your “shadow health record”—can include credit scores, court documents, smartphone locations, sub-prime auto loans, search histories, app activity, and social media posts.
Your health data can be deployed in alarming ways, privacy experts say. Insurance companies can raise your rate based on a photo on your Instagram feed. Digital advertisers can fold shadow health data into ads that target or discriminate against you. It can even seem invasive and predatory. One trend among personal injury lawyers, for example, is geo-targeted ads to patients’ phones in emergency rooms.
Uniquely valuable health data is also increasingly the target of hackers, ransomware attacks, breaches, or what some patients call just plain shadiness, which has led to litigation and can ultimately further undermine trust in the healthcare system. A 2017 breach at a New York hospital leaked sensitive information about more than 7,000 patients, including addiction histories, medical diagnoses, and reports of sexual assault and domestic violence. Criminals can use that kind of data to commit identity and insurance fraud.
“There’s a great deal of trust that’s placed in our interactions with doctors and healthcare institutions,” says Mary Madden, research lead at Data & Society, who studies consumer and health privacy. “The current process of seeking consent for data collection and use in many health settings is often treated as an administrative afterthought, rather than a meaningful exchange that makes patients feel empowered and informed.”
Your health-related data are compiled into a specialty report akin to the consumer credit reports made famous—or infamous—by Experian, Equifax, and TransUnion. Insurers claim these reports are crucial to evaluating and pricing risk, and they can use this data to raise your rate, or to deny your application entirely. If your application is rejected—it’s called an “adverse event”—you are legally entitled to receive a copy of your specialty report and to potentially dispute an error.
“Many people don’t understand that the data from a Fitbit or other health wearable or health device can actually be sold and is, in fact, today being sold. It is being sold for behavioral analytics, for advertising targeting. People don’t understand that is happening,” she told the committee. (After this story was published, a Fitbit spokesperson sent Fast Company a statement saying that the company does not “sell customer personal data, and we do not share customer personal information except in the limited circumstances described in our privacy policy.”)
The demand for all this data is rising, as it has for years. The health data market was approximately $14.25 billion in 2017, according to BIS Research. The firm predicts that in just under seven years—by the end of 2025—the market will grow nearly five times bigger, to $68.75 billion.
