Lisa started therapy during the pandemic. Working from home at a stressful job with kids underfoot and financial worries all combined to put strains on her marriage and increase her anxiety.
She was not alone. Millions of people faced mental health challenges during lockdown as they adjusted to the new normal. But when Lisa downloaded an app to support her telehealth therapy, she surrendered her privacy without knowing it. Now she’s receiving advertisements for products, services and prescriptions related to her mental health condition – on her browser, in the mail, through email, even texts and phone calls.
Pandemic Spurred Explosion of Mental Health Data Online
Data brokers selling personal information is not a new problem. The internet economy has fostered a marketplace for personal information, and the problem is growing. Data brokers collect personal information, package it, and sell it to companies that use it to target ads and drive up sales.
But during the pandemic, as telehealth and therapy apps became more common, individuals’ mental health data was added to the list. Until very recently, the unauthorized sale of health data was not illegal in the United States. The law is gradually changing, but more needs to be done to protect personal mental health information.
What the Duke University Study Found
A Duke University researcher started with simple internet searches for “healthcare data providers,” “mental health data brokers,” “health information for sale,” “mental health data for sale,” and “data brokers who sell mental health data” and found an astonishing number of brokers ready to sell personally identifiable data to her. After contacting a number of them, the researcher, Joanne Kim, ultimately found 11 companies willing to sell bundles of data that included information on what antidepressants people were taking, whether they struggled with insomnia or attention issues, and details on other medical ailments, including Alzheimer’s disease or bladder-control difficulties.
While some of the data offered was in an aggregate form, allowing a buyer to know, for instance, an estimate of how many people in one ZIP code might have depression, other data sets included lists of personally identifiable information with names, addresses, incomes, and specific diagnoses, including “Anxiety Sufferers” and “Consumers With Clinical Depression in the United States.”
One company advertised the names and contact information for people with depression, anxiety, post-traumatic stress or bipolar disorder.
HIPAA Does Not Apply
The Health Insurance Portability and Accountability Act (HIPAA) protects patient information handled by covered entities, like hospitals, doctors, therapists and clinics, and by their business associates, the third-party vendors who support covered entities and also handle protected health information (PHI). HIPAA does not apply to health apps that are independent from a covered entity.
Recently, the Federal Trade Commission (FTC) investigated GoodRx, a prescription app, for allegedly sharing users’ private health information. GoodRx settled that investigation by agreeing to pay a $1.5 million civil money penalty. But this investigation came under the FTC’s Health Breach Notification Rule, not HIPAA, and it is the first investigation of its kind. The FTC has said more will follow.
Health Apps Are Under Scrutiny
Four senators have recently written letters to three telehealth companies urging them to protect their patients’ sensitive health data. The companies are Cerebral, Monument, and Workit Health.
From the press announcement:
“Recent reports highlight how your company shares users’ contact information and health care data that should be confidential…this information is reportedly sent to advertising platforms, along with the information needed to identify users. This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,” the senators wrote to Cerebral Chief Executive Officer Dr. David Mou, Monument Chief Executive Officer Mike Russell, and Workit Health Chief Executive Officer Robin Ann McIntosh.
The full text of the letters to Cerebral, Monument, and Workit Health is here.
Safeguarding Patient Privacy
Do your best to prevent the disclosure of sensitive private health information.
Although covered entities and business associates are not the targets of the current scrutiny of health apps, everyone subject to HIPAA would be wise to review the Office for Civil Rights (OCR) guidance about online tracking technologies. Take care to restrict tech companies’ collection, use and sale of PHI acquired from you and your patients.