Yeah, that's right. If your physician tells you to use an app and tells you to share that data with her, then for most purposes that data-sharing would be covered by HIPAA. And physicians have professional obligations to maintain confidentiality. So if you're sitting and show them data on your app but don't send it to their computer, they would have professional obligations under state law to keep that information confidential.
Now let's say there's an app made by a third-party developer. It's not covered under HIPAA. Then you take that data and send it to your physician, who puts it into your medical record. The data in your medical record would be covered by HIPAA. The data that the third-party app developer has would not.
It's literally that identical bits of data in different computers have different protections. The data the app developer has are not protected, while the very same bits of information in the doctor's computer are?
Yup. But the Federal Trade Commission has taken a few enforcement actions where mobile app developers made privacy promises but haven't kept those promises. If you're an app company you might not be governed by HIPAA, but you have to be careful to do what you're saying you're doing with that information. If you're engaging in any unfair or deceptive practices with regards to user data, the FTC could swoop in and take action.
What are the kinds of data that mobile app developers and tech companies have that people might be concerned about?
There's quite a few thoughtful researchers in this space who basically say that any data can be health data. Your online search terms, location, all of these are combined into a kind of profile of each of us. There's the famous case of Target sending mailers to a house because they accurately predicted the high-school-age daughter was pregnant. That was all predictive analytics based on shopping patterns and the like.
If you start shopping for certain goods and analytics online, it's not that hard for companies to figure out what medical conditions you might be dealing with.
Amazon has these shopping lists or wish lists that are public. I realized that somebody with my email address could probably learn a lot about me just based on what I have on that shopping list. Or if you're sending more texts than usual that could that mean you aren't feeling so great that day — that kind of thing?
Yeah, or what words are you using? Do you check into certain restaurants? Your gym patterns? Your travel patterns? There's a huge industry that's emerging around this data-gathering where you can predict a lot and ascertain a lot about people from data where on its face doesn't seem like health data. You can learn a lot about someone's health, even really intensely personal information, by analyzing this information.
Do you think an employer purchasing those data could use the information to figure out whether you have a certain medical condition that might give the company second thoughts about hiring you?
The discrimination question is really interesting and really scary, potentially. We have laws that inhibit medical insurance companies from discriminating based on your past medical history. But you can take a lot of data points and make inferences that get you to the same spot.
Legal scholars are wondering — is this a backdoor way to discriminate against insured populations based on their medical history? There's a company called Oscar based out of New York that has [become] really popular. They market themselves as a next-generation health insurance company where we're smart and we're data driven, we use modern technologies, we're not an old stodgy health insurance company. They give you an incentive to use [wearables] and use apps [to track exercise and give an opportunity to earn rewards].
But if you're using a Fitbit and you have a desk job and you sit around, will you be charged premiums for that or denied coverage in the future? Can we measure people's health risks in advance based on data points that individually seem innocuous but put together paint pretty detailed pictures?
Of course, some people would be happy to share those data, right? We do it all the time to get better traffic information. We could potentially be getting much better health care and health apps by freely sharing our information.
Of course! Not all consumers want their data to be locked up and in silos and kept confidential. I went to a conference at Stanford last month, and a bunch of patients there wanted their data to be open and free. One good thing about health going online is you have patient communities with chronic or difficult diseases where patients can find and help each other.
But there are certain egregious practices [from data brokers] that are predatory and abusive. It's very tricky to come up with a legal system that will work for everybody.
So, say I'm a consumer who wants to use these apps. How do I check and make sure that my data are protected to my satisfaction?
It depends on your level of concern. If it's very sensitive and you're very concerned, I wouldn't use an app unless it's from a traditional provider. If you're going to a hospital and they have an app that allows you to access records, which should be protected by definition.