Law in the Internet Society
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.

Getting Tech Companies Away From Our Medical Data

-- By NishaChandra - 06 Dec 2019

Medical data is data that is collected about a person’s state of health. It can include information about hospitalizations, symptoms, allergies, treatment plans, medications, lab reports, and progress notes. This form of data was traditionally collected by clinics, hospitals, and public health authorities and has been stored in recent years as electronic health records (EHRs), which can be uploaded onto a third-party electronic health information exchange (eHIE). EHRs can be accessed by approved users instantly and be updated in real-time, making them a helpful tool for doctors to understand their patients’ history and subsequent medical needs. They can also be shared across providers in different health care systems, ensuring that clinicians have a full picture of a patient’s records.

Tech's Interest In Health Data

But increasingly, technology corporations are collecting this health data. In some cases, people are willingly handing over that data. There exists a multitude of mobile phone applications where users can import information about their health. One such application, the Maya period tracker application, has over 5 million downloads on the Google Play Store. This application can store information about users’ use of contraception, period cycles, and associated symptoms. In other cases, people don’t know that corporations have access to their health data or never consented to it. The Maya period tracker, for instance, was recently found to be sharing its users’ medical data with Facebook. Additionally, Google has accessed health data without patient’s consent through Project Nightingale, a partnership with the health care provider Ascension. Through this project Google has the health records for millions of Ascension patients, and it claims the goal is to use machine-learning algorithms to make better healthcare decisions.

While medical providers collect and store medical data to streamline the provision of medical care, technology corporations may have more profit-based motives and may be less concerned with maintaining the privacy of this data. Health information, for example, can be used to suggest purchase options through targeted marketing. A company which knows that you’re struggling to conceive might show you ads for fertility clinics or self-help books. Through this type of marketing companies influences the behavior of users. Health data can also be sold; Facebook is interested in collecting health data in part because of the lucrative practice of selling this data to pharmaceutical and insurance companies. Unfortunately for users, health data in the hands of these companies will inevitably lead to discrimination based on that data. Insurers may start making health insurance coverage decisions based on the data they’re buying from these behavior-collectors. A previous prescription for depression medication noted on a patient’s medical record may lead to them being denied health insurance in the future due to “pre-existing conditions”. One day soon, companies will use this data to make decisions that affect every facet of people's lives – decisions about who to rent to, who to give a loan to, and who to hire.

A Lack of Consent

Unfortunately, patients’ consent plays a very small role in the dissemination of health data. Health care providers are bound by the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of protected health information by certain entities. While best practices dictate that patients are asked to consent to the sharing of their health data, HIPAA provides a very low baseline of conduct and does not require that providers get patients’ consent before exchanging health information through an eHIE. Some states have laws that are more protective than HIPAA of patients; but these laws are narrow and many only pertain to the disclosure of sensitive diagnoses such as HIV.

As a general rule, in the United States healthcare systems can legally share health information with their business partners even without patients’ consent as long as the use is for the system’s healthcare functions. As long as the technology company that is receiving the data isn’t operating as a de-facto health care system in and of itself, its use of data is under a lower level of scrutiny. A hospital could share medical information with Amazon for research, for example, as long as it stripped the data of personally identifying information. And once the medical data has been de-identified it is no longer protected under HIPAA, so Amazon could legally try to link it to existing data on specific users.

Patients are attempting to push back against this nonconsensual sharing of their medical data. A group of patients has sued the University of Chicago Medical Center for sharing patient data with Google without stripping out dates. In theory, Google could use information it has about users’ locations to match the medical data with specific users and then use this enhanced knowledge about their users for marketing purposes. Unfortunately, since the medical center did remove names, phone numbers, and other patient information from the records, it appears that this type of sharing is legal under the current regime. Ultimately the best way patients can protect themselves against non-consensual sharing of their medical information with technology companies is to push for updates to HIPAA. HIPAA was signed into law in the 90’s, before most could conceive of the ways that technology companies would come to use personal data. Changes to the law to require affirmative, informed consent from patients before their health data is stored or shared may be the only way to stop these companies from misappropriating our data further.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r3 - 16 Jan 2020 - 04:45:10 - NishaChandra
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM