There may be no stranger with whom the average person shares more private details of their life with than their doctor. The primary healthcare mechanism to protect patient privacy in healthcare, the Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996, but was, as its title suggests, heavily focused on insurance-related concerns, and left gaping holes in much of the healthcare data privacy space. Under HIPAA, personal health information can be sold by healthcare organizations, used for marketing purposes, and shared with research organizations, as long as the data is de-identified, or the patient authorizes such uses.
While many patients are incredibly skeptical of their health information being shared, even with identifying details stripped from the data, there are incredibly important reasons to embrace and support a robust data-sharing model: to provide drug manufacturers with patient data about side effects and adverse reactions, to allow researchers to uncover and analyze systemic trends and anomalies, and to allow for the most comprehensive and holistic data-driven modeling. Much of patient skepticism may be due to the unfamiliarity with how their data is used – in a 2022 survey, only 20% of patients indicated an understanding of who has access to their healthcare information.
Two recent developments have further exacerbated the problems around patient skepticism – the post-Dobbs criminalization of abortion, and the furor around TikTok. Although much of the legislation criminalizing abortion targets health care providers and clinical staff, the mere fact that, in some states, abortions are now a felony with potential jail time will likely cause patient unrest and fear. Even though Justice Kavanaugh’s concurrence in the Dobbs decision suggested that pregnant persons will still have the right to travel out of state to obtain abortion services, there is little clarity or guidance on what data law enforcement may be able to collect, even if the abortion occurred out-of-state. If patient data privacy concerns related to abortion procedures are not addressed, the skepticism and fear may seep into other types of healthcare and further impede the robust sharing of healthcare information.
To that end, the discussions around banning TikTok demonstrate the general concern that user data, including personal health information, may be in the hands of the Chinese Communist Party, which would have far-reaching implications. Like the concerns surrounding abortion, skepticism and fear about what data from social media is being shared, and with whom, decreases consumer/patient willingness to share personal information in ways that may be beneficial to them.
There is already an undeniable overlap between healthcare and social media. One of the risks of conflating the two is that third-party data sharing in the healthcare space may be inadvertently equated with sharing data with social media platforms. For the purposes of sharing data with third parties, even when de-identified, should AstraZeneca, collecting patient information to improve a vaccine, be considered equivalent to TikTok collecting information for advertising purposes?
Much of the current proposed legislation is aimed at increasing data privacy and security. The American Data Privacy and Protection Act (ADPPA), proposed last year, would create additional protections for sensitive data, though data covered under HIPAA is outside its scope. Last month, Democratic senators introduced the Upholding Protections for Health and Online Location Data Privacy Act (UPHOLD), which would give consumers more control over their health data and restrict companies’ ability to collect and/or use data without patient consent. On the other hand, the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009, was intended to address privacy and data security concerns by increasing the civil and criminal penalties associated with HIPAA violations, with the goal of promoting the “adoption and meaningful use of health information technology.”
Despite the continued emphasis on increasing and broadening data privacy rights and consumers’ ability to control how their data is disseminated, it is critical that the importance of sharing health data with relevant third parties not be minimized or vilified. Innovation in healthcare depends on pharmaceutical companies, academic researchers, and others, having access to the most current, comprehensive patient data.