Your doctor protects your sensitive health data. But it’s important to check if that app you just downloaded will, too.
We know we shouldn’t, but most of us have clicked “agree” in a hurry to download an app or sign up for a streaming service without reading the user agreement in detail.
And it might seem pretty safe to add an app that promises to help take control of your health through simple things like tracking your steps, measuring your blood pressure or noting your eating and exercise habits. But doctors who appreciate the research potential of incorporating big data into medical care are also warning about the need to manage the risk of exposing such health data while it’s still possible to do so.
That’s because the average patient probably has no idea about the complex rules around what happens to their sensitive health data when it is collected by apps. For instance, a 2019 study found 19 out of 24 health-related apps studied shared their users’ data. Patient privacy laws preclude providers from sharing information, but the commercially available apps used to collect it don’t necessarily have to follow HIPAA, the law that governs the privacy of health information.
“Some health data shared with a physician in the context of a health-related interaction is protected, but in a different context that same data is not protected,” says Jessica Golbus, M.D., a cardiovascular medicine fellow at the Michigan Medicine Frankel Cardiovascular Center. “The way the U.S. addresses health data focuses on who is using the data, but not the data itself.”
This lack of protection could lead to people’s sensitive data becoming available to unscrupulous third parties with sales interests, or those making decisions about life or disability insurance or employment, she says.
“One of the biggest areas of growth in medicine involves big data studies that use mobile technologies like our smartphones. We are really excited about these studies changing the way we deliver care, and we know our patients are excited about them too. But these studies may lead to generation of large amounts of digital data, which may be used outside the research setting in ways we don’t foresee,” Golbus says.
She authored a new perspective to highlight these consequences, published in Circulation, with two members of the University of Michigan’s Institute for Healthcare Policy & Innovation: Brahmajee Nallamothu, M.D., MPH, also with the Frankel CVC, and W. Nicholson Price II, J.D., Ph.D., also with the U-M Law School.
Benefits outweigh risks – so far
Imagine getting a text message on a sunny day to remind you to go for a walk if you’re trying to keep up your momentum after cardiac rehab, or a notification popping up with a sleep tip if your smartwatch finds you haven’t gotten enough ZZZ’s this week. Without advanced consumer devices that allow for data collection and synthesis, these kinds of interactions would still be a faraway dream. But these interventions are already here, or just around the corner.
And they have the potential to help patients better manage their own health, the authors believe.
“We’re learning how to leverage digital technology, like smartphones and wearables, to engage patients in their health, improve remote monitoring of health conditions and potentially deliver targeted interventions outside of the clinic appointment,” Golbus says.
The authors say they don’t want to scare patients or providers away from embracing these potential improvements to research and patient care, because the benefits presently outweigh the risks. However, the risks of commercial exploitation and privacy harms should be addressed, they write.
“We simply think it’s important to make sure providers who are encouraging their patients to use this technology are also able to have conversations with their patients about data privacy,” Golbus says.
The need for education and policy considerations
Golbus and colleagues suggest addressing two areas: provider education and policy considerations. This, they believe, would help researchers continue to harness more data than they’ve ever had access to before to improve health and disease prevention and treatment, while also protecting their patients’ privacy.
“It could be helpful for patients to provide doctors with their heart rate and blood pressure measurements collected using wearable devices,” co-author Nallamothu added. “But this means we have a responsibility to educate patients and ourselves about potential downstream uses of that data.”
This is a problem that will be difficult for consumers to solve on their own, the authors say.
As in many other commercial areas, data are being collected at large scale with little understanding by the public. Beyond the need for health care providers to learn about and raise awareness of the risks of using commercially available applications, the authors say the government should also ensure better protection of consumer data.
The responsibility shouldn’t be placed only on the shoulders of consumers, who are left to worry about whom they’ve consented to share data with, they write.
“The U.S. is living in the past with regard to data protection,” co-author Price says. “We’ve got privacy law from a world where health data means what your doctor writes in your medical chart. We’re not in that world anymore. The law needs to change.”
Paper cited: “Privacy Gaps for Digital Cardiology Data,” Circulation. DOI: 10.1161/CIRCULATIONAHA.119.044966