
Who owns digital health data? HIPAA privacy myths may put women at risk

Under the current abortion climate, it’s crucial for women to better understand who controls their digital health footprint and whether their privacy is fully protected. (Photo credit: “EMT/Nursing Pediatric Emergency Simulation – April 2013 1” by COD Newsroom is licensed under CC BY 2.0.)

For women, privacy and control over health information has never been more important, as the U.S. continues its abortion access fight and as some states criminalize the procedure. But beyond the political debate, knowledge gaps on the actual protections for and control of digital health data may lead to severe consequences.

Several reports within the last few months have furthered these digital health privacy concerns, including two showing Facebook’s Pixel tool allegedly scraping hospital data. The Novant Health ACE breach notice that soon followed the report seemed to confirm the dubious practices as 1.4 million patients were told of an “unintended disclosure” via the Meta tool.

During the same time period, reports out of Nebraska showed Facebook was issued a subpoena compelling it to release private communications to law enforcement over illegal abortion claims against a 41-year-old woman and her daughter.

Kayte Spector-Bagdady, JD, an associate director at the University of Michigan Medical School’s Center for Bioethics and Social Sciences in Medicine, says it’s the latter scenario that should be of prime concern to women under the current abortion climate, in combination with misconceptions about digital health control and privacy.


Spector-Bagdady is a clinical ethicist and leads in other academic roles. She was also the former associate director for the Obama administration’s presidential Commission for the Study of Bioethics. She mused, “this is the moment.”

The Facebook scenarios bring up several different regulatory regimes. While Spector-Bagdady has no personal knowledge of the report on the company’s alleged data scraping, if appointment information, health concerns, and personal names were indeed pulled by the app, it could be a violation of the Health Insurance Portability and Accountability Act.

HIPAA regulates identifying data like names combined with health information, like the kind of appointment you need. She added that in a traditional sense it “should indeed be protected by HIPAA.”

In light of these reports, extensive nuances, and the criminalization of abortion in some states, SC Media spoke with Spector-Bagdady on the current state of digital health privacy and controls to debunk key myths and find ways to protect providers and their patients.

Who is in control of consumer health data?

Those in healthcare are keenly aware of the limitations of HIPAA: that it only applies to specific covered entities and business associates and its outdated nature limits its controls over consumer-generated data and health app developers.

Meanwhile, the COVID-19 national emergency revealed the chasm between privacy perceptions around health data and actuality. Consumers tend to believe they have more control over their own health information than they actually do, said Spector-Bagdady. “Health information is only protected by federal law under very narrow and specific circumstances.”


For example, when stores were asking people to present their vaccination card before entering, people were concerned about their HIPAA rights. But it clearly wasn’t a violation, as the rule applies only to healthcare entities, not to private businesses or anyone else.

In addition, if the health data lacks some very specific identifying information, like the full name or Social Security number, the information “can be shared pretty freely.” Spector-Bagdady stressed that HIPAA’s main protection is for clinical information. 

“Even our de-identified clinical information doesn't have HIPAA protection,” she said. De-identified data is still defined by the regulation, which was drafted in the 1990s. As a result, it “doesn't at all govern commercial gathering or use of health information or health proxy information. 

“There are almost no protections under HIPAA or any other data privacy regulation in the U.S. to protect against a state law enforcement, subpoenaing, or discovery requests or any other kind of law enforcement technique to gather information because there are huge exceptions in HIPAA for criminal law enforcement requests,” Spector-Bagdady continued.

These myths around how health information is protected may lead consumers to share more information than they intended. These misconceptions and the gaps in HIPAA raise numerous privacy and safety red flags and put women, and perhaps providers, at risk of legal action in states where the practice has been criminalized.

Users creating inadvertent healthcare digital footprint

To Spector-Bagdady, there are two big data issues people don’t understand: the data mosaic and how much health proxy data they're leaving behind as they go through their day-to-day activities. 

For example, someone visits their local pharmacy and uses their pharmacy discount card or credit card every time they check out, buying tampons at the same time every month, and one month they buy a pregnancy test and no tampons. If they start buying tampons again two months later, that’s likely “health proxy information that can be discoverable and used against them in a criminal case.”

The data mosaic refers to people feeling able to share their personal information on Facebook, professional information on Twitter, or information about who they want to date on Tinder. “People aren't thinking about these companies that are gathering all of those data together, which paints a much more complete picture of people,” she explained. People need to know not to “rely on private companies to protect information they feel is personal.”

“You should never trust that a conversation you have on Facebook or a conversation that you have in the direct messages of Twitter to be ultimately completely private,” said Spector-Bagdady. “Disconcertingly in the space, even when you're talking to your doctor, if what you're talking about is criminal in your state: they can still attempt to discover those conversations.”

Further, it’s become increasingly clear that there are many ways to identify data that has been “de-identified” under the HIPAA standard. “For example, if somebody has my geolocation data, I am the only person on the face of the earth that goes from my house to my office and back every single day,” said Spector-Bagdady. 

When geolocation data is combined with other kinds of data shared on the device, like weight tracking, and added to other geolocation data, “like visiting an abortion clinic, you suddenly get a very vivid picture, not only of who I am as a person, but some health information about me.”

This precise scenario has driven several congressional investigations and proposals, as well as legal actions by the FTC against data brokers allegedly selling health information.

A classic example of this is period tracker apps. People put in information about when they have sexual intercourse, when they have their period, when they don't have their period, how they're feeling, she explained. Past exposés have shown that some of those period tracker apps, at least at some point in time, were sharing that data directly with Facebook.

That kind of information and data sharing can reveal really personal information, like when you were not pregnant, when you stopped having your period and then when you started having your period again.

“We haven't traditionally identified that as sort of HIPAA-protected, abortion care-related information. But states that are criminalizing performance of or access to an abortion can then use those data to support criminal allegations,” said Spector-Bagdady.

Can companies share health data?

The reports on the law enforcement actions in Nebraska spotlight data control concerns, where Facebook was compelled to share private messages between a mother and a daughter with criminal law enforcement.

Spector-Bagdady notes it’s a completely different situation from simply scraping data or tracking geolocation data to build user profiles because it’s “in the world of commercial health information.” The reports centered on “health proxy information,” not records held by a doctor, but a person “talking about their health information in what is an assumed private conversation.”

“There are many exceptions to any sort of privacy when law enforcement requests those records,” said Spector-Bagdady. “To some extent, it's almost up to the private companies with how much they're going to fight against those subpoenas and requests for information.”

While she does not have personal knowledge about Facebook’s relationship with law enforcement and what legally occurred, there are companies that have “been very clearly aggressive in pushing against that kind of warrant for information.”

Similar issues arose years ago, when the FBI asked Apple to unlock a phone of the suspected San Bernardino killer. In more recent years, it’s an issue 23andMe has been quite public about: sharing how frequently law enforcement requests data from them and how many times they've actually been forced to give the data to them after fighting.

Protecting healthcare providers and their patients

Consumers need to be better aware of the current state of data, privacy, and control. As Spector-Bagdady notes, “people see things like Facebook and Twitter as a public forum or even a private place to have personal conversations, and they're owned by private companies.”

“There are all these exceptions that people just don't even realize,” she added.

A June JAMA article written by Spector-Bagdady and Michelle Mello, a leading empirical health law scholar with a joint appointment at the Stanford University School of Medicine in the Department of Medicine, outlines the importance of clinicians speaking with patients about online privacy, particularly when it comes to reproductive health and in the current climate.

Spector-Bagdady stressed, though, that “we always put so much on our first-line practitioners.”

However, in states where abortion has been criminalized, “it's critical for clinicians to be having that discussion. It’s also time to remind clinicians not to record unnecessary medical information” as there is a lot of information shared, some of which could be extraneous.

“This is a place we should revisit: what actually needs to be written down in the medical record, such that we can take good continuous care of a patient over the long term, versus what is speculation and potentially not necessary or helpful for that patient,” she added.

For clinicians, currently stuck in this untenable situation, Spector-Bagdady stressed the importance of relying on phone calls for those complicated conversations, as they “can’t be discovered.”

Email is one of those challenging areas, particularly as people may use work email as a private email, which is owned by their employer — including the information stored in the account. And “even if you're using personal devices or personal email, if you are subject to the Freedom of Information Act because you're a publicly funded institution, you are subject to state laws.”

These are important elements for clinicians to consider around data, but there are obvious concerns held by Spector-Bagdady and others for states where abortion is now considered a crime. The Emergency Medical Treatment and Active Labor Act (EMTALA) adds another complication for providers, where they must stabilize patients even if that includes abortion care and in a state where abortion is potentially criminalized. 

“The hospital is looking at civil liability from the feds, and the clinician is looking at criminal liability from the state,” said Spector-Bagdady. “But unlike civil liability, my hospital can't go to jail for me. My hospital can say, ‘do the right thing, and if you get sued, we'll protect you and pay civil penalties’ but the hospital can’t go to jail for someone.”

“Clinicians are being put in these horrific positions where they might actually be in a moment where they have to decide whether to potentially provide life-saving abortion care when they might risk being charged with criminal effects,” said Spector-Bagdady. “That's not our clinicians’ burden to bear. That is the fault of our court system and our legislators.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
