On November 2, the American Hospital Association filed a federal lawsuit in Texas against the Biden administration over civil rights regulations that prevent hospitals from selling their online health tracking data through third-party trackers to Big Tech, insurance companies, and vendors.
Telehealth has become increasingly popular since the COVID-19 outbreak, and more Americans are seeking care online through hospital systems. The Health Insurance Portability and Accountability Act (HIPAA) prohibits doctors and clinics from revealing any information about a patient’s health from their electronic medical records (medical charts). Patients would be surprised to learn that over 98 percent use third-party tracking for data sales, including searches on a hospital website and the ability to track patient location.
Information about a person’s health can be very valuable to those who can sell it to medical service providers in a particular area. The data can be used for other purposes, such as connecting patients to products and services they may want to purchase. Insurance companies or employers may use a person’s searches to diagnose a condition and flag them as a risk. Treatments offered to a patient as a result of selling their searches could actually conflict with their doctor’s treatment plan.
This rare example of patient protection should be credited to the Biden administration (even if it is only half-credit). They do not get full credit, however, because they are pursuing the wrong side. Big Tech’s insatiable desire for our personal data to grow is the root cause of this problem. They, not hospitals, should be held accountable for their efforts to circumvent HIPAA. This does not relieve hospitals of their duty to safeguard data, but it does recognize where the money comes from.
Imagine you are having a telehealth session with a counselor to deal with anxiety. Logging into the secure portal on the website of the health system is required to make the appointment. After logging out, you search for “psychotropic effects,” “bipolar diagnoses,” and “hospice” on the website of the health system. You then go to a psychiatric facility. The hospital was able to track and sell your data until the Biden administration’s 2022 rule. Your tracking could reveal as much information (and possibly much more) as your medical record. The Texas lawsuit would remove that restriction.
Patients are right to assume that their data will not be sold if they leave the password-protected section of the website to find out about their condition and to arrange for care.
The line between HIPAA-protected data and data that was “up for grabs” became blurrier when COVID-19 was declared an emergency, and restrictions were loosened to allow more people access to care via telehealth. Telehealth was a success in the pandemic, and many states have continued to ease restrictions on virtual care. The legal sale of medical information is also a possibility.
AHA and Big Tech claim that it is done simply to improve user experience through tailoring services to search. The AHA says that they sell this ability only to provide “bus schedules and driving directions from or to a community member’s location.”
In 2021, Mass General Brigham and Dana-Farber Cancer Institute agreed to pay $18 million in a settlement with patients who claimed their privacy had been violated. Plaintiffs claimed that the hospitals used third-party tracking tools, including cookies and tracking pixels, without consent. There was no hacking or breach of HIPAA-protected information in patients’ charts. Costco has also been sued for selling customer search data and “highly sensitive medical information” via the pharmacy.
Big Tech’s intrusion into the data of hospitals and their patients is a threat to both. States need to protect patient data and get ahead of the federal fight.