What HIPAA doesn't cover

Data brokers continue to mine consumer health data
By Erin McCann
10:58 AM
Sure, HIPAA adds a layer of privacy protection for certain health data -- if organizations actually comply with it -- but there remains myriad avenues of mining health data and selling to the highest bidder that do not fall under the purview of HIPAA's privacy and security rules. And they may surprise you. 
Anything from what health data one Googles, to what medical products you purchase through online retailers are fair game for data brokers. What's more, these companies are not liable under HIPAA and are able, without an individual's consent, to track and collect health data for various purposes, says a new July report from the California Healthcare Foundation
Often unknown by consumers, data elements including Googling for health data; using medical-related social networks; purchasing health products through online retailers; entering retail store preferences and locations into smartphones; or even buying any item related to health like fast food and cigarettes, can all be tracked. 
"Even consumer footprints that are not expressly about health can be used to help determine a person's physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the week -- this information is relatively easy to purchase by third parties," wrote Jane Sarasohn-Kahn, health economist and author of the report. 
Sarasohn-Kahn pointed to a 2014 report from 60 Minutes covered by Tim Sparapani, former director of public policy for Facebook, in which he said, "You can buy from any number of data brokers, by malady, the list of individuals in America who are afflicted with a particular disease or condition."
Sure, oftentimes these data elements are collected and tracked not for malevolent purposes but rather for improving clinical outcomes and reducing costs. The report cites data mining as integral in bettering clinical trials and managing chronic disease for instance. One particular instance included designing a recruitment strategy for a Hepatitis C vaccine trial, where they located patient influencers on Twitter, contacted them and asked them to publicize the vaccine trial. 
However, even with these seemingly positive end goals, many individuals and stakeholders have expressed concern over privacy rights and the current lack of transparency.  
Even the Federal Trade Commission has expressed concern over the unfettered access these data brokers have to consumer health information, without the consumer's consent. 
In a May report, FTC underscored the practices of nine data brokers and revealed that most consumers are unaware these brokers are collecting data. Just one of the data brokers in the report, Acxiom, had more than 3,000 data segments for nearly every U.S. consumer. 
"To close these gaps, I urge Congress to consider legislation provisions – in addition to the provisions recommended by the Commission – that would create greater accountability for data supplies, data brokers and data broker clients," wrote FTC Commissioner Julie Brill in a May 27 statement to Congress.
Sarasohn-Kahn underlined several recommendations put forth by stakeholders on how to properly balance data sharing with consumers' privacy rights: 
  • Help people gain control. For some stakeholders, this means getting consent from consumers. And for others, consent fails to offer "meaningful protections."
  • Simplify the fragmented regulatory environment.
  • Consider personal health data locker and clouds.