What types of health data are protected? What types are not?

Whenever you go to your doctor, a hospital or clinic, or a pharmacy, they collect a lot of different types of data about you. 

  • They collect administrative and financial data like where you live and how you pay for services.
  • They also collect a lot of data about your health. For example, they normally collect information about your health and treatment history and have access to your test results. In the event you are admitted to a hospital, they will continuously collect data on your health stats. All of this information forms part of your health or medical record. 

First and foremost, this data is collected so that the doctor, pharmacist, or other healthcare professional can provide you with appropriate care. The data is also used by insurance companies to help you pay for your care. However, some of this data is also used for reasons beyond your individual care – to improve overall health outcomes. 

In the United States, there are some legal safeguards in place that protect your data to a certain degree. Most of these safeguards come from the Health Insurance Portability and Accountability Act of 1996 – often known as ‘HIPAA’. HIPAA applies to ‘covered entities’: health plans, health care clearinghouses, and health care providers (doctors, clinics, hospitals, nursing homes and so on) that conduct certain transactions electronically. Covered entities are required by HIPAA to take specific steps to protect your data, and the information they hold about you is known as ‘protected health information’ (PHI).  

Generally, your health data cannot be used by healthcare providers for reasons that are not directly related to your care without your permission. For example, your doctor cannot share your health records with your employer or with marketers and advertisers without your written authorization. However, your data can be used without your permission for treatment, payment, and ‘health care operations’. This means that a provider can share your data with another company that supports its operations. For example, your provider might need to share data with an accounting firm or a third party administrator who helps process claims. These companies are called ‘business associates’, and they have to sign a contract with the provider and comply with certain provisions of HIPAA themselves. Some companies or people may incidentally come across your protected health information but are not required to comply with HIPAA. These include janitorial services, electricians, and postal or courier companies that merely transport records without looking at them. 

Please remember that providers do not have to obtain your permission to share your information with public health authorities for public health purposes, such as reporting a communicable disease. During an outbreak like that of COVID-19, for example, providers can share your information with public health authorities even without your permission.  

Is data collected for the purpose of monitoring my health outside of a healthcare facility also protected?

In addition to clinical data, providers often encourage or require patients or their caregivers to monitor their health and record data through an electronic journal. This can include your health and treatment history, records of your symptoms, biometric data, and more. Once you share such information with your provider and it becomes part of your medical record, the provider is legally bound to protect it in the same way as data collected in a clinical setting. Note that this protection attaches to the provider’s copy: the app or device you used to record the data is not itself covered by HIPAA unless it is offered by or on behalf of your provider (see the section on wearables below). 

Is the data that I provide to genetic testing companies like 23andme protected?

Companies like 23andme, Ancestry.com, and MyHeritage collect your ‘genomic data’, which can include everything from full DNA sequences to individual DNA variants. This data is considered highly sensitive. However, these companies are not covered entities or business associates under HIPAA, so HIPAA’s limits on how your data may be used and disclosed do not apply to them. What they can do with your data is governed largely by the privacy policy and terms of service you agree to when you sign up. 

What risks do I expose myself to when providing data to genetic testing companies?

Genetic testing companies routinely emphasize the value of their diagnostic capabilities and their ability to identify rare conditions. These marketing messages may make consumers more willing to provide their DNA to these companies. However, you may find that genomics companies provide less information and cover fewer genetic risks than you anticipated, or provide information without fully explaining it. For example, a consumer may believe that she will never develop breast cancer because she has tested negative for a specific mutation, even though she may still be at risk for breast cancer from other causes.

The Genetic Information Nondiscrimination Act (GINA) prohibits discrimination by employers and health insurers based on an individual’s genetic information. It does not, however, cover life, disability, or long-term care insurance. You should also remember that genomic data does not just impact you. Your family members share genetic similarities with you, and federal rules and regulations, including HIPAA, do not address the risks posed to relatives when you share your genetic data. 

Genetic data has already been used in criminal cases to identify suspects through relatives who had provided DNA samples to commercial companies. In the same way, your genetic data can be used to trace your blood relatives, even though those relatives never consented to being tested.

Is the data collected by mobile health or wearables companies like Fitbit protected?

No. Currently the data generated by you and collected by IoT and mobile health devices that you buy and use on your own is not protected under HIPAA. This is because consumer-generated data are typically collected by technology companies that are neither covered entities nor their business associates. Companies like Fitbit operate independently of healthcare providers and payers and are therefore not covered. The picture changes only if a device or app is provided to you by, or under contract with, your provider or health plan: in that case the vendor may be a business associate and HIPAA may apply to the data it handles on the provider’s behalf. 

What risks do I expose myself to when providing data to these companies?

Since many mobile health companies are not covered entities or business associates under HIPAA, they are not bound by HIPAA’s obligations to protect your data. There are already documented instances of such companies releasing consumer-generated data to companies like Facebook and Google. 

Mobile health companies do not necessarily follow the general principle of ‘data minimization’: collecting and using only as much data as is needed for a particular purpose. Because of this, consumer-generated health data often includes unnecessary personal details. This data may have no bearing on your health, but it can be very valuable to third party companies. For example, many smartphone apps and other digital health devices have location-sharing built into their functionality. Third parties can use that location data for targeted advertising and other purposes that are unrelated to the original purpose of the app.

How is my data protected if I participate in clinical research?

Your data can be used for clinical research in several ways: 

  • when your healthcare provider or payer shares your data with a company or research institute conducting clinical research;
  • when you participate directly in a clinical trial or research program; or
  • when you provide your data to a patient registry. 

Pharmaceutical companies, government agencies, academic institutions, charities, and other organisations who sponsor and conduct clinical research often obtain data from your healthcare providers. As a rule, providers must get your written authorization before they share identifiable data for research. But there are exceptions. A provider can share a ‘limited data set’ without your authorization under a ‘data use agreement’ with the researcher; a limited data set has direct identifiers such as names and addresses removed but can still contain dates (such as admission or birth dates) and ZIP codes. A provider can also share data that has been ‘de-identified’. HIPAA allows this in two ways: removing a defined list of identifiers (names, addresses, dates, phone numbers, record numbers, and so on), or obtaining a formal expert determination that the risk of re-identifying anyone is very small. Once data is de-identified, it is no longer protected health information and HIPAA’s restrictions no longer apply to it. 

While no single method can ensure that your data is shared without any risk, many healthcare providers take multiple steps to protect your data. Some basic procedures include sharing data only in connection with ‘approved’ research proposals and sharing data in a secure manner under a data use agreement. It is worth understanding the procedures your particular healthcare provider has in place for data sharing. 

When you participate directly in a clinical trial, the researchers themselves are required to follow the rules issued under the Common Rule (for federally funded or supported research) or the equivalent FDA regulations (for trials of drugs and devices). They are required by law to obtain your informed consent, and the research must be reviewed and approved in advance by an ‘institutional review board’ (IRB), which also monitors it while it runs. The IRB reviews how the researcher obtains your consent and what the consent form says about your data. If the participant is a child, the IRB applies more stringent requirements: a parent or guardian must give permission, and the child must generally assent as well. Many IRBs have developed standard language or formats to be used in consent documents. It is important to review the fine print in these forms if you are concerned about how your data is shared. Once your data is part of a clinical trial, and depending on the terms of the consent you have given, it can then be shared with other researchers.