
posted by mrpg on Saturday October 21 2017, @11:50AM
from the getting-to-know-you dept.

Privacy of medical results obtained in a clinical setting is protected in the US by the Health Insurance Portability and Accountability Act (HIPAA). But what about non-clinical medical data gathered by phone apps and wearables such as a FitBit? Not so much. According to a new report, "Rice expert: Be concerned about how apps collect, share health data," your personal health data may be at risk:

As of 2016 there were more than 165,000 health and wellness apps available through the Apple App Store alone. According to Rice University medical media expert Kirsten Ostherr, the Food and Drug Administration (FDA) regulates only a fraction of those. Americans should be concerned about how these apps collect, save and share their personal health data, she said.

On Oct. 26 the U.S. Department of Health and Human Services will host a gathering of national experts to discuss "Data Privacy in the Digital Age." Ostherr, who is a professor of English and director of Rice's Medical Futures Lab, has been doing research on health and medical media for over 20 years, from "old" media like celluloid films used for medical education to "new" media like smartphone apps. She will present "Trust and Privacy in the Ecosystems of User-Generated Health and Medical Data" during a panel discussion.

[...] She said apps that make medical or therapeutic claims are considered a medical device and must go through the FDA procedures for approval and regulation. For some companies, that process is worth the time and effort, because their product could become covered by insurance.

But the vast majority of apps provide "helpful hints" in response to user-entered data, such as ideas for alleviating symptoms of a migraine.

[...] "If your app carefully sidesteps claiming any kind of medical intervention, then it's a health and wellness app and not a medical device — and it is not regulated," Ostherr said.

Regardless of whether an app is regulated, Ostherr said, they are all "capturing tons of personal data, some of which would be classified as personal health information if it were subject to oversight by the Health Insurance Portability and Accountability Act."


  • (Score: 0) by Anonymous Coward on Saturday October 21 2017, @12:12PM (8 children)

    by Anonymous Coward on Saturday October 21 2017, @12:12PM (#585640)

    These experts don't look any further than where their nose stops. It should have been "Rice University Expert: Be Concerned that Apps Collect, Share Health Data"
    "Health data" should not be treated any differently than other 'data' on you. Data is data is data is data.
    If you are going to make money off of it, I want ALL the money you make from it since it is MINE (i.e. without me, this data does not exist or is useless); you also become fully liable if this data is ever used against me and are on the hook for perpetual protection from any misuse(*).

    (*) but of course, you would just close up shop and re-open under a different company... you fucking bastards...

    • (Score: 3, Insightful) by Gaaark on Saturday October 21 2017, @03:08PM (3 children)

      by Gaaark (41) on Saturday October 21 2017, @03:08PM (#585670) Journal

      PLUS:
      could data collected by a 'device' and 'discovered' by your insurance company be construed as a 'pre-existing' condition and your health claim be 'DENIED'!

      'Just sayin' '
      '
      ''
      '''

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 2, Insightful) by Anonymous Coward on Saturday October 21 2017, @03:13PM (2 children)

        by Anonymous Coward on Saturday October 21 2017, @03:13PM (#585674)

        Not yet, but I'm confident they have lawyers working on 'correcting' this right now...

        But, combine this with data never being deleted from the internet and your insurance company 'partnering' with, say, Google to find out whether or not this condition you searched for at time (INSURANCE_START + T1) is something you searched for as well at time (INSURANCE_START - T2) [for a range of T2's], and now we're talking... BAM, circumstantial evidence that the condition is pre-existing... coverage DENIED!

        • (Score: 2) by Gaaark on Saturday October 21 2017, @03:27PM (1 child)

          by Gaaark (41) on Saturday October 21 2017, @03:27PM (#585682) Journal

          Modded you insightful.

          But scary would be what I meant. :/

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
          • (Score: 1, Interesting) by Anonymous Coward on Sunday October 22 2017, @11:51AM

            by Anonymous Coward on Sunday October 22 2017, @11:51AM (#585934)

            do not participate in "employee wellness", especially if they have contests that involve fitness trackers and $150 or so in potential reward money for your willing involvement.

            those tend to have leaky privacy policies

    • (Score: 0) by Anonymous Coward on Sunday October 22 2017, @04:24AM (1 child)

      by Anonymous Coward on Sunday October 22 2017, @04:24AM (#585867)

      To be fair, health insurance is changing to allow charging more for preexisting conditions. Hence it matters more to the users that their insurance rates could go up instead of just getting more poorly targeted marketing aimed at them.

      • (Score: 0) by Anonymous Coward on Monday October 23 2017, @02:06PM

        by Anonymous Coward on Monday October 23 2017, @02:06PM (#586326)

        And thus, it is becoming less of an 'insurance' and more of a savings account where the insurer knows how much they'll have to spend (or will spend) on a single subscriber, thus making it easier for them to project their profit, and ultimately, giving them a way to guarantee and maximize profits... which they will.

    • (Score: 3, Insightful) by Wootery on Sunday October 22 2017, @12:22PM (1 child)

      by Wootery (2341) on Sunday October 22 2017, @12:22PM (#585941)

      "Health data" should not be treated any differently than other 'data' on you. Data is data is data is data.

      No. Medical data is special. It's extremely personal and intimate data, and deserves special protection. We're talking about the real world here, with real consequences. 'Data is data' is meaningless.

      You can't blackmail someone if you find out their favourite colour. You can blackmail someone if you find out their history of STIs and sexual dysfunction.

      • (Score: 0) by Anonymous Coward on Monday October 23 2017, @02:09PM

        by Anonymous Coward on Monday October 23 2017, @02:09PM (#586328)

        You don't know many intelligence officers, do you? You can blackmail anyone with anything. Data IS data is data... But I'll give you a point for 'it is intimate data' though. That being said, I'm an advocate for extending the same protections we reserve for 'intimate data' all the way up to 'some random and innocuous factoid about me'.

  • (Score: 3, Interesting) by Anonymous Coward on Saturday October 21 2017, @08:18PM

    by Anonymous Coward on Saturday October 21 2017, @08:18PM (#585765)

    Doctors' privacy policies are increasingly reserving the right to sell your entire medical record. Of course they're being tricky about it. One policy I read reserved the right to disclose (read: sell) your entire medical record if it was "aggregated or anonymized". Because of the word OR, it could be either and not necessarily both. So for example they could sell your medical record if it was aggregated even if it was not anonymized. Of course aggregated just means they put your record together with somebody else's record. A two for one deal. And when they anonymize it, they just scramble your name. But the entire industry scrambles names the same way, so they just look up the scrambled name in their database to find the real name that scrambles to that value. Another trick is that this particular privacy policy wasn't actually the doctor's main one, but was the policy of the online appointment service that the doctor contracted with.

    Another doctor's privacy policy mentioned they might share your record with their secretaries, billing department, and business associates. But of course anyone can be a business associate if they have some money. Credit card companies say they may share your record with their affiliates. Someone checked it out and found one credit card company had 3000 affiliates.
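
The re-identification risk described in the comment above (names "scrambled" the same way by every party, so a recipient can rebuild the lookup) can be checked by a data holder before release. This is an added example, not part of the original thread; the use of SHA-256, the sample names and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def _normalize(name):
    # Same normalization on both sides, as a shared "scramble" would require.
    return name.strip().lower().encode("utf-8")


def unkeyed_pseudonym(name):
    """Deterministic, unkeyed scramble: anyone can recompute it from a name."""
    return hashlib.sha256(_normalize(name)).hexdigest()


def keyed_pseudonym(name, key):
    """HMAC-SHA256 pseudonym: cannot be recomputed without the holder's key."""
    return hmac.new(key, _normalize(name), hashlib.sha256).hexdigest()


def linkable_tokens(released, known_names, scramble):
    """Released tokens that a recipient can tie to names it already holds."""
    table = {scramble(n): n for n in known_names}
    return {tok: table[tok] for tok in released if tok in table}


# Constructed sample data (not real people).
PATIENTS = ["Alice Example", "Bob Sample", "Carol Placeholder"]
RECIPIENT_KNOWN_NAMES = ["Bob Sample", "Dave Nobody", "Alice Example"]


def audit_release():
    """Return (linkable with unkeyed scramble, linkable with keyed pseudonym)."""
    holder_key = secrets.token_bytes(32)  # never leaves the data holder
    unkeyed = {unkeyed_pseudonym(n) for n in PATIENTS}
    keyed = {keyed_pseudonym(n, holder_key) for n in PATIENTS}
    # The recipient has no key, so the public function is all it can apply.
    weak = linkable_tokens(unkeyed, RECIPIENT_KNOWN_NAMES, unkeyed_pseudonym)
    strong = linkable_tokens(keyed, RECIPIENT_KNOWN_NAMES, unkeyed_pseudonym)
    return len(weak), len(strong)


if __name__ == "__main__":
    print(audit_release())
```

A keyed pseudonym only removes the shared-lookup problem; the remaining fields of a record (dates, ZIP code, diagnoses) can still identify a person and need their own review.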
