All Our Data is Health Data.
And the Tech Companies have it all.
Authors: Mona Sobhani, PhD & Leslie Saxon, MD
NOTE: My conversation with NYT reporter Charlie Warzel about this article can be found here.
LAS VEGAS — At this week’s Black Hat Conference, the annual computer hacker confab, hacker after hacker described the ubiquity of data and the growing vulnerability of our institutions and lives. Along with participating on a health data panel, we spoke with numerous hackers, many of whom are taking a keen interest in health data. Hackers can now infiltrate medical systems and write malware targeting medical data, creating serious risks for your health insurance, for receiving proper treatment, and for keeping your most intimate secrets under your control. Your health data used to be incredibly difficult to obtain and organize, but consumer and medical devices have created a world in which 24/7 monitoring of your health data is readily available, and also readily hackable.
Complete health data from a person’s life are essential to understanding all the diverse factors that influence health and can reveal undiscovered insights about disease. Consider Parkinson’s, a disease that causes changes in a person’s movement, cognition, and sleep. Disease progression differs for every patient and cannot be reliably predicted, and there is no cure. But new research shows that passively collected smartphone data can distinguish patients with Parkinson’s disease with extremely high accuracy, and that with more data there is potential to identify preclinical markers as well as markers of disease progression. Earlier treatment and prevention could be within reach.
This extremely valuable data is in the possession of Silicon Valley tech giants such as Google and Facebook, strange as that may seem. The tech companies hold the most comprehensive population datasets ever created and can already predict and influence behavior with creepy accuracy, a terrifying reality exemplified by the influence of Facebook and Cambridge Analytica on the 2016 US elections. Now the tech companies are beginning to tie their existing datasets to concrete medical outcomes through research partnerships with health systems and universities, without patient consent. This will likely reveal the deepest insights yet into human health. But why should the tech companies have it?
We have passively allowed the tech companies to acquire our data and to use it against us. We cannot let this happen with health data. It’s time to shed any remaining naïveté about the intentions and capabilities of the tech companies and to demand consumers are put first. The tech companies need to hand over health data to the public.
Just how Silicon Valley tech companies came to have data that could be used for health purposes might require a conceptual redefining of what health data is. The traditional definition of Protected Health Information, or PHI, under the Health Insurance Portability and Accountability Act (HIPAA), the federal law that protects the privacy and security of health care data, is information about a person that relates to their past, present, or future physical or mental health condition. Tech companies know where you live, how many hours you work, your income, the size of your social support network, your race, your hobbies, and more — all of which are “social determinants of health”.
Social determinants of health are a broad range of personal, social, economic, and environmental factors that determine individual and population health. The World Health Organization (WHO) estimates that these factors drive between 80 and 90 percent of health outcomes. For example, zip code is a good predictor of life expectancy. Sure, these estimates of health outcomes are odds-based, but so are health predictions based on genetic data. So, much of our information on the tech platforms is PHI that can predict our health outcomes.
But that’s not all the tech companies have. In addition to these personal life facts, they have your health behavior data because you use their platforms. They know, for example, how much you sleep, what you buy (medical or otherwise), your medical search history, your membership in patient groups on social networks, and more. With all that aggregated health data, the tech companies can derive striking health insights in real time. Your status updates can be used to predict your mental health status, your Facebook likes can predict alcohol use, and your keyboard typing patterns can reveal your emotions.
What are the companies doing with these innumerable health insights? One notable example is Facebook’s AI-driven suicide predictions, which result in police wellness checks being dispatched to users’ residences. Will Facebook or Google dispatch medical personnel to your workplace before you know there is a health problem? Will a public report be released explaining how the life-saving predictions were made? The evidence is strong that tech platforms can modify behavior, both for the tech companies themselves and for any interested customer, as exemplified in this recent piece. What is to stop someone from influencing a person’s health behavior in a harmful way?
Where the PHI and health insights are going, and how secure they are, is an important, unanswered question. The high value of PHI is reflected in the prices it commands on the black market and in the special protections it receives under HIPAA. HIPAA-regulated companies must abide by enhanced data security standards, as well as privacy standards that specify to whom, and for what purposes, a covered entity may disclose PHI.
The problem is that HIPAA applies only to certain types of data and to certain healthcare organizations. It provides no protection against tech companies using or sharing PHI, because they are not considered healthcare organizations.
The federal government is making some moves against the tech companies and their unsavory data practices, although none fully protect all PHI. Most recently, the settlement between the FTC and Facebook over its privacy violations identifies fourteen types of personal information as “protected information”. The list overlaps substantially with HIPAA (with the notable addition of biometric data), but much data is left unprotected. And rather than imposing HIPAA-level privacy and security restrictions, the terms only require Facebook to indicate the intended use of the data; Facebook can still use and monetize the data as it likes. A recent bill proposing to bridge the privacy and security gaps for health data at non-HIPAA companies falls short because it would apply only to tech companies with a substantial purpose of collecting or using PHI. That means companies like Google and Facebook, which do not explicitly state this purpose, would be exempt. The bill’s definition of PHI is also identical to HIPAA’s, so it does not encompass any of the social determinants of health.
No entity has ever had access to such rich human health and behavior data. It is hard to imagine that health data will not be used to manipulate, control, or harm the public, as other data has been. It’s time the tech companies stopped profiting from insights into our data, especially before the full potential of health data is realized. While data use, security, and privacy regulations play out at the federal and state levels, the public has a right to its PHI and any derived insights. Turning PHI over to individuals would also keep with the traditions of research, where participation is strictly voluntary. The public could then decide to donate or sell their data for research, potentially saving national research institutes the enormous sums now spent on duplicative and far smaller research efforts. We are in a time of reckoning. The decisions we make now will have a major impact on healthcare, and on our personal health lives.