Terms and Conditions Apply: A 30,000 ft view of data security and privacy in digital health

Google is beginning to use artificial intelligence and machine learning to predict when you’re going to get sick.

But how?

Because the user has become king. Over the course of the past decade, by generating and sharing data, companies like Uber, AirBnB, and online dating platforms like Bumble and Tinder have been able to delight users like never before — and even to anticipate needs and wants before the users themselves become aware of them.

Health care has seen a similar tidal shift in the amount of data being generated; however, unlike other industries, how that data has been used has been dramatically tempered due to the unique characteristics of personal health data. That is, we’re creating and sitting on an unprecedented amount of data, but we’re just beginning to figure out how to navigate issues pertaining to the handling of that data, especially when it comes to security and privacy.


There is a need to more clearly define the role of user-generated health data in commercial and scientific contexts. Setting out detailed guidelines for handling this data is not only in the best interest of the individual user creating all this health data about themselves, but also for mobile and digital health organizations that must remain compliant with security and privacy regulations (like HIPAA, which we return to below) and maintain trust with their consumer/patient base. The credibility of a health-related app is almost unquestionably tied to the quality and security of the data which it collects.

A Wealth of New Information

Patients and members of the general public have begun providing fountains of data about health and disease (Sarasohn-Kahn, 2014). Proponents of the ‘Quantified Self’ and ‘e-patient’ movements (Ferguson et al., 2007; Nafus and Sherman, 2014) often see self-monitoring tools as a democratizing force that is reshaping the doctor-patient relationship, which has for so long been deeply characterized by information asymmetry between the two parties.

Smartphones and wearables like Fitbits and Apple Watches provide valuable longitudinal datasets from “in the wild” — meaning enormous amounts of data are being collected as people carry out their daily lives, an important shift away from traditional, hyper-controlled lab settings. Gathering this sort of data also offers greater contextual clues that can reveal more robust relationships and interactions, as well as the opportunity (though not without difficulty) to cross-pollinate data across previously siloed disciplines.

Tapping Into the Opportunity

While user-driven data collection through downloadable apps and wearables circumvents a lot of the logistical issues involved in health care research, the issue has now become how to integrate and share this external information with researchers and health care providers who can provide expertise and potentially incredibly valuable insights.

Essentially, the question is, how do we merge silos of information (e.g. user-generated information with other contextual datasets or clinically-derived data) and how do we keep the data secure when it is being transferred and stored?

User-generated health data from wearables, apps, and other devices is not easily integrated into clinical contexts (Chung and Basch, 2015; Luxton et al., 2012). What this means is that, in general, users cannot bring their Fitbit data to their primary care physician with the intention of getting personalized recommendations based on those data. That being said, health care professionals can still ‘prescribe’ the use of digital health tools, even if the merging of the data generated by the device with the user’s electronic health record is almost impossible at the moment.


As a result, the evolution in health data currently taking place is highlighting a significant distinction between clinical and non-clinical domains. At the moment, we have a defined set of rules for how to manage clinically-oriented data, which we explore in the section below; however, how to handle data gathered by users themselves, and, further, how to merge these disparate data sources remains less clear.

Rules and Regulations

Let’s break this down.

At the moment we’re dealing with a patchwork of regulations on data privacy and security. Standards and guidelines may have to do with for whom the data is being gathered (e.g. a health provider or insurance company), the type of individual from whom the data is being collected (e.g. a minor or someone requiring a surrogate decision maker), and the nature of the data being collected (e.g. financial, medical, location-based).

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all personal data — regardless of whether it is health-related. Essentially, as described by Jesse Locke from Server Cloud Canada, “once an organization collects data, regardless of the province, industry, or the type, that…organization is now fully accountable and responsible for the protection of said data.”

Importantly, PIPEDA regulations are not standardized across every province and each province has the ability to enforce its own set of standards so long as they are “substantially similar” to those set out by PIPEDA. For instance, with the exception of British Columbia and Nova Scotia, all Canadian provinces can host their data on servers in the United States. British Columbia and Nova Scotia, however, do not allow data to be stored in the US, even if the data is encrypted.

PIPEDA is similar in many ways to the Health Insurance Portability and Accountability Act (HIPAA) in the United States, though HIPAA pertains specifically to health information. HIPAA covers any personally identifiable information that is created or received by a “health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse” and relates to past, present, and future health conditions, treatments, or payments. Demographics qualify as a subset of identifiable health information.

Under HIPAA, “covered entities” (i.e. anyone providing treatment, payment, and operations in healthcare) and business associates (i.e. anyone who has access to patient information and provides support in treatment, payment, or operations) are responsible for maintaining the privacy of the individual’s data and ensuring the data is secure. In particular, the HIPAA Privacy Rule applies to all forms of protected health information, including information that has been shared electronically, in writing, or orally.

Importantly, though regulations like HIPAA and PIPEDA are in place to reduce the potential for data breaches, breaches still occur. Unfortunately, legal experts and data scientists have noted that data privacy is virtually impossible to guarantee (Ohm, 2010; Pasquale and Ragone, 2014). Moreover, as an interview conducted by FierceHealthcare notes, understanding and complying with the existing laws in the context of today’s digital landscape is challenging, if not nearly impossible.

How Perceptions of Privacy and Security Affect Adoption

Do concerns about data privacy and security deter individuals from adopting digital health tools? The evidence is mixed and seems to depend on who is being asked and in what context. For instance, when asked, existing users of wearables or health apps are likely to say that security and privacy concerns do not have a deleterious effect on their use of digital health products. Moreover, depending on the research context — e.g. in a survey or in an interview — respondents may feel that security and privacy worries are valid (which they are) and are concerns they can readily articulate to the researcher.


Depending on the consumer, and on whether or not they are the ones seeking out digital health tools (versus being recommended or required to use them — e.g. through clinical initiatives), their interest may be geared more towards the potential health benefits than towards privacy. Not only may interest in using digital health tools differ between users; an important factor to consider is users’ perceptions of the intent behind data collection. While some research has shown that people “strongly agree” that maintaining privacy and confidentiality in their everyday activities is important, other studies have found that very few individuals held concerns relating to how their data was being handled. In particular, users have been shown to assume that corporations, like Apple, automatically collect data with the intention of further refining and improving services and devices, without carefully considering the ramifications of how their own individual data might be shared.

On the other hand, users may not feel that the institutions collecting their data are quite so innocuous when data is collected specifically for research purposes — as is the case in clinical settings. Researchers and data scientists can encounter recruiting difficulties when an emphasis on users’ data privacy and security is in the foreground (Ostherr et al., 2017). It may be the case that people consider themselves to be somewhat more anonymous when they are the ones opting in to using a device or app, in contrast to being recruited into a trial or research program.

Do You Agree?

Turow et al. (2015) refer to “the tradeoff fallacy” — the fact that users may believe it’s impossible to limit access to their data and that sharing their data is seemingly inevitable. A growing body of research is documenting this nonchalance towards data privacy when it comes to agreeing to terms and conditions. Researchers have found that almost half of surveyed respondents agree to terms and conditions because of the length of the document. Other factors, including legal terminology, also play a role in accepting the terms set out. Ryan Calo, a legal scholar at the University of Washington, uses the term “digital market manipulation” to refer to the cognitive overload users experience when they come across these lengthy, complex documents used by data-gathering parties.


It may come as a surprise to many users to learn that wearable technology companies like Fitbit, Garmin, and Jawbone all have the right to share personal, identifiable data in the process of business deals, and that there are virtually no restrictions on how the de-identified data they collect from users may be aggregated and sold. Without this sort of information being made explicit to users, it is understandable that their own wants and needs from a given product drive their decision to use it.

What’s Next?

The management of health care data is clearly a complex issue and one which often generates confusion for data gatherers and potential angst for data generators (i.e. users). But this is not an issue that is about to fall by the wayside: technology is becoming more advanced, and it is here to stay.

“Engaging user-generated data as a tool to connect and relate to others, to offer encouragement, or to foster competitive spirit gives room to a different kind of sociality in which data is not a threat but a component of the very social fabric.” — Ostherr et al., 2017

As they currently stand, many laws and regulations are struggling to keep pace with technological advancement — the law lags behind — and deliberate, strategic efforts must continue to be made to bridge this gap. Not only is this in users’ best interest, but it should also be top of mind for digital health companies who rely on users’ trust and openness for the success of their products.

It is possible that over time there will be an even greater shift in our willingness to share data. Researchers have used the term “commodification of privacy” to describe the routine sharing of information that has happened in other industries (e.g. in social media via Facebook), and it may not be unreasonable to expect health data to become a more normally transacted good (Campbell and Carlson, 2002). Important to this process is developing end-user experiences that are transparent and conducive to communicating important data security information, all while maintaining ease of use. For instance, it may be possible to structure lengthy terms and conditions documents so that they are more user friendly — e.g. by highlighting only sections that have changed — or by guiding users towards sections that they may be particularly interested in knowing about.

The emergence of more sophisticated technologies, as well as systems that are better suited to maintaining privacy and secure transactions, such as blockchain, may offer valuable ways forward. Finally, the inception of institutions like the Connected and Open Research Ethics (CORE) initiative at the University of California in 2105 brings researchers, ethics committee members, developers, and stakeholders together to help address difficult questions raised by health care and other industries, especially as we struggle to define the terms and conditions under which all of us, as a society, operate when it comes to how we share our own personal information.