While most of us have been physically distancing ourselves during this pandemic (and will continue to do so for another month or three), we’re getting a lot closer digitally. We are sharing more information online than before. As before, some of this is positive and lighthearted — John Krasinski sharing good news or Chrissy Teigen exchanging banana bread for romaine lettuce. But some of it, like personal health information, is sensitive, and should only be shared with great care. During a pandemic, health is everything. Thankfully, you have control over what health information you share online and you can take simple steps to protect it.
The basics of health data
Generally, we’re pretty aware of guarding our passwords and avoiding phishing scams, but protecting medical and health data is different. The Health Insurance Portability and Accountability Act (HIPAA) is the law that protects patient privacy and medical data. It makes sure data transferred between healthcare providers, insurers, and their associated businesses remains private. It’s meant to keep pieces of protected health information (PHI) from being associated with your medical records or payment history. This makes sure that only people like doctors or designated family members can see medical information next to things like your name and social security number. The HIPAA law keeps private your blood pressure, mental health information, and the medication you were given for that mysterious rash you got after changing fabric softeners.
The issue is that we sometimes freely give up health data to entities outside of our doctor’s offices that are not covered by HIPAA’s protections. Especially during times of crisis, when our collective guard is down, we share details about our health through mobile apps (such as fitness trackers), message boards, chat groups, or social media.
(NOTE: It’s worth noting that this might be changing. A group won a suit against Facebook last year for not disclosing data breaches that happened after people shared PHI in Facebook-supported private health message groups. Judges ruled that Facebook had to review its privacy practices with the government.)
This matters because your health data is a unique marker of you. It is important to keep it secure, not only for your personal privacy but also to make sure employers, creditors, marketers, or insurance providers don’t exploit it. One leak or inadvertent disclosure later, your blood pressure could show up next to your email address and name, and be used to market off-brand diuretics to you or, worse, to deny you life insurance.
That said, there are responsible ways to share health information with others. During a pandemic, sharing your health information can even be helpful.
Here are a few tips on how to use each channel and our quick take on how reliable the method is for sharing health information.
This is a touchy one. We are all isolated at home now and need to connect. In addition, hiding a diagnosis from your friends could add to the stigma surrounding certain conditions like COVID-19 or depression. On the other hand, do you really want your cousin’s best friend making fun of you for an unfortunate wart? The best policy here is to own what you post, avoid posting any detailed or incriminating personal health information, and make sure you know to whom you are broadcasting your message.
That means avoid sharing the medications you’re on, any detailed diagnoses, or specific treatments on these platforms. It’s probably ok to tell your close friends you’ve broken your leg or are battling cancer, but don’t share pictures of health records, x-rays, or devices displaying diagnostic readings. Double-check your privacy settings to see who can see your posts. Here’s how you can do that on Facebook and Instagram.
Keep in mind that even if a post you share (your specific language and images) is restricted only to your friends, the idea of the post is effectively public information. So even if you’re not friends with your mom’s hair stylist, your mom could mention whatever you share with her in her own post, and suddenly the world knows something you thought was a little more private.
COVID-19 contact tracing apps
As you may have heard, Google and Apple are in the process of creating an app to notify people when they have been in contact with someone who has been diagnosed with COVID-19. It’s similar to one being developed in Europe. The process uses Bluetooth, stores a record of the people you have been in contact with for 14 days on your phone, and requires your consent before telling others that you have been diagnosed with COVID-19. They are taking measures to make sure the app development remains transparent, will not allow ad platforms to access the data, and have promised to shut it down after the crisis is over. The jury’s still out on all the privacy implications, but Wired has a full blow-by-blow.
COVID-19 Facebook survey
Facebook recently released a map in partnership with Carnegie Mellon University’s (CMU) Delphi Research Center mapping the percentage of people self-reporting COVID-19 symptoms. This data can be used with other information like co-location maps, social connectedness, and movement trends to help researchers predict infections. The survey guarantees that CMU Delphi Research won’t share individual survey responses with Facebook, and Facebook won’t share your identity with the researchers. There are few specifics beyond that, but this map could help counties determine the flow of supplies much more efficiently.
Technically speaking, texting PHI is not protected under HIPAA, so you’re not guaranteed the same privacy protections for this information that apply to your doctor or insurer. Texts are protected under another federal privacy law, the Consumer Telephone Records Protection Act of 2006. This law addresses different privacy concerns, but unless you’ve committed a crime, most people, businesses, or agencies cannot get access to this information. Still, it’s best to opt for HIPAA-compliant texting with a medical professional unless you’re talking to a family member or someone you trust.
Many doctors are moving (or at this point, should have moved) to secure platforms for data sharing, and do not allow patients to share information via text or over a non-secure Google Hangout or Zoom session. If you’re unsure, please ask your provider what platform they are using to secure your telehealth visits and messaging sessions.
Most email is not HIPAA-compliant. It’s even against Gmail’s terms of service to transmit PHI without extra encryption. While some companies encrypt their business emails, it’s probably best to avoid sending health data over your office server. There are ways of encrypting an email, but it’s still best to trust your medical provider’s technology.
It goes without saying that Google and most search engines pay attention to what you are searching for and use it for marketing purposes. If you want to prevent this, you can do a privacy audit, use a privacy-focused browser like Mozilla Firefox or Brave, or use a privacy-focused search engine like DuckDuckGo.
To prevent someone from accessing your device (and your search history), make sure your device has a strong passcode, two-factor authentication is turned on, and you have a way to delete its data remotely should it ever get stolen.
Fitness trackers and health apps
In short, it’s ok to humblebrag about a run or two, but read the Terms of Service and Privacy Policies on these apps. Check to see whether they are attaching private information to any health information and displaying it publicly. Also look into whether they are sharing this information with third parties for marketing or tracking purposes; that means marketers could use your active lifestyle (or lack thereof) as a selling point. If you’re overwhelmed with the fine print and legalese, use CTRL+F or CMD+F to search the Terms of Service for sensitive terms like “health,” “gender,” “third-party apps,” or “sharing.”
How to manage the sharing preferences in Apple Health, Google Fit, Fitbit, and Strava is included in this Wired article.
Mental health apps
A good number of these apps are HIPAA-compliant and have robust privacy disclosures and practices, like Talkspace. Others that rely completely on forums are effectively small social media channels with the same concerns as Facebook. A good majority of them also share information with third parties. One study found that many popular depression and smoking cessation apps share information with Google and Facebook for marketing purposes. Again, the terms of service and privacy disclosures are the place to start, along with managing the settings in each of the apps. Bottom line: make sure what you share is hard to connect to your name or other PHI.
As noted above, the most secure way to share digital health information is through your medical provider’s IT infrastructure. Again, make sure they follow HIPAA compliance, and ask directly what they are doing to ensure the security of the data you share through digital channels. Never take a telehealth visit over text, FaceTime, Google Hangouts, or Zoom unless you know that your provider has initiated the session over their secure platform. As tedious as it may sound, read the disclosures to make sure you’re ok with where your information is headed. Even nonprofit hospitals can put you on an internal fundraising list for services they provide.
As we’ve all heard hundreds of times over the past several weeks, this is an unprecedented moment. While there are new updates and recommendations to pay attention to almost every day, your health and how you manage it are more critical than ever. So while you’re waiting for the next installment of Tiger King, be safe and wise with how you share your health data. After all, you’re sharing a little bit of you.