It sounds amazing. You sign up for an app that tracks your robust heart rate, your 10,000 daily steps, and other minute-by-minute data, and then, with a few short clicks, you can also download the years of medical records that show your struggles with cholesterol and the procedures you’ve had with a variety of specialists. It’s all in one convenient spot.
You’ll have that option soon, by way of a little-noticed federal regulation that is winding its way toward final approval later this year. The rule would effectively wrest control over your health records from health-service providers. The idea is that, with a single click, you would be able to transfer those records to a third-party app—say, Apple Health—that could aggregate everything from every doctor you’ve ever seen.
The upsides for patient safety, holistic care, and choice could be tremendous: You’ll be empowered to ensure that your doctors know everything about your history, without needing to either awkwardly arrange for paper records to be sent from one place to another or rely on your own faulty memory. Ever since the federal Health Insurance Portability and Accountability Act, known as HIPAA, was passed in 2000, Americans have had the right to get copies of their medical records. Finally, it seems, that right will become practical, because the new rule will make it mandatory for all health care systems to make their data easily downloadable through an API.
But the societal tradeoffs prompted by technology adoption are seldom obvious at the outset. Each individual choice seems innocently incremental, an exercise of freedom made easy through digital encouragement. So it is with this new regulation.
Few Americans may realize that, under current law, releasing their digital health records to an app—So easy! Just like using Uber!—is like being bitten by a vampire: There is nothing you can do to reverse this action, and it has the potential to infect every part of your life. Third-party health apps—think apps for fertility, weight loss, lifestyle changes, or diabetes management—aren’t covered by federal privacy laws. They certainly aren’t covered by HIPAA, which governs only health industry “covered entities,” like health insurance companies, doctors, and hospitals, and requires that those actors adequately protect your health information and use (and disclose) that data only as minimally necessary to provide you services.
So, unless something changes, once you click impatiently through your favorite health app’s terms of service, that app will be able to sell your data—including your name and everything in your medical records—to anyone. A recent study found that 19 out of a sample of 24 general-purpose mobile health apps shared user data with more than 50 unique companies, most of which were data analytics companies; another study showed that many depression-tracking and smoking cessation apps currently share users’ personal details with third parties without clear disclosure.
Just imagine how those analytics could be repurposed for use by companies considering hiring you, selling you insurance or a mortgage, making a decision to lend you money, or deciding whether or not to admit your child to preschool. Right—you didn’t expect that, did you? And you likely wouldn’t know if something like that happened to you. Much algorithmic decision-making is unknown to its subjects.
Some think these privacy concerns are overblown. Since mid-2017, Don Rucker has led the office inside the federal Department of Health and Human Services that is developing the rules. Rucker points out that people share sensitive data with apps all the time—heart rate data with fitness apps, banking data with who knows who—and should have the right to make similar choices about their medical data. Rucker also says he is working on “better ways of doing consent” for use of health information, so as to ensure people actually understand what will happen to their data. But this consent-based approach doesn’t go nearly far enough. We should clearly extend and revise HIPAA so it covers third-party apps and limits the apps’ ability to share data (just as we try to with credit data).