The Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Rules, which restrict uses and disclosures of healthcare data by HIPAA-covered entities and business associates of those entities. When entities are not covered by HIPAA, privacy violations and illegal uses and disclosures of sensitive consumer data are policed by the Federal Trade Commission (FTC). The FTC recently announced in a blog post that it is fully committed to enforcing the law against illegal uses and sharing of highly sensitive data.

Some of the most sensitive categories of data collected by connected devices are a person’s precise location and information about their health. Currently, those sensitive types of information are collected by fitness trackers, smartphone apps, browsers, and other connected software and devices, and that information is combined with other data and is monetized and sold to third parties, often without the knowledge of the individuals to whom the data relates.

“The conversation about technology tends to focus on benefits. But there is a behind-the-scenes irony that needs to be examined in the open: the extent to which highly personal information that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers,” said Kristin Cohen, Acting Associate Director, FTC Division of Privacy & Identity Protection. “These strangers participate in the often shadowy ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.”

Location data is collected by connected devices, even when those devices are not being used. They can provide information about where individuals work, sleep, socialize, worship, and seek medical treatment. “While many consumers may happily offer their location data in exchange for real-time crowd-sourced advice on the fastest route home, they likely think differently about having their thinly-disguised online identity associated with the frequency of their visits to a therapist or cancer doctor,” said Cohen. “The marketplace for this information is opaque and once a company has collected it, consumers often have no idea who has it or what’s being done with it. After it’s collected from a consumer, data enters a vast and intricate sales floor frequented by numerous buyers, sellers, and sharers.”

Since the SCOTUS ruling that overturned Roe v. Wade, these data collection and sharing practices have faced even greater scrutiny due to the potential for the collection and misuse of location data and information related to personal reproductive matters, such as through the use of products that are used for reproductive cycle tracking, monitoring fertility, overseeing contraceptive use, and even for targeting women considering abortion.

In terms of the latter, Cohen explained that this is not just a theoretical risk. In 2017, Copley Advertising, LLC settled a case with the Massachusetts Attorney General over its use of geolocation technology to identify when people passed through a digital fence around a clinic offering abortion services. Those individuals were then served targeted advertisements offering alternatives to abortion. The FTC also recently settled a case with Flo Health over the sharing of the sensitive data of users of its period and fertility tracking app with Google and Facebook, when the company had told users that the information collected by the app would remain private and confidential.

Cohen explained that the misuse of location and any health data exposes consumers to significant harm, and can place consumers at risk of phishing attacks, extortion, physical and emotional injury, discrimination, stigma, mental anguish, and other significant harms. “The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy,” said Cohen. “We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”

Cohen warned companies that collect sensitive consumer information to be aware that the information is protected under many federal and state laws, including laws enforced by the FTC such as the FTC Act which prohibits unfair and deceptive trade practices. The FTC also enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.

Companies that claim they anonymize or aggregate consumer data should be on guard that such claims could be considered a deceptive trade practice. If found to be untrue, those practices would be in violation of the FTC Act. Cohen said the FTC is cracking down on companies that misuse consumer data and has recently taken action against several companies for using location data without content, improperly collecting and retaining sensitive data, and failing to respect consumer requests to delete sensitive data.

The post FTC Committed to Enforcing Laws Preventing the Illegal Use and Sharing of Location and Sensitive Health Data appeared first on HIPAA Journal.

On Friday, the House Committee on Oversight and Reform announced that a probe has been initiated to determine how data brokers and health app companies are collecting and selling individuals’ personal reproductive health data. The probe was initiated as a result of the SCOTUS decision that overturned Roe v. Wade, as members of the committee were concerned that the personal data of individuals seeking reproductive healthcare services may be misused.

Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, Rep. Raja Krishnamoorthi, Chairman of the Subcommittee on Economic and Consumer Policy, and Rep. Sara Jacobs, wrote to five data brokers (SafeGraph, Digital Envoy, Placer.ai, Gravy Analytics, Babel Street) and five health app companies (Flo Health, Glow, BioWink, GP International, and Digitalchemy Ventures) requesting documentation on how personal reproductive care information is collected and sold.

Huge amounts of personal data are now being collected and sold, often without the knowledge of individuals. The information is used to serve individuals’ targeted advertisements and for other reasons. There is concern that the collection and sale of this information may put the health, safety, and privacy of Americans and healthcare providers at risk.

“The collection of sensitive data could pose serious threats to those seeking reproductive care as well as to providers of such care, not only by facilitating intrusive government surveillance, but also by putting people at risk of harassment, intimidation, and even violence,” explained the Committee members. “Geographic data collected by mobile phones may be used to locate people seeking care at clinics, and search and chat history referring to clinics or medication create digital breadcrumbs revealing interest in an abortion.”

The Committee Members cited a study published in JMIR – Privacy, Data Sharing, and Data Security Policies of Women’s mHealth Apps: Scoping Review and Content Analysis – which found that 20 of the 23 most popular women’s health apps, which include reproductive health apps, were sharing user data with third parties, even though just 52% of those apps obtained consent from users. The study found that most women’s mHealth apps had poor data privacy, sharing, and security standards.

There is concern that data from health apps, especially period trackers, could be used to identify women who have had abortions. Data brokers are known to sell users’ location data, including the location data of individuals who have visited healthcare clinics that provide abortions. Recently Google announced that it will further improve privacy protections by automatically deleting the location data from Google accounts related to visits to healthcare providers that provide sensitive healthcare services, but Google is not the only company that records location data.

The data brokers and health app providers have been given until July 21, 2022, to respond and provide the requested data.

The post Data Brokers and Health Apps Probed Over Privacy Practices appeared first on HIPAA Journal.

Google has announced that it will be taking steps to improve privacy protections for users of its services. Google has long advocated for a comprehensive, national privacy law covering consumer data to ensure there is consistency across the entire country, rather than relying on a patchwork of state-level privacy laws. The American Data Privacy and Protection Act that was recently introduced could see national privacy law introduced, but until ADPPA or equivalent consumer data privacy regulations are signed into law, Google said it has taken additional steps to protect user privacy, especially for health-related issues.

Google confirmed that location history is turned off in Google accounts by default, but if users choose to activate location history, they can auto-delete or manually delete parts or all of their location data at any time. However, to further protect privacy, Google has added a new auto-delete feature that will be rolled out in the next few weeks. If Google detects a user has visited certain medical facilities that offer sensitive medical services, the entries will be automatically deleted from the user’s location history soon after the visit.

Those locations include:

• Abortion clinics
• Domestic violence shelters
• Counseling centers
• Fertility centers
• Addiction treatment facilities
• Weight loss clinics
• Cosmetic surgery centers

On Google Play there are policies that prevent app developers from selling personal and sensitive user data, developers are required to only handle data for purposes directly related to the use of the app, and any data collected must be handled securely. A new data safety section has now been added that developers can use to provide app users with more information about how their apps collect, share, and secure user data.

Users of Google Fit and Fitbit have access to tools that allow them to easily access and control their personal data, including the option to change or delete their tracking data as they see fit. “Fitbit users who have chosen to track their menstrual cycles in the app can currently delete menstruation logs one at a time, and we will be rolling out updates that let users delete multiple logs at once,” explained Google.

Google has also clarified its position regarding law enforcement demands for user data. “We take into account the privacy and security expectations of people using our products, and we notify people when we comply with government demands, unless we’re prohibited from doing so or lives are at stake — such as in an emergency situation,” explained Google in a recent blog post. “We remain committed to protecting our users against improper government demands for data, and we will continue to oppose demands that are overly broad or otherwise legally objectionable.”

The post Google Announces New Measures to Protect User Privacy on Healthcare Matters appeared first on HIPAA Journal.

Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) have written to two leading mental health app providers and demanded answers about their data collection and sharing practices.

There have been multiple reports that the mental health apps provided by Talkspace and BetterHelp are collecting, mining, and disseminating private client information to third parties, including big tech firms such as Google and Facebook. During the COVID-19 pandemic, the use of mental health apps grew rapidly. The apps offered an alternative to traditional face-to-face therapy, with the app developers themselves marketing the apps as a cost-effective alternative to traditional therapy.

While therapists may be required to comply with the Health Insurance Portability and Accountability Act (HIPAA), mental health apps fall into a gray area and are not generally covered under HIPAA, which means that the restrictions on uses and disclosures of protected health information under the HIPAA Privacy Rule do not apply to many mental health apps.

Users of those apps may not understand that any information collected, stored, or transmitted through the apps may be shared with third parties. Consumers may mistakenly believe that HIPAA applies to these apps because if the same data were to be collected by a healthcare provider – a HIPAA-covered entity – the information would be classed as protected health information and the HIPAA Rules would apply. However, most app developers, including mental health app developers, are not HIPAA-covered entities and are generally not even business associates. The developers of those apps should explain clearly in their privacy policies about any uses or disclosures of users’ information, but privacy policies are often unclear.

“We have long been concerned about the misuse of personal data by Big Tech companies and unscrupulous data brokers, especially for the purpose of microtargeting vulnerable populations,” explained the Senators in their letter to BetterHelp and Talkspace. “Unfortunately, it appears possible that the policies used by your company and similar mental health platforms allow third-party Big Tech firms and data brokers, who have shown remarkably little interest in protecting vulnerable consumers and users, to access and use highly confidential personal and medical information.”

Earlier this year, researchers at Consumer Reports’ Digital Lab investigated 7 mental health apps, including the apps provided by Talkspace and BetterHelp. Using specially programmed Android devices, the researchers tracked which third-party companies received data from the apps and checked whether privacy settings were on or off by default. The researchers found that the apps behaved like many other consumer apps, and shared unique IDs associated with individual smartphones which can be used by big tech companies to track what people do across many different apps. When combined with other data, users can be served targeted ads.

An investigation in February 2020 found BetterHelp was sharing analytics data with Facebook, which included how many times the app was opened and metadata from every message, including data on how long and where users were accessing mental health services. Former employees of Talkspace claimed that treatment transcripts were viewed as a data resource to be mined, and individual users’ anonymized conversations were routinely reviewed and mined for insights to help the company with research and marketing tactics.

The Senators have raised concerns about the use of anonymized data, as that information could be combined with other data to identify individuals. The Senators referred to a 2019 study that found anonymized data that included only a zip code, gender, and date of birth would allow an individual to be identified in 81% of cases.

The senators have asked both companies questions about the types of data collected, the extent of data sharing with third parties, the methods used to protect clients’ information, and how potential clients and current users are informed about the privacy policies and the risks associated with sharing data. The companies have been given until July 6, 2022, to respond.

The post Senators Question Mental Health App Providers Questioned About Privacy and Data Sharing Practices appeared first on HIPAA Journal.