Do You Know Where Your Health Data Is?

The data we generate in our digital lives can reveal important information, particularly about our health. For one, our social networks can be predictive of health outcomes and conditions, in part because of shared attitudes amongst social groups about health and behavior, and because socio-economic status is a health determinant. Some research also indicate that search engine queries can be used to infer medical conditions, and researchers at the University of Pennsylvania have found that they could predict heart disease in users by analyzing the language of their Twitter posts better than models that use traditional variables from demographic, socioeconomic, and health risk factors. A research team with members from Microsoft, Stanford, and Columbia is pioneering a method for discovering the underreported side effects of prescription drugs by mining search logs, which can act as an alternative to the FDA's Adverse Event Reporting System, a database where physicians can input their observations of adverse side effects in patients they follow.

Many of us would support the use of our data for medical or health research and some may even welcome the medical interventions prompted by algorithmic systems that detect a looming medical event or the personalized medicine derived from more individualized data-collection. However, when the inferences and connections that can be made about us reveal sensitive information, like mental health conditions or the propensity for genetic diseases like Alzheimer's, we want to know what the boundaries of visibility are, especially when such inferences can affect our employment prospects. In a professional medical setting, it is generally understood that our medical information is confidential, and there are laws in place, such as the Health Information Portability and Accountability Act (HIPAA) which safeguards such information. Our increasingly networked selves and the internet of things have, however, resulted in the transport of health data to entities that operate outside the legal boundaries of confidentiality that we expect from medical professionals.

Fitbit, Spreadsheets, 23&me, Project Ginsberg, Priori, Cogito, and other apps and products have become popular with consumers who seek to benefit from the behavioral insights that these self-tracking programs promise to provide. However, as Federal Trade Commissioner Julie Brill has observed, ""devices and apps that encourage consumers to supply information on diet, exercise, medicines and other health factors aren't covered by medical privacy laws." What happens when health data collected outside of the boundaries of medical privacy laws are repurposed or brokered to third-parties, like insurance companies or employers? The repurposed data poses potential risks and harms that outweigh our understanding of the benefits we subscribed to as networked information users. In an article published by the Ohio State Law Journal, I explore some of the risks associated with genetic testing, including the inadvertent disclosure of genetic information when such information is used for marketing purposes and I advocate for the promulgation of a new tort, the tort of genetic information disclosure. And in a new article, I argue for the strengthening of the Genetic Information Non-Discrimination Act (GINA) to prevent the type of employment discrimination that might arise from genetic determinism.

The world of Big Data is a brave new world in which more health data is being collected either for the purposes of preventative medicine or in an effort to promote holistic health. Unlike the pre-internet days when our health information was securely locked in a cabinet in our family doctor's office, these days our health information flows freely through electronic networks. Internet database breaches, such as the one experienced by the health insurance company Anthem, remind us that the protection of networked information is tenuous. Indeed, the misfortunes of the health insurer Anthem may reflect a trend in the booming business of medical identity theft.

The saying "health is wealth" takes on new meaning when you comprehend that there are corporations who stand to legally make money from your health information and also nefarious individuals who illegally do the same. The unfortunate fact, however, is that when it comes to health data, there remain many gaps in the law. It is high time that health law caught up with the digital age.