How much do you know about your health data privacy?

I knew I had to write about health data privacy for my next big feature for a few reasons. First, last October I read that 23andMe founder Anne Wojcicki said that consumers with privacy concerns just need to get used to genetic testing. It struck me as dismissive to tell people with valid concerns and questions to just get used to it.

Then in November, the public learned about Google’s secretive deal with Ascension Health in which Google gained access to the health records of more than 50 million people in 21 states. “Project Nightingale” took the internet by storm and made people question what a company like Google — which already has amassed a treasure trove of data on people — could do with the health information of millions of patients. The partnership started a larger conversation about HIPAA — the Health Insurance Portability and Accountability Act of 1996 — how it protects patients and its limits. 

A few key questions came up. How much do individuals know about their health privacy rights? How much do data collectors care about people’s health privacy rights? Was this nonchalant “just get used to it!” attitude the norm or the outlier? And, as collectors of employee data, where did employers find themselves in this tug of war? 

Also read: Employer roundtable explores hype and hope in genomic medicine

Luckily I had the opportunity over the past few months to talk to several experts about employers and health data. 

Glenn Cohen, professor of law at Harvard Law School and faculty director of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics, brought up some interesting what-ifs about how employers will address health data in the future. For one, this issue could play out differently for unionized labor versus at-will employees. 

“It’d be interesting to see whether this becomes a subject of collective bargaining to some extent,” Cohen said. Might the rules for how employers collect, use and sell the data look different?

Further, even for at-will employees, one place where we may see a lot of new policies written concerning data collection is the employee handbook, he said. “One interesting question will be whether employers are starting to update their employee handbook to be explicit about these things,” he said. 

One of the privacy concerns some patients have about their health data is that it could eventually be used against them in some way. Maybe they could be profiled or suffer real-world implications in employment (loss of job opportunities) or insurance (denial of coverage or higher premiums), Cohen said.

Also read: Should there be a code of ethics in technology? 

Ed Oleksiak, senior vice president at insurance brokerage Holmes Murphy, spoke with me about discrimination, and he stressed one of the most popular parts of the Affordable Care Act: the elimination of pre-existing condition rules. Before the ACA, some people were nervous that they may not be able to access health insurance because of an illness. As of now, that does not have to be a concern anymore.

With the future of the ACA in flux and with the Republicans’ challenge to the law going to the Supreme Court later this year, I wonder if that changes anything about that argument. According to Politico, it’s unlikely that the Supreme Court will rule before the election on the lawsuit, “which could wipe out the Affordable Care Act’s insurance protections and coverage for millions of people. The court is expected to hear the case during its next term starting in October, but the justices did not say when it will hear oral arguments.”

Just as the Google-Ascension partnership set off some regular news coverage concerning HIPAA and data privacy, I think it’s a safe bet that the ACA hearings will do something similar concerning health data and people’s ability to get health insurance based off that data. 

Oleksiak also said that telemedicine will become increasingly important, especially in rural areas which often have shortages of doctors and medical experts. This technology has potential to help out patients in rural areas, but an issue here for patients is if their data is protected while they receive this remote care. “In some areas where maybe there’s more of a stigma or [where] people might feel more discriminated against for a particular illness, there are extra precautions that get put in place for certain illnesses,” Oleksiak said. 

While these two sources shed some light on patient and employee fears, another one of my sources discussed patient and employee confusion. Data privacy attorney Joseph Jerome explained that the definition of health data is complicated. 

HIPAA protects health information, like if a woman is pregnant, in some contexts but not all. It’s protected in the health system setting, but someone who is buying items on baby.com or downloading fertility apps would not get the same protections.

“I think it leads to a culture where nobody knows what’s going on, and when consumers or employees ask questions, I don’t think there are a lot of good answers for them because they don’t know where the protections end and what protections they actually do have,” he said. 

Also read: Do employers have a duty to protect employees’ personal information?

Jerome also described an “information and power asymmetry” between employers and employees. While employees may worry that their data might be used in ways they’re not comfortable with, they don’t know for sure. And employers aren’t going to say they’re using something for a potentially controversial reason.This can create a sense of uncertainty among employees. 

These are just some of the topics that came up in my interviews, and I’m exploring more in my upcoming feature story. Meanwhile, if you are a forward-thinking employer who’s beginning to have discussions with stakeholders and employees about data privacy and data management, feel free to reach out to me. I’d love to hear your story.