Is Your Digital Footprint Revealing Private Health Information?

If you use a cell phone, credit cards, websites, search engines, or a medical device, you might be leaving a great deal of private health information (PHI) in your wake, according to a report from the California Healthcare Foundation (CHF). Each day, most of us leave behind a trail of data that can be used to construct a detailed health profile, even if we didn’t intend to give up anything. As health care becomes more intertwined with digital applications, the Internet, and smart phones, new privacy issues are developing as private health information leaks out into the internet. According to the report, the data is incredibly useful and already has served to advance health care in meaningful ways. However, the CHF believes privacy regulations and consumer education need to quickly catch up with the changing health care landscape to address privacy issues that current regulation doesn’t account for.


According to the CHF report, the amount of data related to health care is exploding. In general, consumer data is reaching untold heights; according to the CHF, data is now described in petabytes. A single petabyte is one quadrillion bytes, which the CHF says is enough space to store “the DNA of the entire population of the US, and then clone them twice.” The data exists because consumers are generating it everywhere they go. The CHF gives numerous examples of the sources of data including: web-based diabetes apps, web-based clinical trials, patient social networks, insurance-based wellness program apps, child health monitoring smartphone apps, Wi-Fi heart monitors, search engine queries, and posts to social networking sites. Even the Supreme Court recognized in its recent decision, Riley v. California, that the smart phones many of us carry contain private health care data.


The mined data has countless applications. The CHF says the information can be used to improve clinical trials, manage diseases, forecast and track epidemics, track data for research purposes, and develop individualized health goals. Going forward, the data can be used to develop personalized medicine that could predict individual health care outcomes. However, the potential usefulness of the data is not without its costs. Although some consumers are willing to give up PHI for the health care benefits, not all individuals are ready to, and even fewer understand the extent to which they are divulging information.


The Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) protects private health data. However, HIPAA protections are limited to data held by HIPAA-covered entities. Thus, when data is mined from web-based applications, social networking services, or Internet searches, a consumer cannot be certain that the data is being held by a HIPAA-covered entity. In other words, for much of the data that consumers send out into the expanses of the Internet, current privacy laws are ill equipped to provide any protection.

Where it Goes

The data that consumers unknowingly give up is sometimes sold to third parties. Often times, the data on its face is not health related; however, when pieced together, data about location, age, occupation, exercise interests, income, and weight loss can create a comprehensive picture of an individual’s health. The New York Times reported that some health plans are using this sort of data to engage in predictive health care to anticipate patient claims before they happen. Many patients, however, are unaware of the intimate information hospitals and insurers may access to make their predictions.


The CHF suggests that new regulations and consumer education can serve as a solution. As technology advances, consumers and regulations need to advance alongside it. When consumers are educated they can make intelligent choices about where and when to divulge PHI. Additionally, regulations can be updated to account for the changing health care landscape and further protect patients from unknowingly losing their health care identities to the Internet.