Simi Pharmacy

Law comes down on illegal medical record sharing

When we total up our assets, most of us will say to ourselves: “Reasonably comfortable but nothing to excite the curiosity of the IRS.”

Think again. Let SIMI PHARMACY explain how every little bit of you is worth something.

We are not talking about selling blood, a kidney, or a cornea. The big money is in all those little bits of you that are digitally stored in hundreds of computerized records: your age, gender, occupation, income, the strength of your glasses prescription, what you have been treated for, and how, where and when you were treated. There are people prepared to break the law to get their hands on your records, because the market for them is huge.

A news item from this week has thrown the spotlight on the security of your medical records, and the developments are certainly in your favour.

The report is about a Federal Trade Commission crack-down on a drug discount app that illegally shared users’ information. Acting on a complaint filed on behalf of the FTC, the Department of Justice took the app developers to a California federal court on charges of making deceptive statements about the company’s sharing of health data and of failing to notify users about the unauthorized disclosure of their health data to advertising platforms.

Specifically, the accused were charged with sharing sensitive personal data about users’ prescription medications and illnesses with companies like Facebook and Google without authorization. This made it possible for drug sellers to target individual app users with ads for medications on Facebook and Instagram.

When the FTC threw the book at the mobile app company, that book was Section 5 of the FTC Act. This section states: “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” A company that promises its users that it will never share health data with advertisers or other third parties, and then uploads the data to advertising platforms such as Facebook, Google, Criteo, and other third parties, has violated Section 5. The section also means that a company may not integrate tracking tools from third parties into its websites and mobile app. Such trackers collect users’ contact information, persistent identifiers, location information, and information about users’ activities on the website or mobile app. This is all about creating “custom audiences”, clearly identified and linked to a user’s health data.

A company that does not maintain effective policies and procedures to ensure privacy and prevent data sharing is also in violation of Section 5. A company that in any way indicates that it complies with HIPAA and with the Digital Advertising Alliance (DAA) principles, but does not in fact do so, is guilty of deception.

The app developers chose to settle out of court and paid a $1.5 million civil penalty for violating the Health Breach Notification Rule.

On Feb 28, the federal judge not only approved the settlement order but also imposed a permanent injunction on the company, barring it from ever sharing users’ health information for advertising purposes and compelling it to make full and accurate disclosure to app users regarding all conditions surrounding the company’s services.

So who tipped off the FTC about what was going on? Writing in the March 6, 2020 issue of Consumer Reports, senior technology reporter Thomas Germain laid out the whole story. He documented how the app’s digital products were sending personal details about individual users to more than 20 internet-based companies. Google, Facebook, and a marketing company called Braze all received the names of medications people were researching, along with other details that could let them pinpoint whose phone or laptop was being used. The writer noted that even Facebook’s own investigation concluded that the app was violating Facebook’s terms, which prohibit the sharing of health data with Facebook.

How did the app dare to share medical information? It’s worth quoting Germain:

“The Health Insurance Portability and Accountability Act of 1996 doesn’t apply to [company name] or many other “direct-to-consumer” websites and apps that provide health and pharmaceutical information. It doesn’t apply to heart-rate data generated by a sports watch or Fitbit, information you enter into period-tracking apps, or running data held by running and cycling apps such as Strava. As far as the law is concerned, such information has no more protection than your Instagram likes.

“Major companies are keenly interested in consumer health data. Last year, the data broker and credit monitoring agency Experian announced it had assigned every person in the United States, an estimated 328 million Americans, a unique “Universal Patient Identifier.” Google and Amazon are publicly investing in efforts to collect consumer health data and acquire or partner with healthcare companies.

“HIPAA may actually make medical data more valuable to internet companies. “I can buy a targeted list of people that have opened a new business or bought a BMW,” says Jeff Greenfield, co-founder of the advertising attribution firm C3 Metrics, but it’s much harder to locate people with diabetes or high cholesterol because of HIPAA. “There’s money that’s on the table, hundreds of millions, billions of dollars a year in aggregate, in potential advertising dollars.”

The company’s illegal practices were too flagrant to ignore. The FTC found the rule it needed to go after the app developer, namely the Health Breach Notification Rule. It requires a company holding medical information to notify users of breaches, such as cyberattacks or the unauthorized sharing of their health data.

The company behind the drug discount app is the first to be hauled up under the Health Breach Notification Rule. And, for the first time, by making the case turn on the question of consent, the FTC has prohibited a company from sharing users’ health data for advertising purposes.

The Health Insurance Portability and Accountability Act was enacted to provide security for your medical records and personal health information. HIPAA compliance is a responsibility that SIMI PHARMACY takes very seriously. YOUR RECORDS ARE SAFE WITH US.