Changing Methods of Tracking and Sharing Healthcare Data

Security concerns around Meta Pixel and other tracking tools spurred a former OCR investigator to recommend health systems consider all possibilities.

 


As artificial intelligence (AI) becomes more and more prevalent in healthcare, there is a growing need to manage its development just as rapidly. Private companies and organizations own and control AI technologies. Because of the way artificial intelligence is implemented, corporations, clinics, and government bodies could be required to play a much larger role than is typical in determining what health information about patients is gathered, utilized, and protected. There are privacy concerns around data security and around how AI is implemented that need to be considered.

Earlier this year, a patient of Baltimore, Maryland-based MedStar Health System filed a lawsuit against Meta Platforms, seeking damages on behalf of the entire group of patients who were injured due to the company's practices in the U.S. The Northern District of California is the court responsible for hearing the cases.

A plaintiff in the class action lawsuit alleged that Meta, the parent company of Facebook, was using Pixel tracking technology to sneak into hospitals' and health systems' websites and portals to track patients' information. As of now, Meta has been sued in at least two more class action lawsuits alleging that the company improperly collected information about its customers.

Several of the major health systems in the country have also been named as co-defendants (Dignity Health, UCSF) or have faced lawsuits of their own (Northwestern Memorial Hospital) for alleged misuse or misconfiguration of the Pixel tool.

Multiple recent studies have revealed that third-party tracking occurs on nearly all hospital websites, which reinforces recent media coverage of the increasing number of consumers who are losing privacy when they browse online to find health information. 

As it turns out, nearly all U.S. hospital website visitors who provide their contact information have the option of sharing potentially sensitive medical information with tech companies, data brokers, and advertising firms, according to a recent analysis of Health Affairs published by the University of Pennsylvania. 

A first set of concerns is the complexity of accessing, using, and having control over patient data under private ownership. In some recent public-private partnerships for the implementation of artificial intelligence, privacy has been poorly protected, leading to poor results. Research using big data for health purposes has so far been criticized for a lack of systematic oversight. To protect patient privacy and other rights, appropriate safeguards must be implemented. Private custodians of data should be given a structural incentive to prevent the unauthorized use of these data, which should deter the use of these data in alternative ways.

Another concern about AI-driven methods is the possibility that they could expose people's private information to external threats. New algorithms have been developed that have successfully reidentified such data, so the protection that deidentification or anonymization is meant to provide may be compromised or even made null and void.

Under a private custodianship, the risk of data exposure to unauthorized persons could rise significantly. 

As a result of these developments, hospitals and health systems now have to ask themselves some questions regarding the design of their websites and apps, and how third parties may, either inadvertently or not, put patients' protected health information at risk through the use of these tools. 

This missive from January 2014 contains Frances' full name, along with the revelation that she has a genital wart and human papillomavirus. This is a sexually transmitted disease associated with genital warts and cancer. Moreover, the letter also contained her date of birth and ended with a plea to friends asking them to help expose this hoe. 

The following day, Frances, who had lived near her high school pals but had been dating for a short time, was told by a friend that the former friend who lived nearby had shared a secret that only she and a former boyfriend knew about. 

Frances was treated at the local hospital where the Facebook poster worked as a patient care technician, but they were no longer friends after Frances had been treated there. 

After Frances complained to a nurse supervisor at the hospital, the hospital responded by sending her a letter of apology in March 2014. In the letter, it stressed that it takes these sorts of situations very seriously. It did not specify what actions were taken, saying only, "We took action according to our policies and procedures."

As far as the disclosures to Meta/Facebook are concerned, what concerns the majority of people is not so much the sharing of their data as the fact that it may be shared broadly, for advertising and tracking purposes, without their consent or knowledge.

Under HIPAA, covered entities, including certain providers and insurance plans, as well as certain business associates/vendors, are required to adhere to certain privacy and security regulations, as well as to respect the rights of individuals. It also establishes certain requirements regarding the privacy and security of health information. 

Patients must be notified of the use and disclosure of their personal health information. In addition, organizations must obtain valid authorization for certain types of uses and disclosures, and must obtain certain assurances before sharing PHI with vendors. These standards also require organizations to provide patients with information about how their PHI may be used and disclosed.

The Executive Order, which was issued earlier this summer, also requires the Department of Health and Human Services to consider actions and guidance to strengthen security and privacy protections for reproductive healthcare providers specifically. Organizations should focus on the current legislation, rules, and risks that apply today. However, they should also pay close attention to what is being discussed in the legislature and the enforcement actions being taken.