Personal Health Records: PHRs and Marketing

Report home | Read the report (PDF) | Previous section | Next section

Perhaps the biggest single concern about commercial PHRs is the possibility that a consumer’s health information will leak into the marketing system. The terms under which a PHR operates could allow the sale or rental of consumer information in the same way that magazines, catalog companies, magazines, charities, or other merchants and activities share information with limited or no consumer knowledge or consent. Consumers generally have some sense about how readily companies and agencies pass personal information around, but they do not expect the same kind of sharing when it comes to personal health information.

HIPAA generally prevents use or disclosure of health information for marketing purposes. There are a few mostly unremarkable exceptions to the marketing prohibition, and some definitional issues cloud the picture. Nevertheless, the HIPAA marketing prohibition mostly mirrors what people expect. Physicians’ ethics prevent them from selling lists of identifiable patients to pharmaceutical manufacturers or to markets, and the HIPAA rule makes those sales legally improper.

However, the marketing prohibitions of HIPAA do not apply to PHRs that are not offered by covered entities. A 2007 study of PHR privacy policies conducted for the Department of Health and Human Services found that only 3 percent, or one in 30, of PHR privacy policies stated that explicit consumer consent was necessary prior to the vendor sharing any of the data in the PHR (See R. Lecker et al, Review of Personal Health Record (PHR) Service Provider Market, Jan. 5 2007 at 7. http://www.hhs.gov/healthit/ahic/materials/01_07/ce/PrivacyReview.pdf). Meanwhile, none of the PHR privacy policies analyzed in the study expressly named the PHR vendor’s data partners, third parties, or other secondary uses of the PHR data, or whether the data was de- identified or not. Even if a PHR vendor states that it does not share information with marketers without consent, it may be still be easy for the vendor to induce consumers to give consent without actually realizing what they are doing.

Why would a PHR vendor want to disclose information for marketing purposes? The answer is simple: money. Many PHRs are free to consumers. Who is paying for the service? In some cases, it might be an employer or health plan. However, for other PHRs, marketing and advertising are the only or the primary sources of revenue. Under those conditions, commercial PHR companies can find many ways to share consumer information with marketers. The extensive sharing of consumer information – whether identifiable or not – is a standard revenue source for many Internet activities.

One example of the demand for patient information may be seen by looking at pharmaceutical manufacturers. These companies generally do not know who their customers are. They cannot find out because medical ethics and HIPAA prevent doctors and pharmacists from sharing the names of those who have prescriptions. The manufacturers work hard to find information through other methods. They want to know who uses their drugs and who uses a competitor’s drug. To find out, the companies may offer coupons for free or discounted medicine that requires consumers to provide names and addresses. Companies may offer magazines for people who have a particular disease. They may have toll-free numbers for people to call. Companies may also use websites to obtain the names and survey information from consumers. Any information that manufacturers obtain – or any other marketers for that matter – is theirs to keep, use, and disclose as they please because no American privacy law typically applies.

Even if a PHR vendor solemnly swears that it will not provide consumer information to marketers, any PHR that allows advertising on its website may facilitate the disclosure of the information anyway. Here’s a scenario that may apply in some cases. Let’s assume that advertisers want to place their ads where it will do the most good. For example, a company advertising birth control pills will not pay to place its ads where men will see them. The PHR vendor can make sure that the ad only appears on pages viewed by women, and it can do so without disclosing any personal information about the women who see the ad. The advertiser knows that anyone who saw the ad or clicked on it is registered on the website as a female.

A PHR vendor can target ads more narrowly so that they appear only to 50-plus year-old white males with diabetes, an annual income over $75,000, and a health plan that pays for drugs. The targeting itself may not disclose any personal information, depending on how it is done. However, when the user clicks on the ad, the advertiser can often infer that the user has certain the specified characteristics. If the advertiser can identify the user because of a previously set “cookie,” because of the user’s static IP address, because of another behavioral tracking activity, or because the user casually provides a name or email address to obtain more information, the specified information about the consumer can pass to a third party advertiser. The advertiser may then use the information, disclose it to others, share it with commercial data brokers, or do anything is pleases because no privacy law typically applies and because it is not typically subject to the PHR’s privacy policy.

Regardless of the PHR’s policy on marketing disclosures, advertising can provide a method for a consumer’s health information to escape into marketing files. Marketers already have millions of names of consumers categorized by specific diseases and diagnoses. Most of the information comes from consumers who provided it in response to “consumer surveys” or through other stealthy methods for collecting health information for marketing use. Health records maintained by health care providers have been unavailable to marketers directly, but commercial PHRs operated outside of HIPAA offer marketers the promise of more and better health information from consumers.

Advertising-supported PHRs are not necessarily likely to support or allow strict control over consumer information or to fully and readily tell consumers how personal information may be shared. Many PHRs will only succeed if they can sell advertising, and advertisers will seek as much detailed information about PHR clients as they can obtain. Wheedling consent from consumers for the profitable sharing of records is something that some PHRs are likely to try. Casual clicks or agreements by consumers may release the health records they have uploaded irretrievably to marketers, data brokers, and others. Many consumers may not be aware of the sophistication of how targeted marketing technologies and practices operate online or in other arenas.

Roadmap: Personal Health Records – Why Many PHRs Threaten Privacy: II. Discussion – PHRs and Marketing

Report home | Read the report (PDF) | Previous section | Next section

Posted February 20, 2008 in Health Privacy, Health Records, HIPAA, Personal Health Record (PHR), Report: Personal Health Records - Why Many PHRs Threaten Privacy, Uncategorized

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.