Summary: please comment by August 8
- The Federal Trade Commission is considering important rule changes to protect private information from careless handling by companies.
- Submit a comment here. You can type it in, or you can upload a document.
- You can see comments from others on the Browse Posted Comments page.
- You can comment anonymously if you want.
- You can write your own comment, but it’s also okay to repeat or endorse someone else’s comment.
- The sheer number of comments is important. Don’t think “I have nothing to add.”
- The most important message that should come through is:
  - Anything about my health (or my family’s health) is extremely personal and must never, ever be used by anyone, especially without my knowing it’s happening in detail.
  - The fact that the internet is leaky does not change this!
  - For heaven’s sake, ENFORCE the rule! Punish people who are careless or sneaky with sensitive information!
- Good text to endorse or use for inspiration: this great comment, “FTC Comment Health Breach Notification Rule,” was submitted by The Light Collective’s Andrea Downing, who is a powerful patient expert on security and privacy issues.
- Andrea’s draft has a great summary of the five changes in this proposed rule:
  - Modernize the rule to cover every company who might get their mitts on private information about you, whether or not it’s a hospital.
  - Modernize the rule to cover any “unauthorized acquisition of identifiable health information,” e.g. if a company even stumbles onto private info about you.
  - Expand the rule’s scope to require companies who access your information to be careful with what they learn. (At present they don’t have to!) This includes AI like ChatGPT.
  - Modernize the rule so that it doesn’t just cover hospitals; it covers any company whose data about you might be given or sold to others.
  - Modernize the rule so that if your data is leaked, you can be notified by email, not just snail mail.
Below is some background information.
The issue:
- We all know that companies quietly and sneakily track your googling and website visits about everything – including medical topics.
- This often happens without you realizing what they’re recording about you. If you google “bicycles” that’s one thing, but if you have a very private medical worry, it’s a whole different thing.
- This highly private information can be used against you.
- Example: in a post-Roe world, some states are aggressively pursuing people who seek options for unplanned pregnancies – a subject most Americans believe should be nobody else’s business. Should such a state’s Attorney General be allowed to subpoena a patient’s search activity and use it to hunt them down and prosecute them??
- How should our government limit what they’re allowed to do?
- There is an existing “Health Breach Notification Rule,” but it’s out of date: it was created before the current flood of companies getting into health related areas and capturing your private health information.
- The rule is being updated, and the FTC is seeking public comment before it decides on the final rule. The deadline is Tuesday, August 8.
HIPAA does not protect you. Different rules are needed. That’s where the FTC comes in.
Most of us know that our healthcare records are protected in some ways by HIPAA, the Health Insurance Portability and Accountability Act. But HIPAA only applies to doctors, hospitals, and insurance companies … not social media.
HIPAA is managed by HHS, the Dept of Health & Human Services. Companies like Facebook are not: they’re governed by the FTC – the Federal Trade Commission, which regulates commerce.
HIPAA does not protect your googling or web browsing, or anything you do outside of working with healthcare businesses.
If you google “baldness” or “measles” or “broken ankle,” that information can go into any company’s database about you. Same if you even mention the subject on Facebook or LinkedIn.
Example: psychotherapy company BetterHelp
A good (and shameful) example of the problem is that the psychotherapy company BetterHelp recently got busted for letting companies like Facebook know things you told BetterHelp:
- your answers about your financial health(!!)
- whether you’d ever been in therapy before.
(Here’s a tweet with what they had to tell customers.)
What they did is not illegal under HIPAA: BetterHelp got busted by the FTC for being a naughty or careless business, leaking your private info, even though they aren’t doctors.
But the current rule is out of date, and we need to tell the FTC:
- Anything about my health (or my family’s health) is extremely personal and must never, ever be used by anyone, especially without my knowing it’s happening in detail.
- The fact that the internet is leaky does not change this!
- For heaven’s sake, ENFORCE the rule! Punish people who are careless or sneaky with sensitive information!
Debi Willis says
Thanks for helping to push this forward, Dave. It is so important.
Andrea, your comments are very well written. Thank you for doing this!