How to Protect Your Health Data: Practical Recommendations
In this era of personalized medicine and consumer genomics, you should understand how your health data is being used, how it’s being stored, and with whom it’s being shared.
When you hear the word “genomics,” you might associate the term with personalized medicine or the genetic underpinnings of diseases you may inherit. But this field of biotechnology has also ushered in a rapidly growing consumer industry known as personal genomics.
According to a recent MIT Tech Review article, more than 26 million Americans have purchased an at-home DNA test, and that number is expected to swell to over 100 million within the next two years. Consumers are using these products to help them gauge their risk of developing a disease, identify the best diet for weight loss, find long-lost relatives, and track their ancestry.
But while the consumer health industry has taken off, the privacy protections and data ownership issues associated with it are playing catch-up.
You may wonder whether your health data — which can include anything from the number of steps you took today, to your resting heart rate, to even your genetic information — will be shared with others.
If the privacy of your health data worries you, you’re not alone. In a recent survey, more than half of Americans said they were concerned about how a company might share a consumer’s genetic data without that person’s knowledge.
The good news is that regulatory bodies and ever-evolving technology are working to keep up with consumer concerns.
Your Data Privacy Rights in the Digital Age
While you might think of the Health Insurance Portability and Accountability Act (HIPAA) as a rule that providers must follow to protect your medical information, it also applies to entities that handle protected health information (PHI). HIPAA, however, has a loophole that permits sharing de-identified data. In the 23 years since the act was passed, more sophisticated data mining has made this loophole worrisome to privacy advocates. Companies can sell this de-identified health data to countless clients, as many times as they want, and often without consumers’ knowledge.
To strengthen consumer protections, some countries and certain states in the U.S. have passed stricter regulations. This includes the European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018.
The GDPR does much more than protect your email address and website cookies. It protects your health and biometric data, and it gives you more insight into how your personal data is being used, along with where and how it is processed. It also ensures that you have the right to receive a free copy of your personal data in an electronic format, the ability to opt out of the sale of your data, and the option to have your data erased. (The GDPR does make exceptions for de-identified health data, which can be used for research without your consent.)
In addition to Europe, certain states in the U.S. are introducing tougher laws. For example, the California Consumer Privacy Act is slated to become the United States’ first consumer privacy law when it goes into effect in January 2020. And in early 2019, Oregon legislators introduced the Oregon Health Information Property Act. If passed, the bill would treat individual health data as property and would require companies to obtain permission from consumers each time their de-identified medical data is sold. Several other states are considering similar bills.
How Next-Generation Tech Protects Health Data
When health companies began collecting vast amounts of medical data from consumers, finding patterns became important. But these large quantities of data cannot be processed by the human mind alone. Instead, researchers have been able to program computers to process data and learn on their own, a type of artificial intelligence known as machine learning.
To increase the speed and complexity of processing data, but also to provide better data privacy, a type of AI called federated learning has emerged.
Federated learning allows data to be stored and processed on individual devices, such as your smartphone. Each device sends its processed “learnings” to a cloud, where they are combined to provide overall predictions. This helps to prevent mass hacking and theft of data because the data is decentralized.
doc.ai is among the first healthcare companies to incorporate federated learning into its product. Our platform is able to receive learnings from individuals, but we don’t need to have access to their personal data and we can’t manipulate users’ data.
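The device-and-cloud split described above can be made concrete with a small federated averaging sketch. This is an added example, not doc.ai's code or any product's implementation; the function names, the one-feature linear model and the sample records are all constructed for illustration.

```python
import random

def local_update(weights, records, lr=0.3, steps=5):
    """Runs on the device: refine the global model using local records only."""
    w, b = weights
    n = len(records)
    for _ in range(steps):
        grad_w = sum(2 * (w * x + b - y) * x for x, y in records) / n
        grad_b = sum(2 * (w * x + b - y) for x, y in records) / n
        w, b = w - lr * grad_w, b - lr * grad_b
    # Only the two model parameters and a record count leave the device.
    return (w, b), n

def aggregate(updates):
    """Runs in the cloud: sample-weighted average of the device models."""
    total = sum(n for _, n in updates)
    w = sum(wt[0] * n for wt, n in updates) / total
    b = sum(wt[1] * n for wt, n in updates) / total
    return (w, b)

def make_devices(sizes, seed=7):
    """Constructed data: x is a normalised activity level, y = 2x + 1 + noise."""
    rng = random.Random(seed)
    devices = []
    for size in sizes:
        xs = [rng.random() for _ in range(size)]
        devices.append([(x, 2 * x + 1 + rng.gauss(0, 0.05)) for x in xs])
    return devices

def train(devices, rounds=60):
    """Each round: broadcast the global model, collect updates, average them."""
    global_weights = (0.0, 0.0)
    for _ in range(rounds):
        # The server never reads a device's records, only what
        # local_update returns for that device.
        updates = [local_update(global_weights, recs) for recs in devices]
        global_weights = aggregate(updates)
    return global_weights

if __name__ == "__main__":
    w, b = train(make_devices([30, 10, 50, 20, 40]))
    print(f"global model: y = {w:.2f}x + {b:.2f}")
```

The updates are not the raw records, but they are derived from them, so deployments commonly add secure aggregation or differential privacy on top of this scheme.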
Research needs your health data
Many medical breakthroughs over the last decade can be linked back to individuals who provided their health data for scientific research. And as more people share their medical data, technology becomes more sophisticated at gathering that data.
Today, a person undergoing cancer treatment can provide more than 100 million data points per day, generating analysis that could be used to develop future therapies, manage side effects, or create risk prediction models.
In other words, the more data people share, the more breakthroughs are possible, which will ultimately benefit you, your children, and generations to come.
Be Smart About Your Health Data
Your health data is important to research, but also to you. Be smart about how your data is being used and by whom. Here are a few tips to manage how your medical data is used:
- Know with whom you are sharing your health data and understand how they are using it. Is it a non-profit conducting scientific research? A for-profit company using it for research and development of new drugs? A health insurer developing predictions for healthcare costs?
- Read the fine print in privacy policies and informed consents, and make sure you understand them. In an analysis of 15 direct-to-consumer genetic testing companies, researchers found that only four companies clearly explained how people’s genetic data was being used for research.
- Confirm you have the right to opt out of sharing your data or withdraw your consent at any time. Companies and institutions that conduct ethical research should have similar language in their patient consents. Additionally, the far-reaching GDPR also includes a consumer’s right to revoke consent at any time and “to be forgotten,” which means their data will be erased.
- Once you have medical results from a consumer company, you have the right to remove, transfer, and store your data in a private, secure place.
Bottom line: As health data becomes increasingly important to research, to businesses, and to you, it’s important to know your rights when it comes to data ownership and privacy.