Users beware

Unbeknownst to millions of Americans who seek health and fitness help on their computers or smartphones, bits and pieces of their personal, sensitive health information are loose on the Internet. And right now there's not much either they or their healthcare providers can do to protect their online privacy—except quit using these services.

Two new published reports have found that multiple leaks are springing from many popular Internet-based medical, health and fitness websites and mobile applications. In addition, the Illinois attorney general has written to a few executives from online health websites, asking what information they “capture, collect, store, aggregate, sell, share or transmit” about their visitors and whether they “benefit financially” by letting third parties access it, giving rise to “troubling privacy concerns.”

Some experts fear that third-party use of this personal health information could lead to employment discrimination, loss of insurance coverage or higher premiums, and fundamental privacy intrusions.

The operators of many consumer-directed health and wellness sites and their counterpart vendors of mobile health applications work in a regulatory gap between the Health Insurance Portability and Accountability Act, policed by HHS' Office for Civil Rights, and the Federal Trade Commission Act, enforced by the FTC. So, right now, it's user beware.

Dr. Marco Huesch, writing in the July 8 issue of JAMA Internal Medicine, explained how he monitored what 20 popular health information websites did after he entered searches from his own computer for “depression,” “herpes” and “cancer.” He did this by hooking up some monitoring tools to his computer. Huesch reported 13 sites had secreted on them one or more invisible bits of “tracker” code that enable a third party to learn a visitor's browsing history. He caught seven of the sites “leaking” his search terms to third parties.

Huesch, an assistant professor at the Sol Price School of Public Policy at the University of Southern California, said he couldn't tell whether leaked information was used or misused, but found the off-site movement of his search terms “worrisome.”

“I wanted to show doctors who are very tech unsavvy how much of a risk this presents to their patients,” Huesch said. “Commercial websites may also disclose user activity to the government, as recent National Security Agency news stories have suggested.”

Meanwhile, researchers for the San Diego-based Privacy Rights Clearinghouse released a series of reports concluding that 40% of the consumer health apps they tested presented “high risk” regarding personal privacy and another 32% “medium risk.” They examined 43 mobile health and fitness apps using monitoring software.

Clearinghouse Director Beth Givens warned that anyone thinking of using mobile technology for health information should “first, decide how important it is to you to use these health and fitness apps,” and then “accept the consequences regarding your privacy.”

Users could read the privacy policies, but good luck with that, according to Craig Michael Lie Njie, founder and CEO of Kismet Worldwide Consulting and a mobile app developer himself. He researched and compiled the privacy group's 31-page report. “The lawyers are really good at finding ways to cover their apps,” Lie Njie said. “Generally, I found that the more detailed or more extensive the privacy policy is, the more invasive the privacy policy.”

Neither Huesch nor the clearinghouse named the sites or apps they studied. But Lisa Madigan, Illinois' attorney general, named the recipients of her information request letters—webmd.com, weightwatchers.com, drugs.com, menshealth.com, mayoclinic.com, about.com, health.com and mercola.com—in a news release.

In her letter to the developers, Madigan said that 72% of U.S. adults have sought healthcare information online, and such traffic leaves behind “a digital footprint” bearing “sensitive information” about “health topics and symptoms they research, the drugs they read about or the links they click.”

Cora Han, a lawyer in the division of privacy and identity protection with the FTC, pointed to Section 5 of the FTC Act prohibiting “unfair or deceptive acts or practices” as a potential enforcement tool for federal regulators to use in policing how websites and mobile app operators use personal healthcare information. That section provides a cause of action for deceptions by omission, she said.

Joy Pritts, chief privacy officer at HHS' Office of the National Coordinator for Health Information Technology, said HHS has only limited authority to regulate consumer health websites and app developers but that it works closely with the FTC, which she said has primary authority to protect consumers on the Internet. Pritts acknowledged that it's a “fuzzy line” between privacy protection responsibilities as the covered entities and patients increasingly connect and share information.

“It is a shared responsibility,” Pritts said, and consumers have a responsibility to protect themselves from personal data disclosures when they use health websites and mobile health apps, though providers and site and app developers also have a responsibility. “I don't want to make everybody in America a lawyer, but it is important for people to understand they are responsible. The law can only protect them so much.”

Follow Joseph Conn on Twitter: @MHJConn