Jen Miller will never return to Thomas Jefferson University Hospitals, a Philadelphia-based health system.
The longtime runner received a mailer in January from the system advertising bariatric surgery. Just weeks before, she had completed a 24-hour ultra-marathon, but she had noticed some unusual weight gain, so she visited her Jefferson Health doctor to figure out what was going on. Miller's chart showed a BMI just over the cusp of being overweight. Then came the mailer, which read: "We see you, not your weight."
"As someone who had an eating disorder in her 20s, to get a flyer like that, I was stunned and offended to be honest," Miller said.
Miller has written about healthcare for 15 years as a reporter, so she knows that healthcare providers have certain legal rights to use patient information from electronic health records to promote health services.
"There's definitely value in having electronic health records, especially if they're used to do screenings," Miller said. "But to use it to try to sell extreme surgeries around weight, even though there are no other indicators in my health record, seems invasive and upsetting."
Jefferson Health uses customer relationship management (CRM) software that relies not only on patient histories and personal health information but also on more thorough demographic profiles of individuals from several public sources, said John Brand, the company's vice president and chief communications officer.
"CRMs use hundreds of data points to identify a broad target audience for a communication with the intention of educating patients on the options available to help them improve their health," Brand said. "Consistent with federal [Health Insurance Portability and Accountability Act] laws, Jefferson uses various patient data elements along with its CRM in order to more effectively communicate with patients about certain goods and services that lead to more personalized care."
Healthcare marketing like this is a permissible use of patient data under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that regulates the release of patient medical information, as long as a third party isn't paying for it, said Deven McGraw, co-founder and chief regulatory officer at consumer health tech company Ciitizen, based in Palo Alto, California.
"The health systems can use data in order to educate patients about their service offerings or to let patients know about options they might want to take advantage of. They can use fully identifiable data for this, and there's not even a right to opt out under HIPAA," McGraw said. For example, if a system wanted to target people for bariatric surgery, they could hone in on a group of people whose BMI was over a certain level, she said.
"It might've been nice if they had an exclusion for people with diagnosed eating disorders," McGraw said.
Valerie Montague, a partner in the healthcare group at law firm Nixon Peabody in Chicago, said that patients always can reach out to providers directly to ask to be taken off certain mailing lists.
"I think the patients are, in some ways, a check and balance on hospitals and healthcare providers. If they do see something that seems out of the ordinary, it's well within their rights to question it," Montague said. "I would think the healthcare providers would want to respond to the needs of the people they treat."
In Miller's case, Jefferson Health did agree via email to remove her from its mailing lists, after she expressed her concerns.
"I understand that this might be technically legal but it seems really irresponsible," Miller said.
Brand said that Jefferson Health can't speak to Miller's experience due to federal privacy laws, but did say "it is clear that Jefferson's approach to make our mailings relevant was not well received."
"Jefferson works diligently to ensure its patient communications are compliant with all privacy laws and, in reviewing this situation, have confirmed that all actions were appropriate," Brand said.
Art Caplan, a bioethics professor at NYU Langone Health in New York, said, "It's pretty clear this horse is down the road from the barn," when it comes to using personal data for marketing, inside and outside of healthcare. "It's just late in the game in a political world that has given up on hardcore privacy protection."
Healthcare providers could use more transparency in their communications with patients, however, Caplan said.
"At this point, what we can say is there are huge datasets out there, and health systems would be, I think, ethically prudent to try and let people know why are they getting communications post-visit to the health system," he said. That could be something as simple as including a link to a webpage that explains the system's data policies. Industry groups like the American Hospital Association also could devise boilerplate disclosure language health systems could use, he said.
For Miller, the mailer felt like an unwelcome – and unexpected – judgment on her weight.
"There are so many ways that this information can be used in a useful way. That feels like it was too intrusive and judgmental, honestly," she said. "They lost a patient. I will not go back to them for the rest of my life."