Big Tech and Health Data: How the Landscape is Changing
The relationship between big tech and health data has been a concern for more than a decade due to fears about the monetization of individuals’ health information and the security of data. Now, federal and state regulators are taking steps to force big tech to be more transparent about what health data is collected, how it is used, and how it is protected.
The relationship between big tech and health data started almost a quarter of a century ago when, in 1999, Microsoft invested $250 million into the online health and well-being website WebMD. To ensure the success of the venture, Microsoft also underwrote $150 million in doctor subscriptions and $100 million in commitments to sell advertising and sponsorships.
Over the next ten years, Microsoft expanded its interest in the healthcare ecosystem with the acquisition of the integrated hospital information platform Azyxxi (now GE Caradigm), the workflow and patient safety system Global Care Solutions, and the genetic, genomic, metabolomic, and proteomic data management solution Rosetta Biosoftware.
As later-developing tech companies evolved into big tech companies, their interests in health data also became apparent. Apple’s 2010 acquisition of RareLight, a non-invasive glucose monitoring system, kicked off a series of healthcare acquisitions by big tech companies. The most significant acquisitions since 2010 include:
- 2016: Apple ventured further into the healthcare market with the acquisition of Gliimpse – a health data app that enables users to collect and combine disparate threads of personal health info, and share the data with whoever they wish.
- 2017: Google acquired Senosis Health – a software solution that uses smartphones as monitoring devices to collect health metrics for diagnosing pulmonary function, hemoglobin counts, and obtaining other critical health information.
- 2018: Amazon paid a reported $1 billion to acquire the online pharmacy PillPack. The acquisition was the stepping stone for the launch of Amazon Pharmacy – an online service that delivers medications to Prime members within two days.
- 2021: Google acquired Fitbit and its database of 29 million users in a deal worth a reported $3.2 billion. Interestingly, one of the conditions of the sale was that Google would not use users’ health and wellness data for targeted advertising.
- 2022: Amazon made its biggest commitment to healthcare by spending $3.9 billion to acquire One Medical. The acquisition added a physical healthcare infrastructure to the recently launched telehealth service – Amazon Clinic.
- 2022: Microsoft dwarfed all previous big tech acquisitions with the purchase of Nuance Communications for $17.9 billion. The acquisition will enable the development of new AI healthcare solutions that combine voice recognition and cloud technologies.
Big tech firms are likely to continue to expand their footprint in healthcare, and many are already doing so with major investments in “metaverse technologies” (AR, VR, XR, M-worlds, blockchain, etc.). Many have already developed FDA-approved technologies for use cases such as behavioral and mental health, pain management and physical therapy, and testing and diagnosis. Over the next decade, future metaverse technologies are anticipated to further improve care navigation and operational decision-making, increase patient safety, and reduce costs.
Big Tech and Health Data: The Good, the Bad, and the Ugly
The Good
There is no doubt that the involvement of big tech has vastly improved the delivery of health care in the United States. Between them, the “Big 4” have developed interoperable technologies that allow patients and providers to review complete medical records with the click of a mouse, enable health plans to compile more comprehensive health data on members, and facilitate the development and manufacture of life-saving drugs by pharmaceutical companies.
Due to advances in the capabilities of wearable devices, healthcare providers can respond faster to patient health indicators, make more accurate diagnoses, and develop more effective treatment programs. Advances in healthcare IT have also accelerated healthcare workflows, lowered the cost of healthcare delivery, and contributed to a reduction in medical errors, an improvement in public health, and an increase in life expectancy (by three years since 2000).
The potential also exists for further improvement. Metaverse technologies under development include digital triage sites, virtual disability and elder care, and XR-supported clinical trials, and the adoption of blockchain technologies will support the integrity of claims data and better secure patient data. In another quarter of a century, the relationship between big tech and health data will likely be much closer than it is today.
The Bad
The involvement of big tech has also raised concerns about what health data is collected, how it is used, and how it is protected. One of the consequences of supplying digital infrastructure services to healthcare providers is that big tech companies acquire access to vast quantities of health data. The companies claim they need access to the data to connect data silos and obtain superior data-driven insights that can improve the delivery of healthcare, lower costs, and save lives.
However, patient privacy rights advocates claim that health data such as prescription records, lab test results, and drug histories are regularly being sold to pharmaceutical manufacturers, healthcare clearinghouses, and data analysis companies. They claim the sale of health data affects which drugs are prescribed by healthcare providers, how much health plans charge for insurance coverage, and what devices and services are marketed to patients.
Because of loopholes in HIPAA and exclusions written into service contracts, the monetization of health data is not illegal. However, with every report of health data being sold by big tech, patients lose faith that their health data will remain private. The lack of trust in big tech concerns patient privacy rights organizations, as they feel it will result in patients being less forthcoming about their symptoms, which will affect the diagnosis and treatment of their conditions.
The Ugly
Data in the hands of marketers is one thing. Data in the hands of criminals is another. When big tech companies fail to properly secure patient data, the potential exists for massive data breaches. Data in the “wrong” hands can result in identity theft and healthcare fraud – affecting not only healthcare providers and payers but also the individuals who were encouraged to share their most sensitive information with the promise it would be kept private.
Although HHS’ Office for Civil Rights maintains a breach portal that lists all data breaches affecting more than 500 individuals, the breaches listed are only those that affect HIPAA-covered entities and their business associates. Breaches of health data maintained by big tech companies do not appear in the report unless the big tech company is providing a service for or on behalf of a covered entity or upstream business associate.
When data breaches occur at HIPAA-regulated entities, individuals are required to be notified about the breach per the HIPAA Breach Notification Rule, and the breaches are added to the OCR breach portal; however, health data breaches at non-HIPAA-regulated entities do not tend to get the publicity that they should. For example, in 2021, an unsecured database exposed the data of 61 million Apple and Fitbit users, and in May 2023, PillPack reported a data breach affecting more than 19,000 customers, yet since these breaches were not at HIPAA-regulated entities, they cannot be found on OCR’s ‘wall of shame,’ even though health information was exposed.
How are Regulators Reacting to the Bad and the Ugly?
The bad and the ugly parts of the relationship between big tech and health data have not gone unnoticed by regulators. At the federal level, the Federal Trade Commission (FTC) recently warned companies that collect health data that they must comply with the requirements of the FTC’s Health Breach Notification Rule. The agency has also taken enforcement action against several companies for falsely representing they would not share health data with third parties without users’ consent.
The HHS’ Office for Civil Rights has also published a bulletin warning HIPAA-covered entities about using data-tracking technologies on their websites, and – in an unprecedented move – sent letters to 130 healthcare organizations warning them of the security and privacy risks associated with third-party tracking technologies. All the organizations were addressed by name and the letters were published. While the move is understandable due to the risk of identifiable health information being disclosed to big tech firms, after which all control of that information is lost, the legality of OCR’s stance on tracking technologies has been questioned. One judge determined that extending the definition of protected health information (PHI) to include health information and IP addresses collected from website visitors is more than the statute can bear.
States are also contributing to the changing regulatory landscape. Nine states have passed legislation this year to regulate what health data is collected, how it is used (without patient consent), and how it should be protected, while two further states (Connecticut and Texas) have added consent requirements to existing data privacy legislation. Many other states have health data privacy legislation in the committee stages or waiting for final approval by both legislative chambers.
A new, comprehensive federal privacy law has also been proposed in the form of the American Data Privacy and Protection Act (ADPPA), which could help to rein in big tech firms and curb their use and sale of sensitive consumer data; however, while the ADPPA has bipartisan support, that support is not sufficient for it to survive a House vote.
What Healthcare Providers Need to Know about the Changing Landscape
Most new state legislation will have minimal impact on healthcare providers, either because HIPAA-covered entities are exempt or because the legislation enacted by states mirrors HIPAA’s existing privacy and security standards. However, organizations that collect health information must ensure they follow the guidance issued by the FTC and OCR regarding the use of tracking technologies, which can disclose personally identifiable health data to third parties such as big tech firms.
Many organizations that collect health data have taken the guidance on board and have removed these technologies from their websites and apps. The problem with OCR’s stance, as recently pointed out by the American Hospital Association (AHA) and several other critics, is that there is much greater potential for harm from preventing these technologies from being used than from permitting them. Tracking technologies allow healthcare organizations to improve their websites and services, and to communicate better with patients about important health issues. Prohibiting these technologies will limit the ability of healthcare providers to deliver relevant and reliable health advice and to improve services for their communities.
While the risk of disclosures of identifiable health information to big tech firms and other third parties will be managed and reduced, the loss of the benefits that come from these technologies could be far worse. This is certainly an area where discussions are required between all stakeholders to determine if there is a better solution that will allow the use of tracking technologies for improving services while minimizing privacy risks. Such an approach could involve prohibiting these technologies in higher-risk areas such as patient portals and appointment scheduling apps, while permitting the technologies elsewhere, provided patients are informed that these technologies are in use through Notices of Privacy Practices and/or web and in-app notifications.
Steve Alder, Editor-in-Chief, HIPAA Journal