Why HIPAA Won’t Save You: Protecting Data Privacy

This weekend, I had the fortune to speak at (and attend) the SXSW Interactive Festival for the first time. I wanted to take the opportunity to share here some of the perspectives I brought to the panel titled “Why HIPAA Won’t Save You: Protecting Data Privacy” with my colleagues Amanda Sheldon (Medtronic Diabetes), Jane Sarasohn-Kahn (THINK-Health and Health Populi blog) and Marc Monseau (Mint Collective LLC).

Recent data breaches have made the American public more aware of the issue of privacy, and of the potential for their health information to end up in unwanted hands.

Still, most people do not bother to scroll through a lengthy Privacy Policy, Consent Form, or Terms of Use… though we probably should! On page 30 there may be a provision that could very well allow the company providing us with the tool or service to sell or share our data in ways that we may not be OK with.

What can be done to make this process easier on the patient?

  • People with visual disabilities may struggle to read text below certain font sizes (I am one of them!!), and legal documents are also frequently referred to as “the fine print”. It would make sense to use a bigger font for the most sensitive parts of the document.
  • People learn from information differently: there are people who are visual learners, there are people who are auditory learners, etc., and even if all people could become informed by reading alone, lengthy documents make that ineffective. Having a one-page summary or an infographic with the key elements of the policy would be a tremendous advance on this front.
  • People’s literacy level (health literacy, ability to understand legalese) can also get in the way. Even if the information is there and it’s accessible to the patient, they may not be able to understand what it means.
  • Lastly, even if you understand what the information means, you may not be able to understand the mid-to-long term implications. This is the hardest item to address, because it involves implications that may not be apparent today.

As my friend Erin Gilmer, Health Policy Attorney and Patient Advocate, told me:

HIPAA is meant to give patient rights and ensure patients can trust that the system will keep their PHI safe – only used for treatment and payment purposes. [But] it has not yet evolved to tackle the sharing of data via social media or apps or websites or forums.

Makers of apps, devices, etc. where health data is being collected and/or shared need to do the right thing for the patient. That will go a long way towards protecting their privacy:

  • Almost every piece of data that is collected about someone using your product could have health implications: GPS data, mobile device usage, etc., so it needs to be treated with the same care as an A1c, weight, or cholesterol value.
  • Only data that is needed to do the job should be collected. Just because you can ask for a piece of data doesn’t mean that you should, if you are not going to use it.
  • If you need to collect a piece of data, default to collecting it in an anonymized or aggregated fashion if that can give you the information you need.
  • If you are going to use the piece of data that is personally identifiable information, remember the Mom Test that Jane talks about: would you trust the system with your own mother’s data?
  • Don’t hide behind regulation or lack of guidance to justify the small print, the cryptic language, or the obscure links. KISS = Keep It Simple and Stupid!
  • People will not necessarily resent that their data is sold, as part of their usage of the product. But two things need to happen for this to work out: (1) they need to get a compelling benefit from the experience (and often it’s not a monetary incentive, but rather a sense of being part of something bigger, advancing science, etc.); (2) they need to CLEARLY understand that their data could be sold, and probably be told so again as it’s about to happen (always remember they are in the driver’s seat). A great example of how this has been done well is PatientsLikeMe.
  • Life happens and health changes with it, so products we interact with should allow us to update our privacy preferences easily at any point. Reminders about what is being done with your data, or about what parts of your data are being used in ways that could affect your privacy, build an environment of trust that is essential for a healthy ongoing relationship with your customers. “When data is your primary currency, trust is fundamental for your business.”
  • Every maker should provide users with a way to access their data easily in a truly portable format. A PDF is not a portable format (no matter what the acronym may stand for). Data siloed behind a company’s walls is not portable. Remember: the patient is in the driver’s seat and they OWN their data. Just because a company collects data doesn’t mean they own it. They are mere stewards of our data.

At the end of the day, it’s about placing the interests of the patient first and doing so with transparency and openness. While it is perfectly fine for companies to protect themselves, it cannot be done at the expense of the interests and the privacy of the consumer. This is something where everyone (patients, companies, and regulating entities) has a role to play.

Thank you to the following people, whose incredible insights helped make my participation (hopefully) more useful to those in attendance:

  • Erin Gilmer – Health Policy Attorney, and Patient Advocate (@GilmerHealthLaw)
  • Dana Lewis – Moderator for #hcsm, Patient Advocate (@danamlewis)
  • Melissa Lee – Exec. Director for Diabetes Hands Foundation, Patient Advocate (@sweetlyvoiced)
  • Brian Cohen – Lead Administrator for TuDiabetes.org, Patient Advocate
  • Other generous members of TuDiabetes.org

It’s the birthday of TuDiabetes!!

In March of 2008, we started TuDiabetes because we saw that too many people with diabetes were feeling isolated instead of benefiting from the shared experience they could have by connecting to other people touched by diabetes.

Today, Diabetes Hands Foundation’s networks allow members to find support locally and globally. Our more than 23,000 members describe the TuDiabetes family as a lifeline, a source of guidance, a sanctuary, and even a college education! We proudly connect advocates, artists, dreamers, thinkers, and people touched by diabetes of all types so that all of us may live a more expansive life with diabetes.

I sit back and reflect on where we were five years ago and where we are now:

– I have learned to stay flexible, both about my diabetes (not pretending to be perfect) and in the way we do things on TuDiabetes and the Diabetes Hands Foundation (adapting to changing circumstances, challenges, and signals along the way).

– I am more hopeful than ever: I have had the opportunity to talk with (and share the conversations on video) some of the world’s most brilliant minds working to make our lives better and one day have diabetes be a thing of the past.

– I have witnessed the power of social media beyond socializing: seeing how connected people touched by diabetes now feel better understood and more empowered. Who would have imagined this when MySpace was the big thing?

On our fifth birthday, please help us keep going strong in our mission to improve the lives of people living with diabetes worldwide.

If all members of TuDiabetes donate $5, we will raise more than $100,000. Our goal is less ambitious: we are seeking to raise $20,000 before the end of March. So we ask you to give us 5 dollars, or more if you can.

Thank you for your support! And here’s to another 5 years!