When Barack Obama came to Austin, Texas, to speak at SXSW, the yearly festival of ideas in music, technology, and movies, the President was wearing a Fitbit on his wrist. Fitbit's wildly popular fitness trackers can capture health data such as heart-rate, sleep patterns, and location. Apparently, the president has people to tweak his technology, limiting how much of his personal information pours into the ocean of data for sale about consumers. But the rest of us have few protections against such information being collected and monetized, according to a SXSW panel organized by Consumer Reports and led by Teresa Carr, a senior editor who reports on health and medical topics for the organization.

“It’s a 21st-century gold rush, where our health data is looked at as a natural resource,” Carr said at the session, held on Monday at Austin’s JW Marriott. Medical records shared among doctors and hospitals are covered by HIPAA, the medical privacy law, but data shared among app developers, financial firms, and others is unregulated. As President Obama has pointed out, the use of such data can enhance research and promote public health. But there are also risks. Lucia Savage, the chief privacy officer for the U.S. Department of Health and Human Services, was one of three panelists speaking alongside Carr. She pointed out that nearly any consumer information can reveal clues to health. “It includes how clean or dirty the air is where you live, and how many bags of potato chips you bought last week.” You may have purchased 20 bags of snacks for a soccer team practice, but to someone accessing your buying habit details, it can look as though you’re immersed in a junk-food binge.

The Trouble with Data

Americans are worried about how health data of all kinds is shared, according to Consumer Reports' research conducted in 2015. Nearly everyone surveyed—91 percent—agreed that their consent should be required whenever health information is shared. And 45 percent of respondents in the survey, a nationally representative group of more than 2,000, found it “creepy” when an ad targeting their medical conditions popped up in a web browser. How do those ads show up? If you see an oncologist, the resulting medical records can’t be sold to a data broker, but when you visit websites that provide information on cancer treatments, that information is captured and shared just like web searches on vacation spots or dress shoes. 

The panelists, who spoke in front of close to 200 SXSW-goers, tried to define both the risks and benefits of sharing health data widely. 

The risks to individuals were sketched out by Lygeia Ricciardi, a health-industry IT consultant who helped pioneer digital health programs at HHS. One risk arises from stolen health data: She cited research showing that medical fraud costs victims an average of $13,500, and 200 hours of work to rectify. Such fraud can occur when criminals submit health claims under a victim's name. And, while it’s possible to be reimbursed for fraudulent credit card charges, there’s no way to pull back sensitive medical information that has been widely shared. (Consumers can take steps to protect themselves.)

However, legal uses of health data can also have adverse effects on consumers. The Affordable Care Act resolved the problem consumers faced when they were denied health insurance because of preexisting conditions. However, other problems remain. Speaking after the session, panelists said they were unaware of any clear federal standards preventing private companies from using information about health conditions to make hiring or promotion decisions, and they worried about discrimination based on these conditions.

As data become far easier to acquire, abuses like that could become more widespread, panelists agreed.

Apps Lack Privacy Policies

But that’s just one side of the story. There’s not a lot of societal benefit from marketers trading data on what TV shows we all watch, but things are different when it comes to medical information. Sally Okun, vice president of policy and safety at Patients Like Me, was a panelist who spoke in favor of increased data-sharing combined with strong consumer empowerment. Her company is a health-data sharing platform founded in 2004 to make it easier for people with relatively unusual illnesses to get information, and supply data to researchers. And she cited a consumer phenomenon that turns a concern about medical devices on its head. Researchers have warned that pacemakers and other equipment could be compromised by hackers, but Okun said that some highly tech-savvy patients are talking about hacking into implanted devices because they want fuller access to data on their own health.

Ultimately, the desire for privacy depends a lot on context, panelists said. Ricciardi recounted an art project in New York City, in which passersby at a Brooklyn festival were asked to trade personal data for a cookie—not a web cookie, but the literal kind. Hundreds of people agreed, giving up their mothers’ maiden names, driver’s license numbers, and in some cases the final four digits of their Social Security numbers for the confections. Would they have provided a list of their current medications? It's hard to know.

Users of Patients Like Me share a lot of data because they are confident they are in control of the information, Okun said. However, that’s not the rule for many other health websites and apps. She pointed to research recently published in the Journal of the American Medical Association that found that of 211 diabetes-management apps in the Google Play store, only 19 percent had privacy policies—and many of those policies stated that consumer data was being collected and shared. In these cases, consumers may not be aware that data can be shared with marketers.

Looking ahead, the panelists agreed that government regulation would lag innovation, as it usually does—but they didn't call for new controls. “You don’t want laws rewritten every two weeks because some software was updated,” Ricciardi said. However, responsible developers can adopt HIPAA as a guideline, even when it’s not legally required, and HHS has started a portal for developers of health and medical apps to get guidance on best practices. “There’s nothing stopping developers from doing the right thing,” Savage said.