A bipartisan group of senators recently sent letters to three telehealth companies in response to a report from Stat and The Markup, which highlighted the tracking and sharing of sensitive and personally identifiable health data with third-party social media and online search platforms like Google and Facebook. The lawmakers are seeking more information about the companies’ data-sharing practices.
The Health Insurance Portability and Accountability Act (HIPAA), which was created before virtual care became available, does not protect much of the data shared by trackers. This has caused concern among health privacy experts and former regulators, as it compromises patient privacy and trust and possibly violates fair business laws.
“Telehealth…has become a popular and effective way for many Americans to receive care. One fifth of the U.S. population resides in rural or medically-underserved communities where access to virtual care is vital. This access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems,” the senators continued.
STAT and The Markup focused their investigation into the data-sharing practices of 50 direct-to-consumer telehealth companies, such as Workit, Monument, and Cerebral. The investigation focused on the use of trackers from big tech companies, including Meta, Google, TikTok, Microsoft, and Twitter, to target advertisements and monitor consumer browsing and purchasing activity. The data collected can be incredibly personal for patients visiting online health care platforms. It was discovered that 13 of the 50 sites had at least one tracker from major social media and search engine outlets collecting patients’ responses to medical questions. Moreover, the investigation found that At least 25 sites conveyed information to big tech platforms when users added prescription drugs and other items to their cart, or when they subscribed to a treatment plan. For instance, when presented with findings that Workit’s website – which offers addiction treatment – had a survey inquiring about opioid and alcohol use, self-harm, and methadone use, and that responses were sent to Facebook, Workit altered their utilization of trackers.
“Recent reports highlight how your company shares users’ contact information and health care data that should be confidential…this information is reportedly sent to advertising platforms, along with the information needed to identify users. This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,” the senators wrote to Cerebral Chief Executive Officer Dr. David Mou, Monument Chief Executive Officer Mike Russell, and Workit Health Chief Executive Officer Robin Ann McIntosh.
In the three letters sent to executives at the companies in question, lawmakers requested a list of every third-party platform with which user information has been shared over the last three years, as well as details on the types of user data that were shared. Both Workit Health and Cerebral offer online prescriptions of controlled substances, which is allowed under the relaxed federal regulations during the pandemic. However, in accordance with federal law, some addiction treatment providers must meet patient privacy standards that are even stricter than those specified in HIPAA. For example, Workit’s physician group has stated that they are not allowed to disclose that a person is a substance use disorder patient to anyone outside of the program, except in limited cases.
The letters also detailed specific practices they use, in addition to making four requests. The first request was for a complete list of questions asked of users on the platform, as these potentially reveal sensitive and personally identifiable health data. Workit’s intake forms, as an example, are said to ask questions such as whether the user is in danger of harming themselves or others, as well as their current opioid and alcohol use and how much methadone they use. These responses, along with the user’s personal information, including full name, email, and phone number, are then sent to Facebook, according to the lawmakers.
In addition, Workit, Monument and Cerebral have all been asked to provide a list of questions a user may be asked on their platform, a list of third-party platforms they have sent tracked user information to in the last three years and information on how they will protect user information in the future. They were also asked to commit to “providing clear, easy-to-understand, plain language information to patients about which personal information they do and do not keep confidential.” Both Workit and Monument have claimed that the information shared on their websites is confidential and HIPAA compliant. Cerebral has not made any claims about its intake forms being HIPAA compliant, but it does note that the responses are confidential and secure. A deadline for the companies to respond to the letter has been set for February 10th.
