Health Data Brokers

Personal data privacy has become a prime concern in today’s digital age. With the advancement in technology, our personal information is more accessible than ever before. Health data brokers are one such entity raising concerns among people about their privacy and mental health.

Want information on people with mental health issues such as anxiety or depression? Health data brokers are increasingly collecting data relating to mental health. 

This information can include a person’s name, address, contact details, medical history, prescription records, and even social media activity. The data is then sold to insurance companies, pharmaceutical companies, and marketers. 

How Health Brokers Collect Data & The Risks Behind It

Health data brokers collect data from various sources, including electronic health records, health insurance claims, and prescription records. Some companies even purchase data from other companies, or collect it from public records such as birth and death certificates. Health data brokers also use cookies, tracking pixels, and similar technologies to monitor our online activities and collect information from social networking platforms and other websites.

The risks posed by health data brokers are serious. For instance, if your health data ends up in the wrong hands, it can lead to identity theft, insurance fraud, and even blackmail. Criminals can use this data to access your bank accounts or medical insurance, or sell it on black markets. Additionally, marketers can use it to target vulnerable individuals with advertisements for medical products and services.


Stories Behind Health Brokers Selling Mental Health Data

According to recent research from Duke University’s Sanford School of Public Policy, roughly a dozen data brokers are selling mental health data for very low prices, frequently with little or no screening of the potential buyer and little regulation of how the data is used. Many of these brokers implied that the data could include personally identifiable information about those individuals, such as names and contact details.

The report’s author, Joanne Kim, said, “There are data brokers which advertise and are willing and able to sell data concerning Americans’ highly sensitive mental health information. The research is critical as more depressed and anxious individuals utilize personal devices and software-based health-tracking applications.”

The data broker industry has been exposed before for selling private health data. A Gizmodo investigation conducted shortly after the Supreme Court overturned Roe v. Wade found hundreds of data brokers offering 2.9 billion profiles of Americans who were either “actively pregnant” or “shopping for maternity products.”

These pervasive health privacy issues have recently been addressed in ground-breaking ways by the Federal Trade Commission, but the initiative is in jeopardy. At the start of February, the FTC reached a settlement with GoodRx, under which GoodRx was fined $1.5 million for providing consumers’ prescription data to Google and Meta (the owner of Facebook). The settlement aims to establish that using health information for advertising without explicit authorization is forbidden.

What Does HIPAA Say About Health Data Brokers?

When unsecured protected health information (PHI) is improperly used or disclosed—or “breached”—in a way that jeopardizes the PHI’s privacy and security, covered entities are required, under the HIPAA Breach Notification Rule, to notify the affected individuals.

However, in the cases we’ve mentioned, patients are entering their own information into health apps. Because the patients use the app for personal care, the health apps do not need to be HIPAA compliant and are not subject to the Breach Notification Rule. If the app were used by a healthcare provider, such as a digital health chart app that doctors use to deliver lab test results to their patients, it would need to be HIPAA compliant.
