Stories Behind Health Brokers Selling Mental Health Data
According to recent research from Duke University’s Sanford School of Public Policy, roughly a dozen data brokers are selling mental health data for dirt cheap, frequently with little to no screening of the potential buyer and little regulation of how the data is used. Many implied that individuals’ personally identifiable information, such as names and contact details, may also be offered for sale.
The report’s author, Joanne Kim, said, “There are data brokers which advertise and are willing and able to sell data concerning Americans’ highly sensitive mental health information. The research is critical as more depressed and anxious individuals utilize personal devices and software-based health-tracking applications.”
The data broker industry has been exposed before for selling private health data. A Gizmodo investigation conducted shortly after the Supreme Court overturned Roe v. Wade found hundreds of data brokers offering 2.9 billion profiles of Americans who were either “actively pregnant” or “shopping for maternity products.”
The Federal Trade Commission has only recently begun to address these pervasive health privacy issues in ground-breaking ways, but the initiative is in jeopardy. At the start of February, the FTC reached a settlement with GoodRx, which was fined $1.5 million for providing consumers’ prescription data to Google and Meta (the owner of Facebook). The settlement aims to establish that using health information for advertising without explicit authorization is forbidden.
What Does HIPAA Say About Health Data Brokers?
When unsecured protected health information (PHI) is improperly used or disclosed—that is, “breached”—in a way that compromises the privacy or security of the PHI, covered entities are required, under the HIPAA Breach Notification Rule, to notify the affected individuals.
However, in the cases mentioned above, patients are entering their own information into consumer health apps. Because the patient uses the app for personal purposes rather than through a covered entity, the app is not required to be HIPAA compliant and is not subject to the Breach Notification Rule. If the app were used by a healthcare provider, such as a digital health chart app that doctors use to deliver lab test results to their patients, it would need to be HIPAA compliant.