The Washington PostDemocracy Dies in Darkness

Help Desk: Can your medical records become marketing? We investigate a reader’s suspicious ‘patient portal.’

Our tech columnist helps identify a HIPAA loophole, explains Apple Pay and shares a Firefox upgrade that helps you track the data trackers on your computer.

(Washington Post illustration/iStock)
Placeholder while article actions load

There’s a saying among certain Silicon Valley billionaires that nobody cares about privacy. My inbox suggests quite the opposite.

In recent months, my email, Twitter feed and Washington Post “Help Desk” have been deluged with your questions and concerns about the secret life of our data. You’ve shared your outrage at how smart TVs and credit cards, web browsers and iPhone apps treat our lives like a product to be sold. You’ve asked me great questions about how you can identify and stop unwanted surveillance.

Some of you have even taken the reporting into your own hands, diving into dense privacy policies and data feeds to report to me what you find. You’ve inspired my investigations and columns for months to come.

Ask our tech columnist a question

This feels like the beginning of a movement. So I wanted to share a few recent queries that show how we can demand more transparency from the technology in our lives. It’s our data, after all.

How private is your health data on “patient portal” websites used by hospitals and doctors’ offices?

It’s not as private as you might hope, despite a federal law known as HIPAA, short for the Health Insurance Portability and Accountability Act.

A reader from Silver Spring, Md., who asked me not to use her name, emailed me after reading the privacy policy in an external website used by her doctors at George Washington University Medical Faculty Associates. The patient portal reserves rights to use “personal health record” data for “marketing and advertising purposes, including sending you marketing and advertising communications whether on our behalf or on behalf of marketing partners.”

Say what? Nobody wants to see their medical diagnosis turn into an ad.

The eagle-eyed reader also noted that when she logged in to Follow My Health, she couldn’t find any privacy or data-sharing controls. “The only way to prevent the use of my data for marketing appears to be canceling/deleting my account,” she wrote.

What’s the law here? A patient portal that has a business associate agreement with your doctor’s office to collect your personal health information should be covered by HIPAA, said Deven McGraw, the former deputy director of health information privacy at the Office for Civil Rights in the U.S. Department of Health and Human Services. And under HIPAA, showing paid, targeted advertisements should require consent from each patient.

When I contacted Follow My Health’s corporate parent Allscripts, it painted a narrower picture of its practices — and claimed the site wasn’t limited by HIPAA.

Tom Lynch, the company’s director of marketing communications, said the site is “not disclosing identifiable patient data to third parties for any marketing purpose” — even though its privacy policy specifically reserves the right to “release” personal health data for marketing and advertising. (That policy was updated in August.)

Lynch said Follow My Health is using “information about patients to alert them to certain goods and services that could support their ability to make more informed choices about their own care.”

All of that happens inside the Follow My Health website. “We have discussed the possibility of alerting patients to information about medical research opportunities, clinical trials or insurance plans that could be relevant,” he said.

But here’s the head scratcher: Follow My Health claims it is not limited by HIPAA. “Unlike a patient portal that a vendor hosts or supports for a single health-care provider, a vendor of a personal health record product that allows individual consumers to aggregate their health information from multiple sources is not regulated by HIPAA,” Lynch said.

The HIPAA-covered business associate relationship, he said, is “limited to the technical work that is necessary to establish and maintain connectivity” between a doctor’s electronic records system and Follow My Health.

GW Medical didn’t respond to my questions about its business relationship with Follow My Health.

This case speaks to a broader problem with HIPAA, said Sharon A. Anolik, president of the consulting firm Privacy Panacea. “There’s a misconception that all health information is protected by HIPAA; it’s just not true,” she says. A growing number of apps and websites skirt oversight, such as wearable devices that track your heart rate, or an app or portal where individuals can store their own health information.

If a company isn’t covered by HIPAA, it “can do more with your health information than you might think, without your consent,” she said.

The takeaway: Yes, you should be suspicious of health portals, even if your doctor uses them. And we should demand doctors be more careful about who they do business with.

The Post reader who alerted me to Follow My Health may have ushered along an improvement. Lynch said that by the end of the year, the site will give account holders the ability to “opt out” from marketing.

Does using Apple Pay keep your purchases more private?

“Apple Pay is convenient, but does it protect my privacy?” asked Jack Miller from Arlington, Mass. The short answer is it does not hide you from retailers and point-of-sale systems that track purchases.

Using Apple Pay does create a special new version of your credit card number, which is good for security. You won’t have to run out and get a new credit card if a merchant gets hacked and a criminal tries making a purchase with that stolen number.

But Apple Pay doesn’t change your card number each time you make a purchase in a store. So a retailer could still use your Apple Pay number as a way to identify you and track you across visits. That’s why, for example, Square terminals at coffee shops and food trucks are still able to text receipts to your previously submitted phone number.

Can I see how websites are tracking me?

A few months ago, I wrote about a Web experiment where I used software to tally up all the tracking cookies I received in a week of normal browsing. It was an astounding 11,189. Several readers asked me how they could track the trackers, too.

Now there’s an easy way to repeat my experiment for yourself. You just have to be using the Mozilla Firefox browser, which I recommend anyway over Google’s Chrome for its superior default privacy settings.

Starting with Version 70 of Firefox, released Tuesday, there’s a weekly status report tallying the times the browser’s “enhanced tracking protection” has blocked third-party cookies and social media trackers. You’ll find it under “show report” when you tap the shield icon next to the Web address.

I’ve been running a beta version of the new Firefox software for the past week, and tallied 10,788 trackers. Now if only it would also name and shame the sites guilty of doing the most tracking.

Read more from our Secret Life of Your Data series:

Alexa has been eavesdropping on you this whole time

It’s the middle of the night. Do you know who your iPhone is talking to?

The spy in your wallet: Credit cards have a privacy problem

Goodbye, Chrome: Google’s Web browser has become spy software

I found your data. It’s for sale.

You watch TV. Your TV watches back.