Current Psychiatry Reports, 16:494

Privacy in the Digital World: Medical and Health Data Outside of HIPAA Protections

  • Tasha Glenn
  • Scott Monteith
Psychiatry in the Digital Age (JS Luo, Section Editor)
Part of the following topical collections:
  1. Topical Collection on Psychiatry in the Digital Age


Increasing quantities of medical and health data are being created outside of HIPAA protection, primarily by patients. Data sources are varied, including the use of credit cards for physician visit and medication co-pays, Internet searches, email content, social media, support groups, and mobile health apps. Most medical and health data not covered by HIPAA are controlled by third party data brokers and Internet companies. These companies combine this data with a wide range of personal information about consumer daily activities, transactions, movements, and demographics. The combined data are used for predictive profiling of individual health status, and often sold for advertising and other purposes. The rapid expansion of medical and health data outside of HIPAA protection is encroaching on privacy and the doctor-patient relationship, and is of particular concern for psychiatry. Detailed discussion of the appropriate handling of this medical and health data is needed by individuals with a wide variety of expertise.


Privacy, HIPAA, Data broker, Privacy policy, Predictive analytics, Trust, Doctor-patient relationship, Mobile apps


Compliance with Ethics Guidelines

Conflict of Interest

Scott Monteith declares no conflict of interest.

Tasha Glenn shares a patent for ChronoRecord software but does not receive any financial compensation from The ChronoRecord Association, a 501(c)(3) nonprofit organization.

Human and Animal Rights and Informed Consent

This article does not contain any studies with human or animal subjects performed by any authors.



Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. ChronoRecord Association, Inc., Fullerton, USA
  2. Michigan State University College of Human Medicine, Traverse City Campus, Traverse City, USA
