‘What happens to all these people whose data you now have in great volume?’ said Adam Tanner. Photograph: Kamil Krzaczyński/Reuters

How US companies could use patients’ data from Covid vaccine drive


Privacy advocates warn retail pharmacies in particular are blurring the line between public health and commerce

Data rights organizations have warned that patients lack a clear understanding of how information about their health, employment, contact or location details may be used if it is collected by private entities during the Covid-19 vaccine drive.

Some advocates have already expressed concerns that the information could be used for marketing, targeted advertising or de-identified and sold into the multibillion-dollar health data industry.

“This [vaccine] is a miracle of modern science, and it’s so important to get it as fast as possible to all the people, and yet all the secondary questions have been left aside,” said Adam Tanner, an associate at Harvard’s Institute for Quantitative Social Science.

He is also the author of Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records, which explores the market for de-identified health data. “What happens to all these people whose data you now have in great volume?”

Privacy advocates warn retail pharmacies in particular are blurring the line between public health and commerce. For example, Walgreens required all customers seeking a vaccine appointment to make an account, including an opt-in to marketing emails, ReCode reported.

The company also encouraged people seeking vaccine appointments to join its loyalty program, which supplies data to the pharmacy’s advertising arm, Walgreens Advertising Group.

Non-profit hospitals have also opted in to the bonanza. RWJBarnabas Health, a large New Jersey hospital group which operates the Jersey City medical center, asked patients receiving a vaccine there to sign a form stating in part: “I understand I may be contacted as part of the hospital’s marketing activities”, and that patients could be contacted “as part of its fundraising activities”.

The US has relatively strong health information protections for individuals under the Health Insurance Portability and Accountability Act, best known as Hipaa. This law regulates how hospitals, pharmacies, doctors and insurers can share people’s health information.

However, it does allow for “de-identified” data to be sold, and in an era when data behemoths such as Google are partnering with healthcare providers, the extent to which Hipaa protects personal information is now being considered by courts. One distinct risk is that, in partnership with large corporations which already own a huge amount of consumer data, individuals’ health records could effectively be “re-identified”.

The Centers for Disease Control and Prevention (CDC) also appears concerned about how data is being collected by private entities in the vaccine distribution campaign, and warned against using data for commercial purposes.

“Providers are prohibited from using any data gathered in the course of their participation in the CDC Covid-19 vaccination program … for commercial marketing purposes,” the agency wrote. The agency continued: “Such data cannot be sold or otherwise provided to any other entity, except as required by the provider agreement.”

However, privacy experts are skeptical such guidance is sufficient.

“I would be surprised if that had any legally binding effect,” said Lee Tien, a senior staff attorney and privacy expert with the Electronic Frontier Foundation. “I would love it if it were, but I would be surprised by that.”

In a statement, RWJBarnabas said it “is committed to protect patient privacy and conduct any outreach subject to patient authorization and use patient identified data only as permitted by state and federal law, as stated in our consent.” The hospital group also said it would review, “and, if necessary, will make changes to our policies consistent with the April 2, 2021 CDC guidelines”.

Tanner said patients are being asked to submit all sorts of information that might be useful medically, for example to avoid serious adverse vaccine reactions, but which also might be useful for private companies.

In his own example, he was asked to update his address with CVS to get a vaccine. This important information is vital for vaccinators, no doubt, but also could be used to market to Tanner in the future without any proof it came as a result of the vaccine drive.

“That information is medically useful but it’s also useful for sales and marketing, so I’m just raising the question – is the data properly protected amid this very important vaccination campaign?” he said.

“The answer is a little bit murky still.”
