A Shadow of Oneself
How your everyday actions create unregulated health data.
Researchers from U-M’s Institute for Healthcare Policy and Innovation (IHPI) recently published a piece in Science about health care data that fall outside the scope of HIPAA regulations. When paired with existing health care information, these data, often collected online, are called “shadow” records. Less regulated than their HIPAA-bound counterparts, shadow records have proven helpful investigative tools for the medical field. But, researchers warn, there are concerns regarding the mishandling and selling of data, such as the potential for insurers to “identify high-cost patients to avoid,” or for targeted marketing strategies to exploit personal information.
Medicine at Michigan spoke to co-authors and IHPI members W. Nicholson Price, J.D., Ph.D., assistant professor of law; and Kayte Spector-Bagdady, J.D., MBioethics, assistant professor of obstetrics and gynecology, and chief of the Research Ethics Service in the Center for Bioethics and Social Sciences in Medicine. Timo Minssen, Dr. jur., a professor of law at the University of Copenhagen; and Margot E. Kaminski, J.D., an associate professor of law at the University of Colorado Law School, were additional co-authors.
What kind of information constitutes a shadow record?
We used the term “shadow health record” to mean a collection of health-related data that exists outside the health system — but that can still provide detailed insight into an individual’s health.
What is the difference between how HIPAA-protected information and shadow record information are gathered?
HIPAA only protects health information gathered by “covered entities,” such as health care providers, plans, or clearinghouses, or their business associates. Shadow record information comes from other sources, such as health or wellness apps, social media posts, or internet searches. It can also come from information that once was covered by HIPAA, but has now become unprotected.
Why isn’t the information in shadow records protected or regulated under HIPAA?
Because almost all of our health data in the United States is protected by method of acquisition, the same piece of data can be regulated completely differently if you gave it to your doctor versus if you plugged it into a health app (like for your wearable fitness device). When the HIPAA Privacy Rule was promulgated in 2000, no one envisioned the massive amounts of health data people would choose to freely share over the internet decades later.
In what ways can shadow records aid research? Conversely, how can that information be misused?
In order to be useful, health data must generally be associated with health factors and variants, and also with outcomes. For example, it would be helpful to understand how certain genetic variants, when compounded by the smog of city living, can lead to asthma and related morbidities and mortalities. The more data we have about people, their lifestyles, health problems, and outcomes, the better we can assess which variants are most likely to affect those outcomes to develop new diagnostic tests or treatment.
Regarding how the information can be misused — it depends on your definition of “misuse.” Traditionally, data ethicists consider misuse to be any use which is not disclosed or consented to. However, we know that often — even when uses are disclosed and people check off that they agree to terms and conditions — people don’t actually read the disclosures and are still upset when they find out about uses of their health data. And a narrower definition of “misuse” might focus on activities that harm or manipulate people (targeting them for unnecessary treatment ads or discriminating against them in hiring), rather than focusing on individual disclosure or consent.
One could inadvertently contribute to or distribute one’s shadow record without knowing — for example, by uploading data to a third party, like a genealogy website. Are there any policies in place to warn individuals, or to suggest their information could be used without their consent?
Different platforms and apps have different levels of disclosure. Some have quite comprehensive terms and conditions and privacy policies. Others do not fully disclose potential future uses. Anyone who is concerned about the privacy of their health data should always read these policies carefully and not use the platform if data privacy terms are not available or you cannot understand them.
Europe and California have taken steps to ensure individuals’ shadow records are more fairly regulated and protected. Can you explain what these steps are?
Both the European Union and California recently put in place new data privacy regulatory regimes that apply to personal information, including health data. The General Data Protection Regulation (GDPR) in Europe applies to “personal data” (including health data) that are “processed” by a wide range of public or private entities. The GDPR requires companies to obtain such personal data legally (e.g., with consent); to collect and process only as much data as necessary; to notify individuals when their data have been received (usually); and much more. California’s new Consumer Privacy Act applies only to personal information about California residents. It creates notice and access requirements for businesses that collect, sell, or disclose information, and consumers may request that certain information be deleted and may opt out of the sale of their information.
Do you believe more states and countries should adopt similar methods of regulating shadow records?
We believe that the U.S. needs a more comprehensive data regulatory regime. Given the fluidity with which data travel between states, state-by-state legislation is neither an adequate nor efficient solution. It’s up in the air whether state action like California’s will effectively force federal action (which could be good or bad, depending on what it looks like), and how far the GDPR’s effects will stretch.
Are there potential unintended effects of bringing such regulations to bear on shadow records?
Regulating shadow records will unacceptably constrain innovation; right now, they’re an awkward workaround but do have some potential benefit. But it’s also important that people know how their data will be used when they share it, and that benefits resulting from such new data sharing and research are distributed in equitable ways. Both additional transparency and accountability are necessary to increase much-needed public trust in data science.
What might shadow records look like a decade from now?
It’s not at all clear. They might have mutated to take account of new privacy rules — focusing more on proxies and less on direct health measurements. They might look pretty much like they do now. Maybe we’ll actually have good big-data infrastructure; if there are ways to share data usefully and effectively, perhaps such records don’t need to be in the shadows at all.