But the good news is that you have the right to say no. I’ll show you what to watch out for.
Several Washington Post readers recently wrote to Ask Help Desk about a consent form they were asked to sign when registering for a doctor’s appointment. Most of us hastily fill out every document presented to us, but these eagle-eyed readers stopped at this:
“I hereby authorize my health care provider to release to the Phreesia registration system my health information entered during the automated registration process…to help determine the health-related documents I will receive in the my use of Phreesia. Health-related materials may include information and advertisements related to treatments and therapies specific to my medical condition.”
Here’s what’s going on: A company called Phreesy manufactures software used by more than 2,000 clinics and hospitals across the United States to streamline check-ins, replacing the clipboard and photocopied forms with screens on a website or app. The company claims it has been used for over 100 million records in the past year. Some patients use Phreesia’s software for early digital recording at home, while others use it on a tablet in the clinic.
But Phreesia doesn’t just make money selling its software to medical practices. It is also in the business of selling advertisements to pharmaceutical companies which it displays once you fill in your forms. And it wants to use all that information you’ve entered — what medications you’re taking, what illnesses you’ve had in the past — to tailor those ads to your specific medical needs.
I can understand why drug companies might want this. The ads remind you to ask your doctor what medicine he is injecting just before you enter the exam room. With access to your data, Phreesia can ensure that its advertising messages reach the most receptive audience when they seek care.
What did you agree on? Tax sites want your data for more than filing.
But wait a minute: isn’t your medical information supposed to be private?
“There is less protection than we all think,” says Arthur Caplanchief of the division of medical ethics at New York University’s Grossman School of Medicine.
When the Health Insurance Portability and Accountability Act (HIPAA) was written in the 1990s, medicine was very different. “The privacy you were thinking about then was who could see my paper file,” Caplan says. Now that the records are digital, they have developed many secondary uses.
I asked Phreesia how they could use our data under HIPAA. The company says it’s not the same as your clinic or hospital, which is considered a “covered entity” under HIPAA. Instead, Phreesia is a ‘business associate’ of your provider and is automatically authorized to process your data for the purpose of assisting your doctor and collecting payment.
But in order for Phreesia to use your data more to show you ads, HIPAA requires you to register. That’s why they want you to press “I Agree” on this form.
You have the right to say no. To do this, be on the lookout for the button labeled “I refuse”. If you say no, nothing is supposed to change when you visit your doctor, says Phreesia.
(If you previously pressed “I Agree” and now want to change your mind, you can email firstname.lastname@example.org or let your doctor’s office know.)
Phreesia says it does not “sell” your data. Instead, Phreesia mine your data and use it to target you with ads on its own system without passing the information on to others. (This is a privacy argument I hear from Facebook and Google just as often.) Phreesia also says it doesn’t track you to other digital places, and that consent won’t cause you to see ads strangely. targeted to other websites and applications.
But still, why would a patient want to say yes? David Linetsky, who runs Phreesia’s life sciences advertising business, told me that in a world filled with misinformation, ads give people the knowledge, skills and confidence to stand up for themselves – and lead to better health outcomes.
He says Phreesia’s targeted ads are particularly useful for people with rare diseases, where they are part of small patient populations. “It’s very, very difficult to get information in front of them – potentially life-saving information,” Linetsky said. “And I think we provide a safe and respectful way to do that.”
To be clear, Phreesia’s advertising business also leads to better results for pharmaceutical companies. The company’s annual report boasts to advertisers that it is “increasing additional prescriptions with existing patients.”
Phreesia isn’t the only medical data company that wants to access your records to show you ads. I have also investigated the “patient portals” used by many doctors who, if you read the fine print of their privacy policies, claim the right to your information to show you advertisements.
Is this kind of business ethical?
“Anyone who tries to trick you into secondary use of your data should be required to have clear and understandable consent,” said Caplan, the medical ethicist. “You have to know what you choose and what you refuse. None of that fine print stuff.
Do patients really know they have the right to opt out of targeted advertising from Phreesia? The company wouldn’t tell me what percentage of patients say no.
I tried to read all of my apps privacy policies. It was 1 million words.
I asked: why doesn’t it say in big bold print at the top: “This part is completely optional?”
“How we collect consent is an ongoing project and we’re open to your feedback on it,” Linetsky said. “I think there’s room to probably make it clearer and do it in clearer, prominent language at the top.”
Clinics and hospitals that put Phreesia in front of patients are also among them. I have written to the leaders of two of the medical groups that Phreesia lists as customers on its website, Piedmont HealthCare and CareMount Medical. Neither of them answered. Phreesia says it does not share ad revenue with its clients.
A One Post reader who asked not to be identified said she refused Phreesia’s request and complained to her doctor – who told her it didn’t matter because “Your information are all over the web anyway!”
This attitude towards privacy can be one of the most concerning aspects of the healthcare data mining business model. Confidentiality builds trust. Patients who aren’t confident they have full control over their information will be less willing to share it with their doctors — and that could directly contribute to the deterioration of medical care.