Published Jun 13, 2022 in washingtonpost.com
Author by Geoffrey A. Fowler
There’s a burgeoning business in harvesting our patient data to target us with ultra-personalized ads. Patients who think medical information should come from a doctor — rather than a pharmaceutical marketing department — might not like that.
But the good news is, you have the right to say no. I’ll show you what to be on the lookout for.
Several Washington Post readers recently wrote to Ask Help Desk about a consent form they were asked to sign while checking in for a doctor’s appointment. Most of us just hurriedly fill out whatever paperwork is put in front of us, but these eagle-eyed readers paused at this:
“I hereby authorize my health care provider to release to Phreesia’s check-in system my health information entered during the automated check-in process … to help determine the health-related materials I will receive as part of my use of Phreesia. The health-related materials may include information and advertisements related to treatments and therapies specific to my health status.”
Here’s what’s going on: A company called Phreesia makes software used by more than 2,000 clinics and hospitals across the United States to streamline check-ins, replacing the clipboard and photocopied forms with screens on a website or app. The company says it was used for more than 100 million check-ins in the past year. Some patients use Phreesia’s software to do early digital check-in at home, while others use it on a tablet at the clinic.
But Phreesia doesn’t just make money by selling its software to doctor’s offices. It also has a business in selling ads to pharmaceutical companies that it displays after you fill in your forms. And it wants to use all that information you entered — what drugs you take, what illnesses you’ve had in the past — to tailor those ads to your specific medical needs.
I can understand why pharmaceutical companies might want this. The ads remind you to ask your doctor about whatever drug they’re pushing right before you go into the exam room. With access to your data, Phreesia can ensure that its advertising messages are shown to the most receptive audience at the moment they’re seeking care.
You agreed to what? Tax sites want your data for more than filing.
But wait a minute: Isn’t your health information supposed to be private?
“There is less protection than we all might think,” says Arthur Caplan, the head of the division of medical ethics at the New York University Grossman School of Medicine.
When the Health Insurance Portability and Accountability Act (HIPAA) was written in the 1990s, medicine looked very different. “The privacy you were thinking about then was who could look at my paper chart,” says Caplan. Now that records are digital, they’ve developed lots of secondary uses.
I asked Phreesia how they’re able to make use of our data under HIPAA. The company says it isn’t the same as your clinic or hospital, which is considered a “covered entity” under HIPAA. Instead, Phreesia is a “business associate” of your provider, and automatically allowed to process your data for the purposes of assisting your doctor and collecting payment.
But for Phreesia to make extra use of your data to show you ads, HIPAA does require you to opt in. That’s why they want you to tap “I accept” on that form.
You have the right to say no. To do that, be on the lookout for the button labeled “I decline.” If you say no, nothing is supposed to change about your doctor’s visit, Phreesia says.
(If you previously tapped “I accept” and now want to change your mind, you can email firstname.lastname@example.org or tell your doctor’s office.)
Phreesia says it does not “sell” your data. Instead, Phreesia mines your data and uses it to target you with ads on its own system without passing the information to others. (That’s a privacy argument I also often hear from Facebook and Google.) Phreesia also says it doesn’t track you in other digital places, and consenting won’t result in you seeing eerily targeted ads on other websites and apps.
But still, why would a patient want to say yes? David Linetsky, who runs Phreesia’s life-sciences advertising business, told me that in a world filled with misinformation, the ads give people knowledge, skills and confidence to advocate for themselves — and leads to better health outcomes.
He says Phreesia’s targeted ads are particularly useful for people with rare diseases, where they’re part of small patient populations. “It’s very, very hard to get information in front of them — potentially lifesaving information,” said Linetsky. “And I think that we offer a privacy-safe and respectful way of doing that.”
To be clear, Phreesia’s ad business also leads to better outcomes for pharmaceutical companies. The company’s annual report boasts to advertisers that it “increases incremental prescriptions with existing patients.”
Phreesia is not the only medical-data business that wants access to your records to show you ads. I’ve also investigated “patient portals” used by many doctors that, if you read the small print in their privacy policies, claim the right to your information to show you ads.
Is this kind of business ethical?
“Everybody who is trying to get you to a secondary use of your data should be required to have clear understandable consent,” said Caplan, the medical ethicist. “You should know what you’re opting into and out of. None of this fine-print stuff.”
Do patients really even know they have the right to decline Phreesia’s ad targeting? The company wouldn’t tell me what percent of patients say no.
I tried to read all my app privacy policies. It was 1 million words.
I asked: Why doesn’t it say in big bold letters at the top, “This part is totally optional?”
“The way that we gather consent, that is an ongoing project and we’re open to your feedback on that,” Linetsky said. “I think that there is room to probably make it clearer and do that in sort of plainer language and prominently at the top.”
Clinics and hospitals who put Phreesia in front of patients are also part of this. I wrote to executives at two of the medical groups Phreesia lists as clients on its website, Piedmont HealthCare and CareMount Medical. Neither replied. Phreesia says it does not share advertising revenue with its clients.
One Post reader who asked to not be identified said she declined Phreesia’s request and complained to her doctor — who told her it doesn’t matter because, “Your information is all over the web anyhow!”
That attitude about privacy may be one of the most concerning aspects of the health data-mining business model. Privacy builds trust. Patients who aren’t confident they have full control over their information will be less willing to share it with their doctors — and that could directly contribute to worse medical care.