by Craig Klugman, Ph.D.
Part of the Affordable Care Act was an effort to increase efficiency in sharing and storing health data through electronic health records. The idea was that patients could see their health information and communication more easily with a physician through an online portal that they could access at home. This requires you to send and receive some private health information over the internet. How you get to the internet and log onto the portal is through your Internet Service Provider (ISP). By federal regulation, your ISP has not been permitted to collect or sell your information to anyone. Now, the U.S. Congress passed and Trump signed a law that allows your ISP to sell your internet data.
Your ISP can see everything you do on the internet: What websites you visit, what you write in your emails, everything. There are some exceptions. You might go to websites that start with HTTPS (instead of HTTP). This is a low level of encryption but does help prevent people from listening on your internet conversation. Say you were in a public café and logging onto your health portal. If you used only HTTP, it would be fairly easy for someone to find your username and password by listening to the conversation between you and the website. Your ISP would know exactly what you typed into the portal and what documents you downloaded. With HTTPS, your username and password are encrypted, so it harder to see what you are doing. What you do at the portal is hidden from your ISP, but your ISP and a hacker can still see where you are going on the internet.
My health care provider has an HTTPS address meaning that there is some encryption and my ISP cannot see what happens in the portal. But the ISP can see where I go when I leave the portal. Let’s say I log into the portal and discover I’ve been referred to a specialist, maybe a dermatologist. I then google that specialist to see who she is and where her office is located. That search is not secure and thus can be seen by my ISP. Under the new rules, my ISP could sell that I have been looking at a dermatologist to an insurance company or a pharmaceutical company. I might suddenly find my online feeds filled with ads for dermatology medications or even some old-fashioned mailers arriving at home. Similarly, if I look up my test results on the portal and then look to see “what is normal cholesterol” or “how to treat high cholesterol,” my ISP now can sell that I was searching for those topics or looking at WebMD. Since an ISP is not a health care provider, it is not subject to HIPAA regulations preserving my confidentiality and privacy.
Portals have been helpful in increasing patient contact with physicians and helping people to become more engaged with their health care. A 2015 Nielsen survey shows that few patients use these portal technologies to email a doctor, receive appointment reminders, and get medical advice. The risk to one’s private health information may be small if use of these portals is limited. Never mind, that the portals tend to reinforce health disparities as they are mostly used by older, college-educated, white patients with higher socioeconomic status.
Another privacy solutions is to use a virtual private network (VPN). In this situation, a secure tunnel is created between you and the VPN provider. All of your web searching is then done via the VPN servers and cannot be tracked back to you. Thus, your ISP cannot see where you are on the internet and what you are doing. However, you have to trust that your VPN is keeping your data and web history private.
I have found my provider’s portal to be helpful for communicating and for seeing my health information. If I want to continue to use this tool, then I need to use a VPN and be careful that I do not look for any health-related information from the same computer in a close period of time. In other words, I would have to “game the data” through a workaround. Or, I can just accept that my ISP can easily figure out some of my health information and will sell that data. Either way, allowing ISPs to track and sell my internet usage data without my permission diminishes my ability to use an online portal securely or to look up medical information on the internet. I could not care, but since I do regard privacy as important, I am left with workarounds.