Some virtual care companies putting patients’ personal health data at risk, new study finds
This story is part of CBC Health’s Second Opinion, a weekly analysis of health and medical science news emailed to subscribers on Saturday mornings. If you haven’t subscribed yet, you can do that by clicking here.
If you visit a doctor virtually through a commercial app, the information you submit in the app could be used to promote a particular drug or service, says the leader of a new Canadian study involving industry insiders.
The industry insiders “were concerned that care might not be designed to be the best care for patients, but rather might be designed to increase uptake of the drug or vaccine to meet the pharmaceutical company objectives,” said Dr. Sheryl Spithoff, a physician and scientist at Women’s College Hospital in Toronto.
Virtual care took off as a convenient way to access health care during the COVID-19 pandemic, allowing patients to consult with a doctor by videoconference, phone call or text.
It’s estimated that more than one in five adults in Canada — or 6.5 million people — don’t have a family physician or nurse practitioner they can see regularly, and virtual care is helping to fill the void.
But the study’s researchers and others who work in the medical field have raised concerns that some virtual care companies aren’t adequately protecting patients’ private health information from being used by drug companies and shared with third parties that want to market products and services.
Spithoff co-authored the study in this week’s BMJ Open, based on interviews with 18 individuals employed or affiliated with the Canadian virtual care industry between October 2021 and January 2022. The researchers also analyzed 31 privacy documents from the websites of more than a dozen companies.
The for-profit virtual care industry valued patient data and “appears to view data as a revenue stream,” the researchers found.
One employee with a virtual care platform told the researchers that the platform, “at the behest of the pharmaceutical company, would conduct ‘A/B testing’ by putting out a new version of software to a percentage of patients to see if the new version improved uptake of the drug.”
Concerns about how data might be shared
Matthew Herder, director of the Health Law Institute at Dalhousie University in Halifax, said he hopes the study draws the public’s attention to what’s behind some of these platforms.
“All of this is happening because of a business model that sees value in collecting that data and using it in a variety of ways that have little to do with patient care and more to do in building up the assets of that company,” Herder said.
Other industry insiders were concerned about how data, such as browsing information, might be shared with third parties such as Google and Meta, the owner of Facebook, for marketing purposes, Spithoff said.
The study’s authors said companies placed data in three categories:
- Registration data, such as name, email address and date of birth.
- User data, such as how, when and where you use the website, on what device and your internet protocol or IP address.
- De-identified personal health information, such as removing the name and date of birth and modifying the postal code.
Some companies considered the first two categories as assets that could be monetized, employees told the researchers.
Not all of the companies treated the third category the same way. Some used personal health information only for the primary purpose of a patient’s virtual exchange with a physician, while others used it for commercial reasons, sharing analytics or de-identified information with third parties.
The study’s authors said while each individual data point may not provide much information, advertisers and data analytic companies amalgamate data from browsing history and social media accounts to provide insights into an individual’s mental health status, for example.
One study participant described how a partnership for targeted ads might work: “If an individual is coming through our service looking for mental health resources, how can we lean them into some of our partnerships with corporate counselling services?”
Conflict-of-interest questions
Lorian Hardcastle, an associate professor of law and medicine at the University of Calgary, studied uptake of virtual care in 2020. She highlighted issues of continuity of care, privacy legislation and consent policies.
Since then, she said, uptake in virtual care accelerated during the COVID-19 pandemic.
“I think that the commercialization of the health-care system raises concerns around conflicts of interest between what is best for patients on the one hand and then on the other hand, what has the best return for shareholders,” said Hardcastle, who was not involved in the BMJ Open study.
Hardcastle said it is helpful to have industry insiders acknowledge problems that health professionals and academics have expressed about commercialization.
The Privacy Commissioner of Canada, which funded the study, said in an email that health professionals conduct commercial activities, and therefore the federal Personal Information Protection and Electronic Documents Act applies. The exceptions are in British Columbia, Alberta and Quebec, which have substantially similar legislation.
Hardcastle also suggested that self-regulatory bodies, such as provincial colleges of physicians and surgeons, may need to revisit policies around relationships between health providers and industry.
Virtual care industry responds
CBC News heard from some Canadian virtual care companies that said they take the privacy of individuals seriously.
“Patient data is only used with patients’ explicit consent and only when it’s required for health-care interactions between a patient and a doctor,” a spokesperson for virtual care platform Maple said. “We do not exploit patient data for marketing or commercial gain.”
In a statement, Rocket Doctor said it is important to note that the company “does not do any of the things listed by the researchers as common in the telehealth industry.”
Telus said that all of the data collected from its virtual care service is treated as personal health information.
“Telus Health doesn’t receive any funds from pharmaceutical companies for our virtual care service and we do not sell any patient data collected,” said Pamela Snively, the company’s chief data and trust officer.
Source of information hard to pin down
Hardcastle said it may be difficult for some people to distinguish between receiving reliable and accurate information from a health-care provider on an app and getting services marketed to them that the health provider may or may not find useful.
“Your family doctor isn’t trying to collect superfluous information in order to market services to you,” she said.
Some provinces and territories pay for the virtual services. In other cases, patients pay themselves or are covered by employer or private insurance.
Nova Scotia’s government, for example, has a contract with Maple to provide residents without a primary care provider with unlimited virtual visits. Those who do have a regular provider can have two visits per year paid for by the province.
Tara Sampalli, senior scientific director at Nova Scotia Health Innovation Hub, said the province’s contract with Maple means residents’ data can’t be used in other ways, such as by third-party providers.
The province doesn’t have that level of control over other providers of virtual care, said Sampalli, who holds a PhD in health informatics.
Calls for an opt-out choice
Herder, of Dalhousie University, said users should be able to easily opt out of having their data used for commercial purposes. He also said that if the data doesn’t represent the full diversity of Canada, algorithms shaping clinical decision-making could be racially biased.
Spithoff said while patient awareness is important, patients aren’t in a position to fix this problem.
“We need better legislation, regulation, and we need better funding for primary care,” she said. “Or people can get virtual care integrated into their offline care.”
Spithoff and her co-authors said self-regulation by the industry is unlikely to lead to change.
The researchers acknowledged they were limited to publicly available documents and that they did not interview those affiliated with the third-party advertisers.