Lisa McLaughlin, co-CEO of WorkIt Health, says her company is “committed to creating a safe place for our members to receive discreet and accessible virtual care.” A Confidant Health representative reiterated that the company recognizes the importance of privacy in SUD care and “will continue to comply with HIPAA and similar laws, as well as our own internal protocols that we have developed to protect our members.”
Representatives of other companies participating in the study did not deny the use of the third parties identified by researchers, but claimed that it does not pose a threat to patient privacy and is in line with internet and medical standards.
Nick Mercadante, founder and CEO of PursueCare, says his company does not collect, store or forward protected health information from visiting users, and patients do not receive their care directly on the PursueCare site. He also said that PursueCare does not share protected health information (PHI) with third parties, although it “uses Facebook Pixel and Google Analytics for internal reporting purposes.”
“It is a reality that users of most websites on the Internet today are subject to user data collection,” says Mercadante. “Health-related websites, including those of health systems, hospitals, inpatient care facilities and other physical care facilities, are no different.”
Pear Therapeutics, responsible for reSET-O, notes that it does not share PHI without patient consent, does not use digital footprints to identify user identities, and reports data “on an aggregated and anonymized basis.”
Experts remain primarily concerned about the collection of the data, anonymized or not, but acknowledge that what is happening here is not illegal and will likely continue for that reason. Danielle Tarino, who formerly led the health IT team at SAMHSA and now works in cybersecurity, has spent a significant portion of her career exploring the privacy implications of mHealth, especially for people with substance use disorders . She believes the best chance to protect privacy will come from creating and implementing additional tools.
“This is how small tech companies work, and if no one tells you you can’t do that, you can,” she says, wondering if the sites’ use of ad trackers and third-party software is tantamount to finance. Clark also expresses concern that the use of data collection is financially motivated and can be sold or leased to law enforcement or other parties for the right price. “When there are financial incentives, people make the changes. If there are no financial incentives, they are not there,” he says. In short, data privacy experts don’t expect mHealth companies to stop collecting data unless forced to.
The opinions of cybersecurity professionals and CEOs of telehealth companies are relevant, but perhaps most important are the opinions of individuals with substance use disorders, the people who will lose the most if the fears of experts are realized and for whom Part 2 is designed. After showing the data from the analysis, a patient who uses physical caregivers said via direct message, “Thanks for reaffirming why I don’t use telehealth.” He added that he wasn’t sure the findings would deter someone from using telehealth if that was the only way they could get treatment. Those patients should simply trust that their healthcare providers are acting in their best interests.
Another patient using one of the companies analyzed by the OPI and LAC was alarmed by the findings [be required to] have a service that prevents them from following something like that,” he says.
“How much is my information worth?” he asks, wondering if the data from his and other patients’ website usage was more valuable than the few hundred dollars they bring in each month as a patient. ‘It’s so scary. This is the first time in my life I haven’t been on probation in 10 years. Well, that’s not me. Thinking someone could really just look at that… Who knows what’s going to happen?