Is your telehealth provider selling your health data?
A visit to a new GP always involves a form on a clipboard.
You fill in, with a varying degree of honesty, how much you drink, your family’s medical history, whether you smoke or take illicit drugs, and hand it over to the receptionist.
At no point do you expect this information to be sold or used for any other purpose than informing your new doctor of your medical history.
Yet this is the prospect that users of some telehealth services face, as tech companies enter the highly sensitive health field with privacy policies more in step with an Amazon than a My Health Record.
Two telehealth companies have already been publicly embarrassed, one for selling user data and the other by a technology lapse.
The abrupt rise of the telehealth industry, thanks to social restrictions brought on by COVID-19 pandemic measures, has brought forth everything from tailored virtual consulting services to software that’s been shoe-horned into health.
Some of the latter Frankenstein’s monsters are not “fit for purpose”, according to experts spoken to by Stockhead, and could be laying landmines for an industry still on probation.
Last month small telehealth provider Medinet faced exactly the situation Australian companies in this space want to avoid: a public accusation of data selling and platform misuse.
Shane Solomon, a partner at health consultancy Coligo Health, said on LinkedIn that he used Medinet for a telehealth consult. But rather than a video or phone call, the GP used a chat function to ask four questions online, which was then billed to Medicare as a full 20-minute consult.
The new Medicare telehealth billing codes require consults to be via video or phone.
Solomon also said his personal details had been shared with a third party without his permission.
“So disappointed with how some companies are misusing the new Medicare telehealth items,” he wrote.
“I assume they get away with passing my data around and direct marketing because they claim to be only a platform – judge for yourself – looks like a telehealth clinic to me. Please don’t spoil the future of telehealth for the quality operators. We are on trial.”
Solomon has been contacted for comment.
Medinet’s new chief executive Tess van der Rijt swiftly intervened.
Solomon’s outraged LinkedIn followers were somewhat mollified to learn the third party telehealth marketing had been a coincidence, the doctor he’d interacted with had retracted the Medicare bill, and Medinet was changing its platform and privacy policies.
van der Rijt told Stockhead the chat function was a legacy from before COVID-19, enabling doctors and patients to share documents. Now, the company has updated the platform so Medicare claims can only be sent if the audio or video function has been used.
“We may face some push back from GPs as they are generally in control of their own billings, but in the case where a doctor using Medinet’s platform incorrectly billed Medicare, it was Medinet’s brand that has been tarnished, not the doctor or the medical practice,” she said.
van der Rijt needed to move fast: a Department of Health spokesperson told Stockhead that while doctors were responsible for services billed under their Medicare provider number “anyone who engages health professionals and causes or permits them to provide Medicare services incorrectly or to practise inappropriately” is also considered responsible for that conduct.
But not many people read privacy policies and every person who has ticked the box without reading the T&Cs knows how easily consent is granted.
HealthEngine sold its patients’ information to personal injury lawyers but claims it had explicit consent from users to do so.
In 2018, an ABC investigation into the Seven West Media and Telstra Ventures-backed medical appointment booking platform found that Slater and Gordon, a law firm, was given details for 200 HealthEngine clients each month as part of a referral partnership pilot with another firm, Bannister Law.
“We respect the privacy of our users and appreciate the trust they place in us,” HealthEngine founder Dr Marcus Tan said in a statement at the time.
“We do have referral arrangements in place with a range of industry partners including government, not for profit, medical research, private health insurance and other health service providers on a strictly opt-in basis.
“These referrals do not occur without the express consent of the user.”
Last year the Australian Competition and Consumer Commission launched a lawsuit against HealthEngine for selling the information of 135,000 patients, including their name, phone number, email address and date of birth, between April 30, 2014 and June 30, 2018 to private health insurance brokers.
It said HealthEngine hadn’t told users it would be selling the information.
This isn’t a problem, or outcome, likely to go away because Australia’s weak privacy laws create no incentives for companies here to “do the right thing”, says David Glance, director of the University of Western Australia’s Centre for Software Practice.
“Even the egregious behaviour of HealthEngine has pretty much been forgotten and they got away without much consequence. The levels of potential consequences for companies doing the wrong thing in Australia are minimal,” he told Stockhead.
While some global companies are changing their practices and process to fit within Europe’s General Data Protection Regulation (GDPR), the Californian Consumer Privacy Act and the New York SHIELD Act, Australia does not have equivalent regulation.
“Australian privacy laws are based on organisations adhering to a set of ‘principles’. As a consequence, any organisation can claim that they are following these principles without doing anything meaningful,” Glance said.
“There are specific regulations that cover breaches and breaches in particular relating to My Health Record but I haven’t seen anything come of that.”
Glance says users of digital services are getting more wary of software that requests too much information without seeming justification, but for people in pain or desperate for medical help that may seem a small price to pay for urgent attention.
There are effectively two types of health information people give to health websites: health information such as a Medicare number, details of medical conditions, and test results which is classified as “sensitive” and given a higher level of protection under the Australian Privacy Principles; and general information such as contact details, date of birth, and browsing behaviour.
Selling sensitive data is illegal. Consumers must consent to general information being sold.
The privacy policies of 13 telehealth providers viewed by Stockhead reserve the right to the company to share the latter data with third parties as required.
Klaus Bartosch, chief of telehealth company 1st Group (ASX:1ST), says that’s normal, citing flu vaccines as an example: by law all vaccines are uploaded into the Australian Immunisation Register (AIR).
“Do you as a consumer have visibility over how your data is being used in every situation? No,” he told Stockhead.
“For you as a consumer, this is happening behind the scenes, but it’s happening for all the right reasons”, even if you didn’t explicitly give your permission for it to be done.
But in telehealth a middle-man manages the consultation channel and the transfer of highly sensitive documents between doctor and patient.
Few limit themselves to handling and keeping as little information as possible.
Bartosch says companies with purpose-built telehealth software can handle this but others demand “phenomenal rights” over users’ data and are deliberately vague around how they plan to use it.
Stockhead looked at privacy policies of 1st Group, Genie Solutions, HealthEngine, GP2U, Phenix Health, DPV Health, Global Health, Cliniko, Instant Consult, Icliniq, Docto, Doctoroo, and Telstra’s Healthnow.
All 13 privacy policies were big on consent, even though most internet users will happily tick any box without reading the T&Cs they’re agreeing to.
Generally, these sites require both general and sensitive information in order to facilitate consults.
Only Docto explicitly says it does not use personal information for direct marketing nor shares it for third party marketing.
Bartosch says 1st Group doesn’t record consults and permanently deletes any documentation shared afterwards, because he doesn’t want responsibility for storing them on the site.
Global Health explicitly indemnifies itself against the risk of its overseas employees mishandling Australian users’ data, and gives itself the right to share users’ data with a very wide range of groups.
Genie, which provides an Amazon-backed telehealth service for specialists among other services, gives itself wide permission for how it collects information, the type of information it collects, and what it does with it.
The extra layer of non-medico data collection concerns conservative bodies like the Royal Australian College of General Practitioners (RACGP), which is jittery about telehealth’s potential to further separate the fragmenting GP-patient relationship.
RACGP president Dr Harry Nespolon says the organisation is concerned about corporate technology startups being allowed to handle private patient information and health data.
“Patients need to feel confident that when they see their GP, whether in-person or by telephone or videoconference, whatever they discuss will remain private – they are in a safe environment,” he said in a statement to Stockhead.
“Only a GP or other healthcare provider providing care should be collecting patient information and it needs to be stored in a secure way. It would be very concerning if bots or lay people were allowed to collect this information.”
Misuse of Medicare billing codes and technology risks, such as data security on working-from-home internet networks, have been consistently mentioned since telehealth began its steep ascent to a healthcare must-have rather than a nice-to-have.
But as yet risks around privacy and unwittingly granted permissions have taken a back seat, potentially laying landmines in the future for the whole industry.
This article has been updated to correct certain factual inaccuracies.