

No Privacy: Online Searches Are Not Protected by HIPAA


Websites that offer free health information may share the searches on their sites with other companies. It happens more often than many people realize, according to a recent study in JAMA Internal Medicine.

Advertisers track search terms in order to target ads to specific audiences. Many free websites include extra code that leaks search information to third parties, many of whom use it to track consumers. This type of information could be purchased by anyone willing to pay, according to the study.

Dr. Marco Huesch of the University of Southern California Los Angeles explored 20 popular health sites while using privacy tools and interception software that revealed hidden traffic. His search terms included “depression,” “herpes” and “cancer.”
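The kind of check such interception software makes possible, as an added example that is not from the study or the original article: given a browser traffic capture in HAR format, it lists third-party hosts that received the search term. The hostnames and sample capture are constructed, and the first-party test is a simplifying assumption (exact domain or subdomain match).

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed sample capture in HAR form (placeholder hosts, not data from the study).
SEARCH_PAGE = "https://health.example/search?q=depression"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": SEARCH_PAGE, "headers": []}},
    {"request": {"url": "https://cdn.health.example/app.js",
                 "headers": [{"name": "Referer", "value": SEARCH_PAGE}]}},
    {"request": {"url": "https://ads.tracker.example/pixel?kw=depression&uid=123",
                 "headers": []}},
    {"request": {"url": "https://metrics.example.net/collect?e=pageview",
                 "headers": [{"name": "Referer", "value": SEARCH_PAGE}]}},
    {"request": {"url": "https://fonts.example.org/font.woff2",
                 "headers": [{"name": "Referer", "value": "https://health.example/"}]}},
]}}


def is_third_party(host, first_party):
    """Assumption: first-party means the site domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return not (host == first_party or host.endswith("." + first_party))


def find_search_leaks(har, first_party, term):
    """Return sorted (third_party_host, channel) pairs where the search term left the site."""
    term = term.lower()
    leaks = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        # Channel 1: the term is embedded in the third-party request URL itself.
        if term in unquote_plus(req["url"]).lower():
            leaks.add((host, "url"))
        # Channel 2: the browser passes the search-results URL in the Referer header.
        for header in req.get("headers", []):
            if header["name"].lower() == "referer" and term in unquote_plus(header["value"]).lower():
                leaks.add((host, "referer"))
        # Channel 3: the term travels in a POST body, e.g. an analytics beacon.
        body = (req.get("postData") or {}).get("text", "")
        if term in unquote_plus(body).lower():
            leaks.add((host, "body"))
    return sorted(leaks)


if __name__ == "__main__":
    for host, channel in find_search_leaks(SAMPLE_HAR, "health.example", "depression"):
        print(f"{host}: search term sent via {channel}")
```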

Most government sites, such as the National Institutes of Health or the Food and Drug Administration, do not share information with third parties, nor do sites geared toward providers like the New England Journal of Medicine or PubMed.

But Huesch found that consumer-oriented sites like, Men’s Health and do leak search terms to manufacturers and marketers.

The study did not determine how the leaked info was used, but Huesch believes the very fact that it was leaked will surprise most people.

Business models evolve

“Technology and the business models have matured much, much faster than many people understand,” Huesch explained.

Print publications like the New York Times have had to lean heavily on online ad dollars because subscription revenues have tumbled.

“They’re very clear on their need to monetize their online user activity,” he said.

Sites that don’t depend on that business model may be a better bet.

“Any kind of website that has a business model, is commercial. So you have to get comfortable with that leakage, or you have to protect yourself with online privacy tools,” he pointed out.

Huesch used Ghostery and Do Not Track, which don’t stop targeted advertising, but do stop data leakage to third parties.

HIPAA and personal medical info

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of medical information, but doesn’t fully take into account the Internet’s role in everyday life.

Your IP address, a unique numerical label assigned to devices like computers and printers, can be used to trace search info back to you. But IP addresses are not on HIPAA’s list of “unique identifiers,” such as your name or street address. That means search terms aren’t linked to some anonymous computer, but can be traced easily to individual users. It’s perfectly legal, but that doesn’t necessarily mean your information is being used against you, Huesch noted — only that it could be used that way.

“Just because there’s a technological capacity to do tracking, and just because we see some leakage, doesn’t actually mean people get harmed by it,” Huesch said.

What’s the harm?

In a best case scenario, your Internet browser would simply get extremely targeted ads.

But it’s also possible that third parties could use that information to charge people different rates for goods and services, or refuse to provide the services at all, he said.

You could claim on a life insurance application that you don’t have arthritis. But if you buy a lot of over-the-counter arthritis medication online, or search for “arthritis” on medical sites, this information could affect how much an insurer charges.

“As a life insurer, I might say ‘this guy seems thicker than I thought. I’m going to re-price that guy upwards without telling him,’” Huesch said.

That kind of price discrimination is illegal under the Affordable Care Act.

It’s all theoretical, but “you could imagine a whole bunch of scenarios where people, without their knowledge, are not seeing the same range of opportunities,” Huesch said. “This could be a kind of punishment related to what they thought was a private activity.”