Medical data is too sensitive for companies to exchange it lightly. The United States regulator, the Federal Trade Commission (FTC), has just put companies that manage health-related applications on notice that any transfer of this type of information must be made with the consent of the affected user. If not, the responsible company will face fines of up to $43,792 per violation per day. The move takes on special relevance because most of the big technology companies (Amazon, Google, Microsoft and Apple) have recently pushed hard into the healthcare market.
US regulation has traditionally been lax when it comes to protecting privacy, with one important exception: health data. The Health Insurance Portability and Accountability Act (HIPAA) set the standards in 1996. It prohibited providing medical data to anyone other than the patient, unless the patient had given consent. A 2009 rule, the Health Breach Notification Rule, extended those responsibilities to the digital environment: companies subject to HIPAA must maintain the same confidentiality in cyberspace.
The new FTC order broadens the scope of the regulation even further: companies whose main activity is not health but that still manage medical data must also comply with the same guarantees. Although it does not name them, the regulator is referring to companies such as Google, Apple, Amazon and Microsoft, which have been collecting this type of data from various sources, such as connected devices and applications.
“The Commission has realized that health applications, which can track everything from diabetic blood glucose levels to parameters related to fertility or hours of sleep, increasingly collect sensitive and personal data from consumers,” the FTC statement highlights. “These applications have a responsibility to ensure that they keep the data they collect secure, which includes preventing unauthorized access to that information.”
Health-related applications and other connected devices, the FTC points out, are not only widely used by the population, especially after the pandemic, but are also coveted targets for cybercriminals. “And yet there are few protections for your privacy,” the report said.
“Although [the 2009 rule] imposes some measures so that the technologies that misuse our information are held accountable, there is the problem of the commercialization of people’s sensitive medical information. Businesses can use that information to feed their targeted advertising or analytical tools,” said Commissioner Lina M. Khan in a statement. “Given the prevalence of targeted advertising, the Commission should monitor what data is collected and whether the business models that develop around it create incentives that put the security of that data at risk,” she added.
In the European Union, if a company wants to share its customers’ personal data with other companies, it must inform the user. This is established by the General Data Protection Regulation (GDPR), one of the most protective regulations in the world in this regard. American regulation has always been more permissive on privacy than European regulation. “There are regulations that defend the privacy of users, such as that of the State of California, but there is still no federal regulation. In general, they are less strict, although the trend is that little by little they will converge with us,” explains Borja Adsuara, an expert in digital law.
“In the United States, the regulations do not usually place such emphasis on the protection of individuals, but companies know that if they break the law they will be prosecuted relentlessly,” says Frederic Llordachs, co-founder of Doctoralia, a physician-recommendation portal that he describes as “the Booking of doctors,” and someone well versed in the regulations that apply to the sector.
The technological assault on health
The FTC order is a clear warning to big tech that the regulator will be watching how they treat medical data. The health sector is, in fact, one of the sectors that currently holds the greatest attraction for GAFAM (Google, Amazon, Facebook, Apple and Microsoft). Perhaps the most ambitious bet in this regard is Amazon Care, a program already available in some cities in the United States that combines telemedicine through its own application with home visits by doctors.
Microsoft, for its part, spent about 16.5 billion euros in April to buy Nuance, the most respected artificial intelligence and speech recognition company in medical environments. As it was the second largest acquisition in the company’s history (it only spent more, about 22 billion, when it bought LinkedIn), the message to the industry was clear: Microsoft wants to become the benchmark in the processing of healthcare data.
Alphabet, the parent of the world’s most used search engine, has an entire division, Google Health, dedicated to “developing tools and initiatives that help everyone make more informed health decisions.” One of the pillars of its strategy, according to its website, is to make medical information more accessible. As for Apple, the company’s efforts to collect data on the health of users of its products, especially the iPhone and Apple Watch, are well known.
These companies and many others will have to be more careful from now on in how they handle their users’ data. “The FTC must use all the tools at its disposal to protect users’ medical data, although we also have to control the business models that monetize it,” Khan tweeted.