I care deeply about privacy, and as a professional researcher, I take meticulous notes.
During my recent maternity leave, I spent most of my hands-free time trying to figure out why my doctors were trying to give my medical data away to advertisers — even after I opted out.
I had two different providers for the duration of my pregnancy, because one closed their doors before my baby arrived. At both providers, upon my arrival the staff would hand me a tablet made by Phreesia, a company with a roughly $1.7 billion market cap, to check in. Phreesia collects demographic information, with fields including information as sensitive as the number of abortions the patient has had and their social security number. Each time I checked in, a form labeled “Required” in bright red letters sought authorization to share my data.
But that label was deceptive — and felt intentionally so.
Patients are indeed required to acknowledge a typical HIPAA privacy policy in order to be seen so that their physicians’ practices can use that data for internal operations or billing, for example.
This HIPAA authorization form was different. Phreesia was asking for consent to mine the data I entered through the check-in process to show me targeted ads. Buried eight paragraphs down is language informing me I can opt out without losing access to my providers, but most readers likely click through hurriedly so they can get to their appointment in time. My OB-GYNs are committed to the ethics of patient confidentiality. Why would they encourage me to give away my reproductive privacy at the digital front door to their office?
I methodically clicked “I decline” to the terms at each routine visit and kept a photo record, but that wasn’t enough to safeguard my consent. Staying in control of my data privacy is a burden that requires proactive attention. Pregnancy is exhausting, and I already had a very active toddler to run after, plus a full-time job. A patient seeking a long-awaited appointment with a specialist isn’t going to cancel, even if they are uncomfortable, because getting care is the priority. And yet, privacy harms add up. The Markup investigated hospitals that send your data to Facebook, Google and others when you visit their websites. The Federal Trade Commission recently fined GoodRx $1.5 million for doing the same and banned the company from sharing consumers’ sensitive health information for advertising when patients use its service to obtain discounts on prescription drugs.
In September, after revisiting a June 2022 article about Phreesia’s privacy practices, I wrote to its privacy inbox to confirm that it had no consent from me on record. To my surprise, the representative, a compliance analyst, simply offered to revoke my authorization. I was
