Five years ago, The New York Times famously ran a piece explaining how Target sent maternity coupons to a customer that they (correctly) inferred was pregnant by examining her purchase history, before she had even told her family about it. More recently, Gizmodo ran a story about a person who was (incorrectly) targeted with a mailed letter inviting her to join a psoriasis clinical trial. Not only did she not have psoriasis, but the only relevance to her was that she had researched psoriasis and other skin care topics online recently.
These two stories had opposing conclusions (only one targeted ad was actually correct), but this topic causes a lot of discomfort and leads to a lot of interesting questions. Who sold data to whom? Is this a violation of privacy? Is this against the law?
One question in particular sticks out for medical device developers: Can this type of information be leveraged in medical device development?
Let’s start with a bit of background.
How is user information inferred?
Companies seeking to tailor their advertisements to specific people or demographics use a combination of consumer profiles and public information about user devices to first identify the user (not necessarily by name) and then choose whether and how to target them. Consumer profiles, in the case of Target, are mostly based on a purchase history that associates a name with a credit card.
Online public information is a different story. In the case of online ads, a retailer joins a marketplace and is offered the option to purchase an advertisement that will be served to a person using a specific device ID—let’s call it ID#12345. An auction for ad space is presented publicly (if you know where to look) for device #12345 while they browse a website that sells, let’s say, hearing aid batteries. This all happens quickly and automatically—between the time the user clicks a link and the time the page loads. By watching auctions for extended periods of time, you can find out exactly what kinds of websites #12345 visits. That can be used to form a consumer profile to eventually conclude a lot about that user, including the amount of time they use their hearing aids.
Is this type of observation a violation of general privacy?
In my experience, public consensus seems to land on the idea that it’s usually a worthwhile exchange to give up some general information about yourself in exchange for free use of certain websites or platforms, even if a startlingly accurate profile can be created for you. You may think that this all changes when we talk about Personal Health Information (or PHI), but as a generalization it does not.
Is this type of observation a violation of personal health privacy?
Information is only PHI if there is a caregiver-patient relationship, which is clearly not the case when observing anonymous online users. In our example, let’s say we watched device #12345 for years on end. We may "know" that the main user is a man who is 67 years old, lives at a certain address, and suffers from deafness in one ear. Still, this information is not PHI in this type of relationship, and therefore is not subject to the Health Insurance Portability and Accountability Act (HIPAA). That means that in this situation, ethics are more relevant than legality.
How can we use this in medical device development?
The potential applications of this type of information are meaningful. The most obvious application is market evaluation. In this scenario, publicly available online user information could be used to evaluate a market in advance. This information could help a developer understand how many people have a condition, the patient demographic, and the condition's impact on patients' lives. A preliminary, inexpensive understanding of these issues enables better product direction and earlier investor engagement, as well as footing for early design assumptions.
What about medical device sales?
As the earlier example demonstrates, sales of medical devices are already an application of public browsing information. A non-medical example of this is Amazon’s rumored interest in acquiring Slack, which would likely lead to an opportunity for targeted sales based on online use behaviours. Not only that, but it could be a tool to determine suitable markets based on the number of potential customers.
So where does this leave us?
Most of us have known for years that the internet is never really all that private, but the public has some faith that their PHI will be protected by law. The gray area of where general information ends and PHI starts is becoming more and more important to define, especially with the onset of wellness devices and the continued improvement of user targeting algorithms. Regardless, this data is a handy potential resource for medical device developers and could be used for a variety of purposes, not the least of which is understanding the target market.
However this all plays out, I’ll rest assured knowing that I can finally predict when I’m going to die: 3-5 days after I start getting targeted ads for caskets online.