How to protect your online health information
Not all health information is protected by law
Examples of health information that are not protected include data collected by an app you download from an app store and information you share on an online medical forum.
Have you ever thought about how much personal health information you share with apps, chatbots, digital assistants, smartwatches, social media platforms, and web sites? If not, you may want to start.
The information that you share with these devices and platforms isn’t protected by law. This means that whoever owns the device or platform can share or sell your personal health information.
When it comes to apps, many contain software development kits (SDK). These are pieces of code that allow the app to collect data, which can be shared with third-party applications, according to the American Medical Association (AMA).
Personal health information that may be shared or sold includes your daily steps, hours you sleep, and information that you enter in a weight-loss app like the foods you eat and your weight.
If you share information about a skin condition on social media or ask a question about that condition in an online medical forum, your information could also be shared or sold.
When you stop to consider how much health information you share in online spaces, the AMA says this information often begins to look like a medical record.
While this information may look like a medical record, the Health Insurance Portability and Accountability Act (HIPAA) doesn’t protect it.
HIPAA only applies to health information kept by medical doctors like your dermatologist and other health care professionals, health plans, and organizations acting on their behalf.
HIPAA does NOT apply to health information that you:
Store in a mobile app
Keep on your smartphone, tablet, or laptop
Share on social media
Post in a health-related online community like a chatroom or message board
Store in a personal health record that’s offered by someone other than your medical doctor or other health care professional
Without HIPAA protections, your online health information can be shared or sold. “An insurance company, marketing firm, or employer may use this information to decide the cost of your insurance, whether to hire you, or any number of other decisions that affect your life,” according to the AMA.
Fortunately, there are steps you can take to protect your online health information.
9 things you can do to protect your online health information
You have the right to control how your online health information is accessed, used, and disclosed. Here are nine ways you can take control.
Decide what information you feel comfortable sharing. The Federal Trade Commission (FTC) tells consumers that sharing sensitive information always comes with risks. It recommends that you decide what information you feel comfortable sharing, when you know that it could be shared or sold.
Look at the settings on apps and other technology to see if you can control what information is collected and shared. The default setting is often “share.” If you can, select the option that allows you to protect your information. Also see if you can disable share permissions or fully delete the data collected.
Each time you update the app, check your permissions to see if they’ve changed. Sometimes, permissions go back to the default “share” after an update.
Consider using the privacy settings on social media platforms. You can limit who sees your posts by using the privacy settings on social media platforms. For example, when you set your privacy setting to “private,” only your approved followers or friends and friends of friends can see your posts. Some platforms also allow you to decide whether organizations like marketing companies can access your information.
Understand that if you post information on a public forum, you cannot assume that your information is private. A forum is an online space that lets people ask and answer questions. Examples of online forums include Quora, MedHelp (where you can ask a question about your health and get an answer), and Reddit.
Before removing an app from your phone or other device, consider deactivating your account. Here's why deactivating your account is helpful. When you uninstall an app from your phone or other device, it’s no longer on your device. However, your personal information usually stays with the app’s developer. If you don’t want the developer to keep your information, log into your account and deactivate it.
Keep everything updated. The FTC says that one of the best ways to protect your information is to keep your phone, computer, apps, and wearables up to date.
When updates are available, you’ll often receive a message from the company that manages your software like Apple or Microsoft. The message will tell you what updates are available. Always update your devices as soon as possible.
If your update setting is set to “automatic,” the updates should happen automatically. You can also update your phone or other device by going to Settings, finding the update section, and following the prompts.
Your apps and wearables should also automatically update if your settings are set to automatically refresh. If not, check your apps and wearables for updates. Checking your apps and wearables once a month for updates can help you keep them updated.
Use strong passwords and a different password for every account. Strong passwords limit who can access the information on your phone, home computer, and other devices. Protect your information by never sharing a password.
If having numerous passwords becomes a hassle, consider using a password manager. Before choosing a password manager, do your homework. Some are more secure than others.
Report your concerns to the FTC. On the FTC website, you’ll see that it “regularly brings enforcement actions against companies that misrepresent how they use or disclose sensitive health information.” If you think a health app, wearable, or other technology misrepresents how it uses or discloses sensitive health information, you can file a complaint with the FTC by going to ReportFraud.ftc.gov.
Think carefully before sharing your health information online and use privacy protections whenever possible to limit who can access your health information.
Henry TA. “How smartphone apps can—and should—protect users’ health info.” American Medical Association. Last updated 1/10/2022. Last accessed 4/13/2023.
Office of the National Coordinator for Health Information Technology. “Health IT: How to keep your information private and secure.” Last accessed 5/2/2023.
Peters B. “What happens to your personal data after deleting an app.” Techspective. Last updated 12/1/2020. Last accessed 5/3/2023.
U.S. Federal Trade Commission (FTC). “Consumer Alert: Does your health app protect sensitive information?” Last updated 1/13/21. Last accessed 4/21/23.
Zarefsky M. “Privacy concerns grow as more health data goes mobile during pandemic.” American Medical Association. Last updated 2/18/2022. Last accessed 5/5/2023.
Paula Ludmann, MS
Hassan I. Galadari, MD, FAAD
Mona Gohara, MD, FAAD
Roopal Kundu, MD, FAAD
Ivy Lee, MD, FAAD
Jennifer G. Powers, MD, FAAD
Sanna Ronkainen, MD, FAAD
Last updated: 6/22/23