image: ambercoin via Pixabay  

 

Sleep Data Privacy Concerns: How to Keep Your Information Safe

 

By Admin

 

When it comes to developing technologies, laws and regulations often lag behind the pace of progress, but policies are often set in place to keep people and their information safe from compromise. While private rights experts have some concerns with how personal information such as health and therapy data is being transmitted and accessed online, the good news is that patients always retain the right to privacy. Nothing is 100% secure online, but as long as you follow a few safety precautions, know your rights and your options, and keep track of your data, you can retain control of these sensitive records and make your own decisions regarding their use or transmission. As with most safety measures online, it starts with a few fairly simple safeguards, but knowledge, essentially, is the first and most important requirement in self protection.  

What Data is Collected and How

The first step is to find out what data is collected by your specific model, and where it is stored or transmitted. Depending on the specific device and settings, data can be transmitted via Bluetooth connection, stored on an SD card, or sent using an internal modem or mobile wireless capabilities. Machines with wireless capabilities will upload information about patient usage to cloud platforms that present the data in various formats. To set up an account, you will enter a username and password, and can then adjust settings to your own preferences. Now it is important to know that when you register your product with the manufacturer, consent to use the device data is often part of the process. Your account on the manufacturer's website will collect some personal information as well, and every site has its own Terms of Use that imply consent of certain disclosures. These may vary from one website to another, and it is always good to read through the terms before utilizing a service online. The types of information gathered will often include the following:

  • Name, gender, and date of birth
  • Country of residence
  • Phone number and email address
  • Products you use for treatment (device and mask)
  • Therapy starting date
  • Your baseline AHI (Apnea Hypopnea Index)

 

After your treatment begins, your device’s nightly treatment data will either be stored internally, for example, on an SD card, or if a newer model, synched to your account online. This information typically includes:

 

  • Starting and stopping times
  • Mask on and off times
  • Leak information (max, mean, median, percentiles)
  • Sleep scores
  • Device settings
  • AHI for each session

Note: some may include additional health and breathing rate information when related to therapy effectiveness, etc.

 

Manufacturers will have their own privacy policies regarding your personal information and data, but consent must be given or implied through terms of use. Philips Respironics, for example (centered in Australia), states on its website that it will inform the patient and ask for “explicit consent” before collecting sensitive personal data. While ResMed explains in its privacy policy that providing any “sensitive personally identifiable information such as your sleep data and treatment information” is an express consent to process the data in accordance with their policies. Personal data used by manufacturers is encrypted during transit, as well as during any use of the site or service. It also remains encrypted in storage on the company servers. RedMed, for example, uses the AES encryption algorithm along with their own security and privacy controls to protect data and comply with all applicable data protection laws. ResMed, Philips Respironics, Fisher and Paykel, and other PAP device manufacturers have similar statements in their privacy policies against the sale or distribution of personal data. As international companies, they may, however, share data with subcontractors or subsidiaries used to analyze, market, or process information in bulk. These companies are contractually bound to the same policies as specified in their service contracts. Additionally, as ResMed warns in its policy statement, any “sale or partial sale” of the business or its interests may include personal data of clients. Manufacturers may also share unidentifiable data, and this is another area of data usage that has received criticism from security experts demanding that individuals maintain more control over their data, whether used anonymously or not. ResMed, like other companies, allows customers to limit the use of their data, but they must contact the company with a formal request. In the same way, patients can request the correction or deletion of any personal information about them once an account is created. One of the biggest problem areas is the lack of knowledge about how all of this works. Not everyone has the time or incentive to read through a privacy policy or terms of use page before setting up an account or making an order. But if these are areas of concern, there is no good reason to ignore them. Before you can keep your data safe, you have to know who is collecting it, where it’s being collected, and how it’s being used.

Compliance Data

So what is Compliance Data? Also referred to as “usage data,” compliance data is a summary of the data listed above for purposes of confirming and assessing proper adherence to prescribed treatments. Health Insurance companies use this data to determine whether the expenses of a CPAP machine are needed, or should be continued. In some cases, insurance providers will require a rented machine first in order to prove compliance before a purchase is made. In response to these demands by insurance providers, device manufacturers have made it easier for the companies to access the data needed to make an assessment, but some backlash has occurred in response to the limitations of the requirements, usually based upon the Centers for Medicare and Medicaid Guidelines for PAP device therapy (at least 4 hours per night during 70% of the nights in an initial thirty-day period). Some have even voiced concerns that the data is being used to deny patients a life-saving treatment, while insurers point out that compliance for PAP therapy is barely over 50 percent. This is an ongoing debate and requires further scrutiny to ensure that patient needs are being met in a fair and lawful manner, but the controversy surrounding health insurance practices and patient coverage is not likely end anytime soon. While providing patients with immediate feedback on treatment appears to have some positive influences on overall compliance, there are legitimate concerns about privacy and security. It is simply up to the patient to decide whether the risks involved are reasonable or not. Some patients appreciate the convenience and immediacy of data transmissions, as any physician or health provider can check their progress and therapy results without a visit to the office. Other patients may prefer to wait and share their data using an SD card simply for the piece of mind it gives them in maintaining control of sensitive information. It is up to the patient to make that decision.

The Controversy

Modern, data-capable PAP devices are another step in the direction of more effective, tailored care, and may even increase compliance, but it also raises concerns at a time when personal data is a controversial topic. The issue is twofold: involving both privacy and security. Cloud services, the Internet of Things (IoT), and wireless-capable devices can be prone to security vulnerabilities, and though tight policies and new laws help to protect information, there are always going to be risks of data breaches, data loss, malicious activities, and unfair practices by those in possession of your information. Lawsuits have arisen over the complications involved in using PAP device data to prove compliance. And both doctors and legal experts have raised concerns that data could be used to discriminate against patients or raise their costs.

It should be emphasized here that your insurance company will have access to all your medical records, including the data you eventually give to your physician if you’ve opted for using data cards to avoid wireless transmissions. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that insurance companies, healthcare providers, and equipment providers all maintain the highest levels of security available for personal data, but it does not forbid them from sharing data with other entities NOT covered by HIPAA. Once consent is given or implied through use of their services, they have the right to share as long as they use the precautions outlined in U.S. privacy law. What worries some doctors is that treatment decisions are being made arbitrarily using data alone. Assessment of such an important set of data with life-or-death consequences may require more than a health plan operations executive to provide the best treatment decision. If any of this concerns you, a data card can be used at any time. Simply turn off your device’s wireless adapter or switch to sleep mode to end transmissions of your data. Just make sure that you are entering the proper settings to keep your data stored and secure.

Privacy Laws

The controversy over PAP therapy data is part of a larger discussion about privacy rights in general, and laws such as the recent California Consumer Protections Act, signed into law last year, have increased protections for private and personal information. The location of the stored data and the legislation that protects that data, along with how the data is protected during transmission, have become important issues that need to be scrutinized for a more effective set of standards across the board. But as it stands now, any party holding the private information of others needs to ensure that all reasonable steps are taken to protect the information from misuse, tampering, loss, or disclosure. Importantly, the rights largely reside with the patient, and access to information about a person must in general terms be provided when they ask for it. Like many privacy laws in other countries, the strength of HIPAA lies in its focus on consent. The law protects personal health information in most circumstances, but manufacturers are not covered under its stipulations. Specifically, HIPAA covers data collected by healthcare providers, insurance companies, and billing systems, but not other entities involved in processing or storing the data are limited only by their contracts and the law’s demand for high security measures in data processing. Earlier this year, the eHealth Initiative Foundation and Manatt Health issued a brief calling for the creation of a values framework to better protect health information that is collected, stored, and used by organizations not covered by HIPAA rules. The Brief, entitled, Risky Business? Sharing Data with Entities Not Covered by HIPAA addresses the issue of HIPAA and data processing, as well as online forums and applications where gray areas emerge between entities sharing data. At the same time, a number of private rights organizations are seeking similar guidance in regard to data ownership, hoping to end free use of aggregated data that can be traced back to the individual. It is a rapidly changing medium, but the current momentum in the direction of personal rights to information is beginning to show progress.

Privacy Across Borders

It is also important to understand that when information is transmitted across national borders, the laws of your own country may not apply. This issue can come up if, for example, a software company uses servers located in another country (i.e. a country other than the one the data owner resides in). For the most part, other countries where device manufacturers are located, for example, Australia, have similar if not tighter protections for personal data. But even in the case of contracted services from areas with limited protections, companies like ResMed and Philips Respironics will include protections within the contract itself.

Best Practices for Patients

To ensure that your information safe, the first and most important step is it look before you leap. Any device or application that you use should first be checked for any default transmissions of data. Once you begin treatment, the data will already begin uploading, so this must be done first as a precaution. If you are not sure about the default settings, take your device to your doctor or the retailer to check all settings and make the necessary changes to match your preferences. And remember, it is easy to simply click on “I Agree” on website account setups without fully reading and comprehending the policies involved. These details are worth your time to read and understand, especially if you have privacy concerns. By engaging in these few simple safeguards, you can better protect your personal data and retain the privacy rights that your deserve as an American citizen:

 

1. Always check for any automated functions of a newly purchased device or application. In many cases, information is immediately transmitted to third parties of interest. If you are uncertain, turn off the wifi until you need it.

2. Always use an antivirus program on compatible devices.

3. When registering with websites or applications, be sure to use unique passwords with a variety of letters and symbols.

4. Always read the full text of any privacy policies of services that you use.

5. If you use a mobile device to monitor your sleep, be sure to enable password protection for the home screen.

6. Get regular updates for any software, apps, or PAP device accessories involved in your therapy, as updates are often security related and can keep your data and equipment safe trom the most recent threats.

7. Be careful about providing personal information to begin with, especially online. Never read, open, or otherwise click on emails or text messages you aren’t certain of.

 

Again, If you’re not 100% sure, opt for an SD card. You can always switch to wireless transmissions later after you have looked into it and taken all necessary precautions.

 

If you take these measures seriously and follow through with them, you should be able to keep your data as secure as it can be in the rapidly developing technological world we live in. The threats are real, but so are your rights. Keep that in mind, and you should be able to sleep easier, which is the objective in the first place.  

 

Sources

Bloomberg Law - https://news.bloomberglaw.com/health-law-and-business/is-your-sleep-apnea-machine-snitching-to-your-insurer

Canadian Respiratory Journal - https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2679572/

Digital Information Law - https://digitalinfolaw.com/what-you-should-know-about-anonymous-aggregated-data-about-you/

eHealth Initiative - https://www.ehidc.org/resources/risky-business-sharing-data-entities-not-covered-hipaa

HIPAA Journal - https://www.hipaajournal.com/concern-sharing-health-data-non-hipaa-covered-entities/

Journal of AHIMA - https://journal.ahima.org/2018/12/05/patients-frequently-unaware-that-many-medical-devices-gather-share-data/

Infosec - https://resources.infosecinstitute.com/how-to-safeguard-against-the-privacy-implications-of-cloud-computing/#gref

National Public Radio - https://www.npr.org/sections/health-shots/2018/11/21/669751038/you-snooze-you-lose-how-insurers-dodge-the-costs-of-popular-sleep-apnea-devices

Propublica - https://www.propublica.org/article/you-snooze-you-lose-insurers-make-the-old-adage-literally-true

ResMed - https://myair.resmed.com/myAir-mobile_privacy-policy.aspx

Reuters - https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing

Wiley Online - https://onlinelibrary.wiley.com/doi/full/10.1111/resp.13183