When the investigative journalism organization ProPublica published an article explaining how insurance companies monitor the sleeping patterns of sleep apnea patients via modems attached to CPAP machines, many readers reacted with alarm about a perceived violation of patient privacy. While the article didn’t uncover any HIPAA or general privacy violations in the use of patient data, it did reveal the extent to which consumers are unaware of how their health data is being used.
The ProPublica article detailed how several individuals with sleep apnea—a sleep disorder that causes individuals to stop breathing while they are asleep—came to learn that the devices they use to ensure restful sleep were tracking their utilization data and sending it to their insurance companies and equipment suppliers. Individuals with sleep apnea use continuous positive airway pressure (CPAP) machines while they sleep, and new models have either built-in or attachable modems that automatically transmit patients’ utilization and compliance data straight to insurance companies. With older CPAP machines, physicians monitored patient compliance by analyzing the data from a detachable microchip that could be removed from the machines by the patient or physician. Newer models skip that step with modems, which some patients don’t know about until their insurance company refuses to pay for replacement equipment due to noncompliance.
One such patient was ProPublica’s deputy managing editor, Eric Umansky, who learned his insurance company was tracking his sleep when it declined to pay for a new mask by citing Umansky’s noncompliance. Umansky said he was not meeting the required number of hours of use per night—a consequence, according to Umansky, of using a mask that had been worn down by use.
“You view it as a device that is yours and is serving you,” Umansky told ProPublica. “And suddenly you realize it is a surveillance device being used by your health insurance company to limit your access to health care.”
However, privacy experts point out that no privacy rules are being violated in these information exchanges. The insurance companies are HIPAA-covered entities and as long as they have the proper business associate agreements in place with the equipment suppliers, they’re in compliance with the law.
A follow-up article by ProPublica confirmed that CPAP machines are just one of many medical devices that use patients’ data in ways of which patients may be unaware. Heart monitors, glucose monitors, and lifestyle monitors such as Fitbits and step counters also collect data that can be used in a multitude of ways.
“It can be packaged and sold for advertising. It can be anonymized and used by customer support and information technology companies. Or it can be shared with health insurers, who may use it to deny reimbursement. Privacy experts warn that data gathered by insurers could also be used to rate individuals’ health care costs and potentially raise their premiums,” the article states.
Privacy experts advise that patients usually are asked to give consent for their data to be used—though many are still unaware of downstream uses.