TLDR; some pharmacies are able to use the data you shared to register for your flu shot [LIST] for advertising purposes. Are we down with that? PS. This post is very Ontario-specific.
It seems that both Shoppers and Rexall say that your data *may* be used by third parties to sell ads. đ
Maybe thatâs just a legal oversight on their part - a product of copy + paste Terms and Conditions. Or, maybe this is something worth examining in greater detail. đ¤ˇ
My end: Iâve been looking at (*googling with furrowed brow in my âspareâ time) the flu shot booking system stuff b/c I was really curious whether people would be able to re-sell their COVID screening time or flu shot registration; imagining that there was *some* sort of secondary market for them that could also be colonized by scalper bots. Why is that? 1. I need hobbies 2. I am fascinated by our efforts to regulate ticket scalper bots [~foreshadowing a future post~].Â
Which is to say: this more âMiss Marpleâ than The Markup. Like, Iâm literally a lady with a laptop. But I think somethingâs up. đľď¸ââď¸
In order to provide flu vaccinations, the province of Ontario has partnered with pharmacies/pharmacists. And this year, demand is up 500%.
In the event that the vaccine is available, shots are booked online. Right now, itâs a bit of a SNAFU and thereâs a shortage. It sucks! The flu shot is the new toilet paper. Everyone is annoyed. đ¤
Since we know why we canât get a flu shot right now, letâs ask a different question:
What do pharmacies âgetâ when you sign up for a flu shot?
A pharmacy may reward you for registering for a flu shot with them. This is new.
A pharmacy may use the information you share to register for that shot to serve you targeted ads. While this is disconcerting, it is permissible b/c pharmacies are technically data âcustodiansâ under PHIPA (Personal Health Information Protection Act) BUT the digital third parties they partner with are not. Depending on the arrangement, they are the custodianâs âagentâ or âservice provider.â Non-healthcare provider health companies arenât directly subject to health information privacy laws.Â
đ Whatâs the ârewardâ for booking a flu shot?
(*Other than inoculation).
In an online âchatâ with me, Shopperâs shared that:
You have the opportunity to receive 500 PC Optimum points if you register online for a flu shot reminder at shoppersdrugmart.ca/flu by Thursday, October 15th 2020.
(This is the equivalent of $0.50).
So there is a little incentive to register with Shopperâs.
Is this problematic? Somewhat. While itâs not all *that* different than the monetary value of getting a lollipop *after* your shot (my doctor offers full-size Mars bars and this is a huge motivator for me), you donât need to exchange anything in order to get that lollipop - itâs a bonus for getting inoculated, not the price of it. I find this disconcerting and a little silly, but itâs not my main beef.
đ What is Rexall doing with my flu shot info?
Probably not all that much, since theyâre passing the information onto MedMe.
Hereâs what Rexall says:Â
Please be advised that you are entering a website operated by MedMe Health. Rexall bears no responsibility for the accuracy, legality or content of this external site or any links on this website. Please contact MedMe Health for answers to questions regarding the content or operation of this website.
Terms of Service for MedMe Health and Privacy Policy
We may sell, rent or share your Usage Data and other Non-Personal Information including, without limitation, device IDs, advertising IDs or other persistent identifiers and non-precise geolocation information or precise geolocation information (if you choose to allow us to collect it), with third parties who assist us with our operations such as administration, analytics, research, optimization, and with our business partners in order to, among other things, allow them to serve more relevant advertisements tailored to you.Â
What about âRemedyâs RXâ?
Remedyâs RX represents independently-owned pharmacies. You can search online by city/address to see where you can book a flu shot. They use âPharmaclickâ as a secure order management system.
If there are third parties that process RemedyâsRx data, we will require them to hold all personally-identifiable information confidential, and to use our customer information only for the purpose of fulfilling their business obligation.
4 - No Collection of Personal Information for Browsing Purposes
RemedyâsRx does not collect personal information about you unless you either (i) send an email message to RemedyâsRx; (ii) apply online for a position with RemedyâsRx, (iii) use any of the online Customer Access such as, without limitation, PharmaClikâ˘, amongst others.
We do capture the paths taken as you move from page to page (i.e., your "click stream" activity). Information we collect on our websites may be used to enhance your use of these websites in ways such as:
Organize the website in the most user-friendly way;
Customize your browsing experience of this website;
Communicate special offers, information and featured items to you, if you choose to receive such notices;
Respond to your questions or suggestions.
[If youâve seen any weirdo language like this - let me know in the comments and I can update the post].
Itâs scary to think about the flu shot being used as an access point to...sell you stuff.Â
Another reason itâs problematic is the limited alternative(s), which right now is to go to your Doctorâs office, which may be closed or virtual.
Scarcity of the shot aside, policy people should be PISSED about these data grabs. đĄ
There are two levers of consent that are of interest here:Â
Consent to marketing;Â
Consent to healthcare. Â
So data-sharing with the pharmacy doesnât necessarily mean that the bargain with Canadaâs [mostlyâŚ] public health care system is changing to more closely mirror that of much of the internet - âif youâre not paying for it, you are the product.â
You shouldnât have to pay with your browsing data or trade any privacy to book your flu shot. People should have a clear choice to share their PII/PHI but not lose access to services.
The reality is that pharmacies may have to provide data to health care providers - to public health officials - if requested/authorized by law. The bigger issue is, of course, whether they are de-identifying registration information and selling insights on it.Â
Whereâs the policy opportunity here?
Itâs difficult to appreciate why third-party digital platforms working directly with pharmacies arenât considered to be health information custodians when they are being entrusted with the same information.
How can we clarify the role of private sector service providers under personal health data legislation and deem them responsible as âcustodiansâ or âtrusteesâ if they want to promote basic virtual care services to reduce strain on physical health care infrastructure?
If Shoppers/Optimum/PC/health care apps are just service providers and are only âcaughtâ by PIPEDA and not PHIPA, then that goes against consumer expectations.Â
Should consumer expectations align with actual regulatory decisions? We expect all health data is protected similarly, but itâs only given special protection if it is collected, used, or disclosed in the context of delivering health care.Â
đĄ It might also be a good idea to figure out the data boundaries with this online booking business before they carry over to the COVID-19 vaccination.
The Ontario legislature is clearly concerned about health privacy (they recently updated PHIPA) but have not yet brought the new provisions into force, which contemplate electronic agents.
đ´ââď¸ A source of inspo here? How about: Pelotonâs Terms? h/t Ellie.
Peltonâs terms are impressive for their comprehensiveness and how well theyâve made one policy apply for GDPR, CCPA and everywhere else. Itâs a reminder that one jurisdiction like California or the EU can have the side effect of making companies provide more rights/transparency in other jurisdictions. Given that Ontario has specific health privacy legislation, digital companies that partner with pharmacies should be able to comply with PHIPA. We just need to make sure the legislation accurately captures them.
đ Zooming out to the macro issues, a recent report from the Ada Lovelace Institute explores the âdataficationâ of health.
The âdataficationâ of health has profound consequences for who can access data about health, how we practically and legally define âhealth dataâ, and on our relationship with our own wellbeing and the healthcare system. Health information can now be inferred from non-health data, and data about health can be used for purposes beyond healthcare.
*Jesse Hirsh wrote about the report in his newsletter here.
đ˘ regs
The Personal Health Information Protection Act âPHIPAâ (2004) is Ontarioâs health-specific privacy legislation. It governs that manner in which personal health information may be collected, used and disclosed within the health sector. It regulates health information custodians, as well as individuals and organizations that receive personal health information from custodians.
With limited exceptions, PHIPA requires custodians to obtain consent before personal health information is collected, used or disclosed. In addition, PHIPA provides individuals with a right to access and request correction of their personal health information.
PHIPA also provides a means for redress through the Office of the Information and Privacy Commissioner of Ontario (IPC) when privacy rights relating to personal health information have been violated.
If pharmacies + their digital partners are being leveraged as health providers, they should fall under this legislation as a âcustodianâ [!]. AKA we need to proactively enforce recent updates to PHIPA.
Registering online for a flu shot requires you to offer certain information like your name, date of birth, address, and gender.
đ° riches
Digital data can be (or seem) valuable from an advertising perspective. We shouldnât blur the boundaries associated with handing medical data w/ advertising.
e.g. Companies like Carebook (which just raised $21M) have been collecting flu shot sign up information AKA I think they alsoâŚbuy it.
e.g. Companies like MedMe - a âpatient care platform to help pharmacists schedule, conduct, and track clinical services at scaleâ - which has partnered with Rexall for the flu shot - may be benefitting from digital data collected.
tldr;
đŠ People are getting screwed.
đ No one can get a flu shot.
đą But! Information you volunteered to register for one *might* be used to serve you ads, even though itâs not supposed to be.
đ New Digital Infrastructures of Workplace Health and Safety
Earlier, I profiled âSafen Labs,â new workplace tech that pledges to protect employees in the name of public health. I pointed out how the technology doesnât need formal Health Canada approvals as itâs ânot a medical device.â đ
A new report from the Centre for Media, Technology & Democracy at McGill and data & Society warns of how the pandemic is normalizing collecting employee information and surveillance.
