The right to privacy and confidentiality for health information is deeply rooted in American history and tradition and in federal and state law. People living with HIV also have special concerns in keeping their health information private. These individuals have long faced harassment, discrimination, and stigma from society because of their HIV infection, and they still face this in today’s society. HIV also disproportionately affects marginalized populations such as gay and bisexual men, people of color, people engaged in sex work, and people who use drugs, and these groups face increased stigma.
In recent years, there has been increased concern with companies and new technologies not keeping HIV status information private. This blog post will discuss the Aetna privacy breach last year where 12,000 customers of Aetna had private information about their HIV status exposed. It will then explore the recent news that the dating application Grindr provided HIV status information to third-party companies. Finally, it will look at the new field of molecular HIV surveillance, which can be used to identify and target effective HIV prevention interventions but also raises some privacy concerns for people living with HIV.
Aetna Privacy Breach
In July 2017, the insurance company Aetna mailed letters containing information about changes in pharmacy benefits and access to HIV medications and accidentally exposed customer HIV statuses in clear envelope windows. The plastic window on the envelope not only revealed patients’ names and addresses but also referenced filling prescriptions for HIV medications. The implication of this was that whoever saw the letter was able to see individuals’ protected health information.
The letters were sent to Aetna customers taking medications for HIV treatment as well as for pre-exposure prophylaxis (PrEP), which involves people at high risk for HIV taking a pill containing two HIV medications to prevent HIV infection. In August 2017, attorneys from the Legal Action Center and the AIDS Law Project of Pennsylvania wrote a letter to Aetna demanding that Aetna stop sending customers mail that illegally exposes that they are taking HIV medication. Sally Friedman from the Legal Action Center said at the time that this disclosure of HIV status information by Aetna “creates a tangible risk of violence, discrimination, and other trauma.”
Aetna ended up settling a class action lawsuit related to this breach and agreed to pay $17 million to the individuals impacted. The settlement included a provision that Aetna institute a new “best practices” policy to prevent such a privacy breach from happening in the future.
Grindr Privacy Breach
Grindr is a dating app for LGBTQ individuals and has more than 3.6 million daily active users worldwide. The app has recently worked to address the stigma surrounding HIV and encourage users to get regularly tested for sexually transmitted infections. The app also offers free ads to remind users to get tested by showing HIV testing sites and has an option to remind users to get tested every 3 to 6 months.
News broke in April 2018 that Grindr was providing two other companies, Apptimize and Localytics, with information from the dating profiles of Grindr users. This information included an individual’s HIV status and a last tested date where users could list the date they were last tested for HIV. Grindr sent this information to the third-party companies with GPS data, phone IDs, and individuals’ email addresses. This made it possible to identify specific users and their HIV status. Grindr claimed the information was being sent to these companies because they are software vendors hired to improve the app, but Grindr agreed to no longer provide HIV status as part of the data sent to third-party companies.
Molecular HIV Surveillance
In the fight to end the HIV epidemic, there is now more of a focus on interrupting HIV transmission within clusters of people. There is an emerging field of molecular epidemiology that is using phylogenetic analysis to examine mutations in HIV strains to identify transmission patterns within communities and sexual and drug-using networks. The application of these tools offers an exciting way to effectively identify and intervene in places where HIV transmission is occurring. But there are some limitations and concerns with this type of information that must be considered. While the information can give a probability that two persons with HIV are closely linked, perhaps suggesting HIV transmission from one person to another, it does not show who transmitted HIV to whom. This technology also raises numerous unresolved privacy issues. These issues include potentially exposing individuals to criminalization, employment discrimination, or physical harm.
The O’Neill Institute will conduct a stakeholder convening in June 2018 that will bring together people living with HIV, federal, state and local health officials, ethicists, medical providers, and other stakeholders to identify and understand critical issues and facilitate a dialogue for how to proceed with the development and exploration of this technology in a way that maximizes HIV community support and minimizes harm. An appropriate investment in policy development to protect individuals will be critical to effectively using this technology to prevent HIV transmission.