
Do Consumers Care About Healthcare Privacy and Security?

Analysis | By Eric Wicklund | August 09, 2023

A recent survey finds that consumers aren't concerned about protecting their personal health information on digital channels, and they may not understand what HIPAA does and doesn't do. But that doesn't mean providers can take it easy on cybersecurity.

Healthcare organizations that are working to protect patient data on digital channels may be coming up against an unexpected barrier: Their patients may not care.

Some 58% of consumers surveyed earlier this year by The Harris Poll on behalf of ClearDATA said they've never considered where their health information is shared while they're using digital health apps, and only 27% of those surveyed place privacy and security among the top three factors when choosing an online care provider.

The May survey of some 2,053 consumers raises an interesting question: Are consumers not that interested in cybersecurity, or are they mistakenly assuming their sensitive health information is being protected?

“As more and more Americans flock to direct-to-consumer digital health apps and resources, most people don’t know the sensitive health data they share with these companies could be passed on to third-parties or sold to data brokers, without so much as a single consent form,” Chris Bowen, ClearDATA's founder and chief information security officer, said in a July press release on the survey's results. “No company should ever be allowed to profit off a person’s private health information. Far more needs to be done to protect PHI at a regulatory level and, in the meantime, digital healthcare companies bear a particular responsibility to better educate patients about how their data will be used, and what they can do to keep their data private.”

Ignorance may be a factor. Some 81% of consumers surveyed said that they assumed their data was protected by the Health Insurance Portability and Accountability Act (HIPAA), and 68% reported they're somewhat or very familiar with HIPAA. Yet HIPAA makes no mention of protected health information (PHI) used or stored on digital health apps or by healthcare organizations that aren't "covered health entities," like health systems and providers.

That could be a problem as more and more consumers use digital health apps or seek care from non-traditional care providers, particularly through online channels. It also reinforces an effort within the healthcare industry to have the federal government update HIPAA.

Regardless of the debate around HIPAA, the survey points to a lack of interest among consumers in placing a value on privacy and security. While 27% listed privacy and security as one of their top three concerns when picking a care provider, other factors getting more support were acceptance of health insurance (68%), the option for in-person care (49%), and an immediate response to booking an appointment or getting medication (41%).

That's especially true among younger generations who are more accustomed to going online for healthcare. While 69% of those over 65 surveyed regarded privacy and security as more important than convenience, only 54% of consumers between the ages of 18 and 34 agreed. And while only 17% of seniors said they'd still use a digital health app if they knew their data would be shared with third parties for marketing purposes, a staggering 60% of those 18-34 said they'd still use the app.

That said, just because consumers don’t seem to place value in health systems protecting their PHI doesn't mean those health systems can slack off. On the contrary, data breaches, hacks and ransomware attacks are happening with more frequency and complexity, and health systems need to expend more time and effort to make sure their cybersecurity defenses are effective.

In addition, these breaches may result in litigation. Several healthcare organizations, including HCA Healthcare, Johns Hopkins, Norton Healthcare, Mercy Health, Harvard Pilgrim Health Care Plan, and NextGen Healthcare, are facing class action lawsuits over recent data breaches.

The answer, then, may lie in education. Health systems should not only inform their patients about what they're doing to protect PHI, but also explain the importance of securing that information from prying electronic eyes. And that education should include information on what HIPAA covers and what it doesn't.

Eric Wicklund is the associate content manager and senior editor for Innovation, Technology, and Pharma for HealthLeaders.


A Harris Poll survey of some 2,000 consumers finds that 58% haven't considered where their PHI is shared when they use digital health apps, and only 27% say privacy and security is a factor when they're shopping for care online.

According to the survey, 81% mistakenly believe HIPAA covers their PHI on digital health apps and when used by non-traditional healthcare providers.

The results should prompt healthcare organizations to spend more time and effort on educating consumers, both on how PHI is protected and why that's important. They should also provide information on what HIPAA does and doesn't do.
