The doctor will sell you now.

Intimate health information may not be as private as patients think if they don’t look carefully at the forms they sign at the doctor’s office.

There’s a burgeoning business in harvesting patient data to target ultra-personalized ads. Patients who think medical information should come from a doctor — rather than a pharmaceutical marketing department — might not like that.

But the good news is, you have the right to say no.

Here’s what’s going on: A company called Phreesia makes software used by more than 2,000 clinics and hospitals across the United States to streamline check-ins, replacing the clipboard and photocopied forms with screens on a website or app. The company says it was used for more than 100 million check-ins in the past year. Some patients use Phreesia’s software to do early digital check-in at home, while others use it on a tablet at the clinic.

But Phreesia doesn’t just make money by selling its software to doctor’s offices. It also has a business in selling ads to pharmaceutical companies that it displays after you fill in your forms. And it wants to use all that information you entered — what drugs you take, what illnesses you’ve had in the past — to tailor those ads to your specific medical needs.

Here’s why pharmaceutical companies might want this. The ads remind patients to ask their doctors about whatever drug they’re pushing right before they go into the exam room. With access to patient data, Phreesia can ensure that its advertising messages are shown to the most receptive audience at the moment they’re seeking care.

Advertising

But wait a minute: Isn’t health information supposed to be private?

“There is less protection than we all might think,” says Arthur Caplan, the head of the division of medical ethics at the New York University Grossman School of Medicine.

When the Health Insurance Portability and Accountability Act, or HIPAA, was written in the 1990s, medicine looked very different. “The privacy you were thinking about then was who could look at my paper chart,” says Caplan. Now that records are digital, they’ve developed lots of secondary uses.

Phreesia says it isn’t the same as your clinic or hospital, which is considered a “covered entity” under HIPAA. Instead, Phreesia is a “business associate” of providers, and automatically allowed to process data for the purposes of assisting your doctor and collecting payment.

But for Phreesia to make extra use of data to show ads, HIPAA does require that patients opt in. That’s why they want them to tap “I accept” on that form.

You have the right to say no. To do that, be on the lookout for the button labeled “I decline.” If you say no, nothing is supposed to change about your doctor’s visit, Phreesia says. (If you previously tapped “I accept” and now want to change your mind, you can email privacy@phreesia.com or tell your doctor’s office.)

Advertising

More

Phreesia says it does not “sell” data. Instead, Phreesia mines data and uses it to target ads on its own system without passing the information to others. (That’s a privacy argument I also often hear from Facebook and Google.) Phreesia also says it doesn’t track patients in other digital places, and consenting won’t result in eerily targeted ads on other websites and apps.

But still, why would a patient want to say yes? David Linetsky, who runs Phreesia’s life-sciences advertising business, says that in a world filled with misinformation, the ads give people knowledge, skills and confidence to advocate for themselves — and leads to better health outcomes.

He says Phreesia’s targeted ads are particularly useful for people with rare diseases, where they’re part of small patient populations. “It’s very, very hard to get information in front of them — potentially lifesaving information,” said Linetsky. “And I think that we offer a privacy-safe and respectful way of doing that.”

To be clear, Phreesia’s ad business also leads to better outcomes for pharmaceutical companies. The company’s annual report boasts to advertisers that it “increases incremental prescriptions with existing patients.”

Phreesia is not the only medical-data business that wants access to patient records to show them ads. “Patient portals” used by many doctors claim the right to patient information to show ads.

Is this kind of business ethical?

“Everybody who is trying to get you to a secondary use of your data should be required to have clear understandable consent,” said Caplan, the medical ethicist. “You should know what you’re opting into and out of. None of this fine-print stuff.”

Do patients really even know they have the right to decline Phreesia’s ad targeting? The company declined to say what percent of patients say no.