NOCD: Helpers or doing bad things with your data?
Published May 2022
I’ve heard only positive things about NOCD since they showed up on my radar awhile ago. If you haven’t heard of it, it’s a mental health tech company that supports folks with OCD. Their founders and leaders seem to have their hearts in the right place and reports I’ve heard from their clients are overall quite good. They’re providing evidence-based treatments. And I think they are employing active clinicians to advise them on implementation issues. All in all, they seem to be doing things right.
So imagine my surprise when the Mozilla Foundation published this report on their privacy practices. This article understandably ruffled major feathers at NOCD and they published a response, rebutting Mozilla’s claims. I read both and I feel like the Mozilla authors and the NOCD CEO are talking past each other, neither understanding the other’s point of view. I feel like I need to explain medical privacy vs. privacy in general. For those of you who don’t know, my first career was in technology consulting and so while I may have some rust on my gears, tech is also my world.
The Mozilla Foundation has “Privacy Not Included” guide that reviews various technologies against their privacy standards. They are talking about personally-identifiable data that includes both general data (not protected by HIPAA) and medical data. The NOCD respondent seeks (but fails, IMHO) to differentiate private health information (PHI or medical data) from general data about their clients.
Personal (identifiable) Health Information (PHI)
PHI is your personal medical record and most things it contains pertaining to diagnosis and treatment of medical conditions. PHI is covered by HIPAA and the business associate agreements (BAAs) referenced by the NOCD leader. In the USA, if you’re dealing with PHI AND you’re a “covered entity” as defined by HIPAA, you have to keep PHI safe in very particular ways. If you fail to meet that standard, you have to tell the people whose data has been compromised. For example, as a clinician, I would have to notify clients and potentially even the government privacy office AND the media, if I leaked my client’s personally identifiable health information. This is a HIPAA data breach. We all live in fear of these breaches. PHI has a lot of protections and is ONE type of data NOCD keeps and strongly claims to protect (I believe them).
De-identified health information
Let’s remove your name, birthdate, address, and anything that might be traceable to you from your chart and medical data. Boom - you have de-identified health information. When you sign those HIPAA forms at your doctors office, you generally authorize them to use de-identified health information for making business decisions, to conduct research on, and for other purposes that help the people who house it. There is a BIG MARKET for this kind of information! I’m sure NOCD has a policy that lets them do some stuff with de-identified health information. Every health provider does, even me (although I’ve never actually done the research that’s outlined in my HIPAA policies as an allowed use). Let’s say that I have de-identified data set so that you cannot identify WHO my clients are, for the purposes of my own research. Then, let’s say that I leaked that data. Because there’s no way to trace it back to my clients, that’s not a breach of PHI under HIPAA. De-identification makes it a non-breach. You might not like it for the ick factor but it can’t be traced back to you.
Other valuable information NOT covered under HIPAA
Mozilla primarily writes about privacy issues related to this type of data. Let’s call it “general personal data.” This might be when an app on your phone tracks your demographic information, what soda you like, your location, your purchases, what you clicked on when looking at social media, etc. This information is identifiable in that an engineer at Google could probably easily find information on you personally and tell you where you last bought clothing. But this information isn’t tied to your PHI, directly. I rather enjoy that Meta, Inc. knows what clothes to show me when I log onto their platforms because I can hardly dress myself. Quick digression: I saw so many of these brands’ brick and mortar (literally) stores yesterday in beautiful Georgetown and I was like “yep that Meta algorithm has me pinned!” THIS DATA RUNS THE INTERNET AS YOU EXPERIENCE IT. Mozilla has legitimate concerns about how companies profit off of this data about us but I think we’ve had enough conversations about this type of internet privacy to have our own views about it at this point.
When PHI meets “other valuable information” (or does it?)
What’s unclear to me (and most other clinicians I know) is to what degree protections are in place to keep the less-sensitive mountain of data about us used by advertisers from getting cross-referenced with PHI. And of course, where’s the line with PHI? The line HIPAA draws for PHI is actually different than most clinician’s ethical codes about what we treat as PHI (the law is less strict than our ethics).
I’m sure that HIPAA addresses some of this from the LEGAL perspective. But ethically, therapists have been trained to believe that the fact someone is using NOCD at all, would be PHI because it suggests strongly that the person has OCD. The government might not agree. But I think this confusion about the difference between HIPAA and our ethical codes and the lack of transparency about cross-referencability of therapy app data and general data is getting everybody really fired up!
If your head is spinning, I don’t blame you. It’s taken me a whole latte to write this down and I’m sure it’s still not clear. The TLDR version is, “HIPAA, ethical codes, PHI, and other app information is all a giant tangle of misunderstandings and everyone’s mad,” is the best summary I can come up with.
In good news, we’re talking about all of this more and there are some great resources to get started on understanding these concepts:
Only 2 of 32 apps passed the privacy test. https://techacute.com/mozilla-warns-29-of-32-mental-health-apps-have-privacy-issues/
https://www.thecut.com/article/mental-health-therapy-apps.html
I’ll keep adding to this list over the next week!
Still here in beautiful DC. They’ve added some incredible new monuments since I last spent time here as a tourist.