Is Personal Health Data for Sale?


The Health Insurance Portability and Accountability Act (HIPAA) is a federal law in the United States that was enacted in 1996 to protect individuals’ private health information from being shared without their consent. However, HIPAA may not apply to personal devices, software-based health-tracking applications, and websites that collect this type of sensitive data.

What is a data broker?

Data brokers are organizations that profit from collecting and selling personal information. They draw on sources such as search history, purchase history, online agreements, and public records. Brokers are able to obtain a significant amount of health data, especially mental health data, from personal devices, health-tracking software applications, and numerous websites.

Is it legal?

Unfortunately, it is generally legal for data brokers to collect and sell personal data, although there are rules on how these companies must operate. There is no federal law protecting consumer privacy. Individual states may have their own laws, such as California’s Consumer Privacy Act, which gives consumers the ability to see what information broker companies hold about them and the option to have it deleted.

Impact on individuals

Individuals may not realize how much of their health information is available to others. A good portion of the data that is collected and sold is mental health-related, including information about diagnoses, symptoms, and prescriptions. Because mental health conditions are stigmatized, having this information publicly available puts individuals at risk of being discriminated against in the workplace or being preyed upon by scammers.

Potential benefits

There are potential benefits to data mining, although special care should be taken to ensure privacy and allow consumers to opt out. One study developed an artificial intelligence model that uses patient health data to predict the risk of adverse outcomes from opioid prescriptions. The model was able to predict these outcomes with 90% accuracy, which could be useful for warning physicians of a higher risk of negative outcomes.


Many apps, websites, and types of software have fine print in their user agreements detailing whether personal data will be, or could be, sold. Be sure to check any agreements for this type of statement. There is often a way to “opt out” of data collection by checking or unchecking a specific box. Additionally, using a virtual private network (VPN) helps protect personal information by encrypting network traffic and hiding the device’s IP address, though it does not limit what an app collects directly from the device. Privacy-focused browsers can also reduce tracking when surfing the web. It is always best to be selective about what information is shared online, even when it seems private.

PainScale won’t sell or lease your personal data to a third party.

Additional sources: Duke University’s Sanford School of Public Policy, McAfee, and The Washington Post