Uber Health: Sharing rides is one thing, but what about sharing health information?

Edward Mitchell BARRY NILSSON LAWYERS

What is Uber Health, and what are they trying to revolutionise? What privacy risks are associated with Uber Health, and what are the privacy risks to consumers? What are some recent cases of data breaches, how is Uber Health susceptible to these attacks, and what are they doing to prevent them?

This article comes from the experts behind the Health Law Bulletin. The bulletin covers up-to-date news, information, and analysis on the rapidly changing healthcare industry in Australia. The Australian Health Law Bulletin is essential reading for lawyers and practitioners across the health and medical industries.

Health Law Bulletin subscribers can access the full article HERE.

What is Uber Health?

Uber Health is a new non-emergency patient transport service that has recently launched in Australia. Uber Health allows health professionals and organisations to schedule, manage and pay for rides for their patients, caregivers and staff to and from their clinic, hospital or health service. Australia will be the first market outside the USA to trial the new platform.

Uber Health describes itself as:

a technology solution for healthcare organisations that leverages the ride-hailing power of the Uber platform. The web-based dashboard allows hospitals and other healthcare professionals to request, manage, and pay for non-emergency rides for others, at scale. Healthcare organisations are using Uber Health to help get people to and from the care they need, and to get staff to and from work.

Uber Health is designed to improve patient accessibility to healthcare and address inefficiencies and monetary losses arising from missed appointments. Although access to healthcare appointments in Australia is mostly free, the reality is that the cost of healthcare is incurred by Australian taxpayers. Missed medical appointments are placing an increased strain on the country’s healthcare system, both in terms of financial and resourcing constraints. Uber Health attempts to address these issues whilst capitalising on the need for patient transportation.

There is no requirement for patients to download the Uber app or to even have a mobile phone or credit card — alerts are sent via text message or landline calls with details of the ride provided in more than 20 languages. Health service providers can schedule rides on behalf of patients, caregivers, and staff to take place immediately, within a few hours, or up to 30 days in advance, which allows for transportation to be scheduled for follow-up appointments while still at the healthcare facility. The service is likely to be of particular benefit to Australia’s elderly population to get to and from their medical appointments.

Privacy risks

The potential privacy issues arising from the use and/or storage of health information are obvious. In relation to this issue, Uber ANZ has stated:

The Uber Health dashboard was specifically designed with healthcare companies in mind, so you can safeguard your patients’ information from start to finish … No medical data is stored on the Uber Health platform … We’ve worked with health industry experts to build a robust platform with patient privacy front and centre of this service. We have numerous safeguards in place to protect patient health information, including preventing the collection of any health information that is unrelated to the request for a trip. Ride information is encrypted, and for drivers the trip is no different from a normal Uber trip, to ensure patient privacy is upheld to the highest standard.

Uber has stated that its drivers would not be informed if a trip was booked through Uber Health and that data on Uber Health trips will only be accessible to “those who need it to support the patient”, presumably in an emergency. Whether or not these statements offer adequate reassurance to the Australian public or health professionals in relation to the privacy of health information remains to be seen, particularly given the recent hacking of Uber’s data reported by The New York Times and noting that in 2021, Uber was found by the Australian Privacy Commissioner (APC) Angelene Falk, to have breached a number of the Australian Privacy Principles contained in Sch 1 of the Privacy Act 1988 (Cth) in relation to the cover-up of a cyber-attack. Further, many Australians (more than 2.5 million) have opted out of the federal government’s My Health Record due to security concerns following early issues that prevented clinical use and recently, the South Australian Ambulance Service announced that the personal details of 28,000 patients were stolen when a storage device was stolen from a consultancy firm.

The recent hacks of Optus and Medibank Private resulting in personal data and in the latter case, sensitive information about health claims of almost 10 million current and former customers has highlighted the risks involved in the storage of personal and health information and prompted legislative reform. The amendments set out in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which passed both Houses of Parliament on 28 November 2022 and became law on 13 December 2022, significantly increase the maximum penalty that may be imposed for a serious or repeated privacy breach. Under the new scheme, the maximum penalty for a body corporate under the Privacy Act 1988 (Cth) (Privacy Act) has increased from $2.5 million to either $50 million, three times the value of any benefit reasonably attributable to the privacy breach, or 30% of the entity’s adjusted turnover for the relevant period (whichever is highest).

The amendments also:

• render it an offence for a body corporate to engage in a system of conduct or pattern of behaviour that results in multiple failures to give information, answer a question or produce a document or record when required (punishable by up to $66,600); and
• increase the penalty that may be imposed for a failure to comply with a notice issued by the APC, from $4440 for individuals and $22,200 for bodies corporate, to $13,320 for individuals and $66,600 for bodies corporate.

Under the new scheme, the APC will also be given the power to:

• issue infringement notices;
• obtain information regarding an actual or suspected data breach;
• share information with other Commonwealth enforcement or complaint authorities, State or Territory authorities with functions of protecting the privacy of individuals, or foreign government authorities with functions of protecting the privacy of individuals;
• disclose information where it is in the public interest to do so; and
• where the APC determines that an entity has breached an individual’s privacy, require that entity to:
  • —engage a suitably qualified independent adviser to conduct a review of the entity’s acts or practices, the steps the entity has taken to ensure the privacy breach is not repeated or continued, and any other matter specified by the APC that is relevant to the entity’s acts or practices or to the complaint; and
  • —publish a statement about the conduct that constituted the privacy breach, including what the conduct was and what steps the entity has taken to ensure it is not repeated.

Risks to patient health

In addition to privacy issues, another potential area of concern is the medical risk to patients during a trip. Uber currently offers “Uber Assist”, a service for the transportation of disabled or mobility-challenged people. Uber Assist drivers are required to complete independent training from a third-party organisation about how to help riders into vehicles, however, Uber Health drivers are not required to undertake any additional training. Uber has stated that the healthcare organisations arranging the rides are instructed to never book Uber Health rides for patients who could present a medical risk during a trip, including emergency patients and patients with infectious diseases. State ambulance services already contract non-urgent patient transport to third-party transport providers and more than 9600 people were transported to medical care by taxis organised by Ambulance Victoria in 2020–21. However, in 2018 Ambulance Victoria faced scrutiny for ordering a taxi to take a woman with acute appendicitis to hospital.

Conclusion

Whilst there are numerous potential benefits to Uber Health’s new non-emergency patient transportation service, it remains to be seen whether issues relating to patient privacy and medical risk become real issues for Uber Health, its drivers or its users. The amendments to the Privacy Act certainly provide significant financial incentives to Uber and other large corporations to take measures to protect against privacy breaches.