U.S. States Selling Hospital Data that Puts Patients' Privacy at Risk

Given this week's revelations about the privacy—and the lack thereof—of our personal communications, maybe it's time to reconsider what former Principal Deputy Director of National Intelligence, Dr. Donald Kerr, meant when he said back in 2007 that,

Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture… We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment.”

And maybe we can even anticipate the next privacy crisis by taking a good look now at the ongoing assault on what I think most people agree remains an “essential privacy,” i.e., their private medical information.

Coincident with the NSA privacy flap, Bloomberg News ran a story this week on how many U.S. state health organizations are selling supposedly “anonymous” patient information to pharmaceutical companies, insurance companies and researchers that can, using other publicly available data and well-known analytical techniques, personally re-identify those patients. Bloomberg gave an example of a Washington State resident who went into diabetic shock and, as a result, had a motorcycle accident. The accident was covered in a local paper but only the most basic details were given of the person involved and the cause.

The Spokane hospital where the individual was treated sent as required all of his medical treatment  information including his age,  ZIP code, admission dates, and payment information to Washington State’s Department of Health Comprehensive Hospital Abstract Reporting System, or CHARS, a database of 650 000 previous state health care hospitalizations which is available for sale to the public. Bloomberg News bought the information for apparently less than US $175, and with some data analytic help by Harvard University’s Data Privacy Lab, was able to re-identify the individual as well as other patients who had received treatment at the same hospital.

You may wonder how this is possible, given the Health Insurance Portability and Accountability Act, or HIPAA, which sets strict rules on the disclosure of individually identifiable health information. HIPAA allows the disclosure of de-identified health information to be disclosed, but only if information on “the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual” as well as their name, address, birth date, etc. has been removed.

As it turns out, state-public health agencies received an exemption from HIPAA rules when it was enacted in 1996. So if an individual is treated at one of these state health agencies, exactly how “private” their personal medical information is all depends on the whims of the state where the treatment was performed. Some states have voluntarily decided to follow HIPAA guidelines, but Bloomberg found at least 26 states that don’t, including New Jersey, Tennessee, Texas, and Arizona, despite the additional risks to the patient of fraud or worse.

A few years ago, Bloomberg ran a story on how pharmaceutical companies were pushing hard to be able to analyze New York State health agencies hospitalization databases to help the companies identify potential patients to participate in their drug trials. While the drug companies wouldn’t re-identify the patients per se, they would be able to identify them to sufficient detail where the hospital that treated them could identify them. The hospital would notify the patient’s doctor of the drug company’s interest, who in turn could contact the patient to see whether he or she wanted to be part of the drug trial. That may or may not be objectionable, but it shows the power of the databases and the futility of the anonymitizing process.

Last year, USAToday did a story on how hospitals are mining their patient information to try to market them their services, while a story in the Guardian last month described how personally identified patient information collected by the UK National Health Service was being sold for a pittance (£140, or about $200) to a number of companies including the international healthcare company Bupa. The NHS says that it needs to provide this information to commercial companies to improve patient health by finding new medical treatments, not to mention helping UK pharmaceutical companies potentially make more money.

Given all the personal information publicly available for sale—the medical information databases join readily-available commercial databases for driver license information and web surfing habits and location data, to name just two—the NSA flap looks almost tame in comparison.

Photo: Danil Melekhin/iStockphoto

Related Stories

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributors

 
Contributor
Willie D. Jones
 

Newsletter Sign Up

Sign up for the ComputerWise newsletter and get biweekly news and analysis on software, systems, and IT delivered directly to your inbox.

Advertisement
Advertisement