
U.S. States Selling Hospital Data that Puts Patients' Privacy at Risk

Data can be used to re-identify patients despite their being made "anonymous"


Given this week's revelations about the privacy—and the lack thereof—of our personal communications, maybe it's time to reconsider what former Principal Deputy Director of National Intelligence, Dr. Donald Kerr, meant when he said back in 2007 that,

“Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture… We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment.”

And maybe we can even anticipate the next privacy crisis by taking a good look now at the ongoing assault on what I think most people agree remains an “essential privacy,” i.e., their private medical information.

Coincident with the NSA privacy flap, Bloomberg News ran a story this week on how many U.S. state health organizations are selling supposedly “anonymous” patient information to pharmaceutical companies, insurance companies and researchers, information from which those patients can be personally re-identified using other publicly available data and well-known analytical techniques. Bloomberg gave an example of a Washington State resident who went into diabetic shock and, as a result, had a motorcycle accident. The accident was covered in a local paper, but only the most basic details were given of the person involved and the cause.

The Spokane hospital where the individual was treated sent, as required, all of his medical treatment information, including his age, ZIP code, admission dates, and payment information, to Washington State’s Department of Health Comprehensive Hospital Abstract Reporting System, or CHARS, a database of 650 000 previous state health care hospitalizations which is available for sale to the public. Bloomberg News bought the information for apparently less than US $175 and, with some data analytic help from Harvard University’s Data Privacy Lab, was able to re-identify the individual as well as other patients who had received treatment at the same hospital.
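The fields the article names (age, ZIP code, admission date) are classic quasi-identifiers: none identifies a person alone, but their combination often does, which is what makes linkage against a news report possible. The check a releasing agency would want before publishing such an extract is how many records share each quasi-identifier combination (the k-anonymity of the release). The following is an added example, not code from the article, Bloomberg, or the Data Privacy Lab; the records are constructed sample data, not CHARS data, and the generalization rules (10-year age bands, 3-digit ZIP prefix, quarter of admission) are assumptions chosen for illustration.

```python
"""Measure quasi-identifier uniqueness (k-anonymity) in a hospital-discharge extract
and show how generalizing the fields raises the minimum group size before release."""
from collections import Counter
from datetime import date

# Constructed sample records (not real CHARS data). The quasi-identifier fields
# mirror the ones the article says were released: age, ZIP code, admission date.
RECORDS = [
    {"age": 43, "zip": "99201", "admit": date(2011, 5, 3), "dx": "diabetic ketoacidosis"},
    {"age": 43, "zip": "99201", "admit": date(2011, 5, 9), "dx": "fracture"},
    {"age": 67, "zip": "99203", "admit": date(2011, 5, 3), "dx": "pneumonia"},
    {"age": 67, "zip": "99203", "admit": date(2011, 5, 3), "dx": "pneumonia"},
    {"age": 29, "zip": "99208", "admit": date(2011, 6, 14), "dx": "appendicitis"},
    {"age": 24, "zip": "99208", "admit": date(2011, 6, 20), "dx": "asthma"},
]


def raw_key(r):
    """Quasi-identifier tuple exactly as released: exact age, full ZIP, exact admission date."""
    return (r["age"], r["zip"], r["admit"].isoformat())


def generalized_key(r):
    """Assumed generalization: 10-year age band, 3-digit ZIP prefix, admission quarter."""
    band_low = r["age"] // 10 * 10
    quarter = (r["admit"].month - 1) // 3 + 1
    return (f"{band_low}-{band_low + 9}", r["zip"][:3], f"{r['admit'].year}Q{quarter}")


def group_sizes(records, key):
    """Count how many records share each quasi-identifier tuple."""
    return Counter(key(r) for r in records)


def k_anonymity(records, key):
    """Smallest group size. k == 1 means at least one record is unique on the
    quasi-identifiers and can be linked to a single person by an outside source."""
    sizes = group_sizes(records, key)
    return min(sizes.values()) if sizes else 0


def singletons(records, key):
    """Records that are the only member of their quasi-identifier group."""
    sizes = group_sizes(records, key)
    return [r for r in records if sizes[key(r)] == 1]


def release(records, key, k):
    """Suppress any record whose quasi-identifier group is smaller than k,
    so every published record is indistinguishable from at least k-1 others."""
    sizes = group_sizes(records, key)
    return [r for r in records if sizes[key(r)] >= k]


if __name__ == "__main__":
    for name, key in (("raw", raw_key), ("generalized", generalized_key)):
        print(f"{name}: k={k_anonymity(RECORDS, key)}, "
              f"unique records={len(singletons(RECORDS, key))}, "
              f"publishable at k=2: {len(release(RECORDS, key, 2))} of {len(RECORDS)}")
```

On the raw fields four of the six constructed records are unique, so a news item giving age, neighbourhood and accident date would single them out; after generalization every group has at least two members. Generalization and suppression trade away precision the buyers want, which is the tension the article describes; the point of the check is that an agency can quantify that trade before the data leaves the building rather than after a reporter does the linkage.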

You may wonder how this is possible, given the Health Insurance Portability and Accountability Act, or HIPAA, which sets strict rules on the disclosure of individually identifiable health information. HIPAA allows de-identified health information to be disclosed, but only if information on “the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual” as well as their name, address, birth date, etc. has been removed.

As it turns out, state public health agencies received an exemption from HIPAA rules when it was enacted in 1996. So if an individual is treated at one of these state health agencies, exactly how “private” their personal medical information is depends entirely on the whims of the state where the treatment was performed. Some states have voluntarily decided to follow HIPAA guidelines, but Bloomberg found at least 26 states that don’t, including New Jersey, Tennessee, Texas, and Arizona, despite the additional risks to the patient of fraud or worse.

A few years ago, Bloomberg ran a story on how pharmaceutical companies were pushing hard to be able to analyze New York State health agencies’ hospitalization databases to help the companies identify potential patients to participate in their drug trials. While the drug companies wouldn’t re-identify the patients per se, they would be able to identify them in sufficient detail that the hospital that treated them could identify them. The hospital would notify the patient’s doctor of the drug company’s interest, who in turn could contact the patient to see whether he or she wanted to be part of the drug trial. That may or may not be objectionable, but it shows the power of the databases and the futility of the anonymizing process.

Last year, USA Today did a story on how hospitals are mining their patient information to try to market their services to them, while a story in the Guardian last month described how personally identified patient information collected by the UK National Health Service was being sold for a pittance (£140, or about $200) to a number of companies including the international healthcare company Bupa. The NHS says that it needs to provide this information to commercial companies to improve patient health by finding new medical treatments, not to mention helping UK pharmaceutical companies potentially make more money.

Given all the personal information publicly available for sale—the medical information databases join readily available commercial databases for driver license information and web surfing habits and location data, to name just two—the NSA flap looks almost tame in comparison.

Photo: Danil Melekhin/iStockphoto
