Privacy advocates fear massive fed health database

Please see the article “Privacy advocates fear massive fed health database” in Computer World, by Jaikumar Vijayan.

Many state and federal agencies either release or will soon release massive free or low-cost “public use data files” without testing to make sure that our sensitive personal health information cannot be re-identified, and without obtaining our consent to use our health information.

Describing databases as “anonymized” or “de-identified” lulls the public into thinking that their health records are safe and cannot be re-identified. But that isn’t true. Every method to prevent data from being re-identified should first be tested and proven.

Patient Privacy Rights recommends that any health data set should be subject to “adversarial challenge criteria” to assess the actual threats/risks of re-identification of the data before release. See “Notes About Anonymizing Data For Public Release” by Andrew Blumberg PhD at: http://patientprivacyrights.org/wp-content/uploads/2010/10/ABlumberg-anonymization-memo.pdf

After the challenge criteria are used to test the data, patients should be informed of the risk of re-identification and asked for consent to include their data.

Even the NIH had to close down a database of genetic information that was supposedly de-identified after the 141st researcher who downloaded the database reported that they could re-identify actual patients.

It’s extremely hard to create health data sets that cannot be re-identified. Given that fact, patient consent should be required for the use of health data and patients should be informed of the risks of re-identification BEFORE their data is included in public use data sets.

Without basic protections, i.e., requiring informed consent and adversarial challenges, our health data will be used to create valuable, detailed profiles of each of us—and our own health records will be sold and used to discriminate against us in employment, credit, and other opportunities in life–not for research to improve our health and improve treatment.

Unsafe data in Texas

Last month, a Texas online news site, the Austin Bulldog, published a lengthy investigative report on the sale and gifting of patient-level hospital data by the Texas Department of State Health Services.

Reporter Suzanne Batchelor’s remarkable story found that if you’re a Texan, your healthcare data can be given away or sold without your consent. And the Health Insurance Portability and Accountability Act, the main federal health information privacy law, won’t—or can’t—protect you.

In Texas, the health services department gathers claims data from hospitals by law—providers can be fined as much as $10,000 if they don’t hand it over. But the department isn’t a so-called “covered entity” as defined by HIPAA. So, the state isn’t covered under the HIPAA privacy rule if it does anything that would be a violation if performed by a data-providing hospital…

…The state knows the public-use data file is vulnerable. A user’s manual (PDF) contains this caveat: “It may be possible in rare instances, through complex analysis and with outside information, to ascertain from the PUDF the identity of individual patients. Considerable harm could result if this were done.”

Comments: ONC studying risks of de-identified patient records

It’s nice to know that the federal government will “analyze the science of de-identification and re-identification” before releasing health data. See the article from Government Health IT: ONC studying risks of de-identified patient records (written by Mary Mosquera).

But instead of each patient being informed about the level of risk and then deciding if that level of risk is acceptable before agreeing to participate in research, the government will decide the “acceptable level of risk in order to be able to use the data”.

Two major problems need to be addressed before “de-identified” public use data (PUD) is released for “research”:

1) The “research” loophole in HIPAA allows any corporation to get access to our health data without consent, at low or no cost, simply by claiming that it is doing research. This loophole needs to be closed. Most ‘research’ use of health data today is NOT what Congress intended, i.e., research to improve patient health or to prevent illness. Instead, corporations claim our data will be used for ‘research’ when in reality they sell it or use it for business analytics. Business analytics is used by industry to discriminate against people in jobs, credit, and educational opportunities. The health data mining industry is exploiting the “research loophole” to obtain Americans’ health data to improve revenues, not to improve patient treatment or health. The name for that is fraud.

2) Who decides what level of de-identification is ‘safe’ enough? Should the federal government decide for us? Or should we be able to decide what risk we are willing to accept?

Patient Privacy Rights submitted a memo to CMS highlighting the difficulties of anonymizing data for public release and advocating an “adversarial challenge” criterion for assessing the threats associated with such releases. See: NOTES ABOUT ANONYMIZING DATA FOR PUBLIC RELEASE, by Andrew J. Blumberg.

BTW: what if banks suddenly decided that account holders would now have to accept a .04% risk of electronic theft of funds and/or a .04% rate of errors in our deposits, and declared that ‘safe’ enough? Would you accept that low a level of risk? Is any rate of theft or error acceptable for our money?

Why should we accept anything less than a zero percent risk of theft or error for our health records?

And TX isn’t the only state selling your information…

Texas is not the only state in the US selling or giving away sensitive hospital records to anyone who wants them; this is a devastating privacy problem every state must face.

See the Investigative Report done in Texas.

$39 billion in stimulus funds will be used to build a nationwide health IT superhighway system, exponentially expanding the theft, sale, and use of the health information of all 300 million Americans. Texas will get $38 million to exchange Texans’ health data.

How much money will your state get? BEWARE the form of consent used for Health Information Exchange (HIE) in your state.

  • Each state sets up its own consent rules for HIE and industry is pressuring states to use the worst kind of consent: “opt-out”.
  • The state of NY is going to share EVERYONE’S health data unless they “opt-out”.
  • In AZ, the use of “opt-out” for health data exchange failed.
  • TX has yet to decide what kind of consent it will use for data exchange.

It’s critical to insist that your state empowers you to SELECTIVELY disclose PARTS of your sensitive health data, NOT ALL OR NONE. No one should be forced to give up privacy to benefit from data exchange.

Great consent and segmentation technologies exist and should be required for all data exchange so we can exchange ONLY the information we want to disclose. (See the video of the Consumer Choices Technology Hearing in DC where 7 consent and segmentation technologies were demonstrated LIVE: http://nmr.rampard.com/hit/20100629/default.html. See the transcript of the Hearing and written testimony about the 7 privacy-enhancing technologies at: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=2833&PageID=19477#062910)

Do you know whether YOUR state is selling or giving hospital data away? (SEE story here). Quotes from the story:

Buyers may order one of two versions of the hospital-patient files:

  • Research version — contains complete personal information including date of birth, age in years, and start and end dates of hospital care. To purchase data in the research file, applicants must describe their “research project,” identify themselves as one of 10 organization types (including university; managed care insurer; governmental entity, pharmaceutical, biotechnology or medical product firm; trade group or lobby; and research organization consultant), and select each data field they want. Each application is reviewed by a DSHS committee, which must approve it before the applicant can obtain the data.
  • De-identified version — For this version DSHS has removed some but not all personal information…DSHS removes the patient’s dates of admission and discharge from the hospital, but leaves in diagnoses, surgeries, and payment information. The patient’s gender and full zip code appear in most cases. A five-year age range is substituted for the patient’s exact age (some children’s ages appear in shorter ranges, such as “1-4,” “15-17”) and the street address is removed. Patient county, state, race and ethnicity are listed.

Texas officials imagine that simply taking names, parts of addresses, etc off our health data means that our records cannot be traced back to us. WRONG!

It is extremely easy to re-identify what they call “de-identified” information. Making health data IMPOSSIBLE to re-identify is extremely difficult; solutions which make it impossible to re-identify data have not been proposed.
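One concrete form of the pre-release test this page calls for (the “adversarial challenge” criterion above, applied to the fields the Texas de-identified version keeps) is to count how many records are unique on the remaining quasi-identifiers and whether coarsening a field raises the smallest group size. This is an added example, not code from Patient Privacy Rights or DSHS; the field names and every record are constructed for illustration.

```python
"""Quasi-identifier uniqueness check for a de-identified hospital extract.

Added example (not from the page or DSHS). It measures how many records
in a release are unique on the fields the Texas de-identified file keeps
(gender, full zip code, age range, race, county), and whether the file
meets a k-anonymity threshold: every quasi-identifier combination must
be shared by at least k records. All records below are constructed.
"""
from collections import Counter

# Constructed sample rows; field names are assumptions for illustration.
RECORDS = [
    {"gender": "F", "zip": "78701", "age_range": "30-34", "race": "W", "county": "Travis", "dx": "J18"},
    {"gender": "F", "zip": "78701", "age_range": "30-34", "race": "W", "county": "Travis", "dx": "K35"},
    {"gender": "M", "zip": "78701", "age_range": "30-34", "race": "W", "county": "Travis", "dx": "I21"},
    {"gender": "M", "zip": "78705", "age_range": "30-34", "race": "W", "county": "Travis", "dx": "E11"},
    {"gender": "F", "zip": "79901", "age_range": "15-17", "race": "H", "county": "El Paso", "dx": "F32"},
    {"gender": "F", "zip": "79901", "age_range": "15-17", "race": "H", "county": "El Paso", "dx": "J45"},
]
QUASI_IDS = ("gender", "zip", "age_range", "race", "county")


def class_sizes(records, quasi_ids=QUASI_IDS, zip_digits=5):
    """Count how many records share each quasi-identifier combination.
    zip_digits < 5 generalizes the zip code, a common mitigation."""
    def key(r):
        return tuple(r[f][:zip_digits] if f == "zip" else r[f] for f in quasi_ids)
    return Counter(key(r) for r in records)


def risk_report(records, zip_digits=5):
    """Smallest group size (k) and how many records stand alone."""
    sizes = class_sizes(records, zip_digits=zip_digits)
    unique = sum(1 for n in sizes.values() if n == 1)
    return {"k": min(sizes.values()), "unique_records": unique,
            "unique_fraction": unique / len(records)}


def passes_challenge(records, k_min, zip_digits=5):
    """True only if no quasi-identifier group is smaller than k_min."""
    return risk_report(records, zip_digits)["k"] >= k_min


if __name__ == "__main__":
    print("full zip:", risk_report(RECORDS))
    print("3-digit zip:", risk_report(RECORDS, zip_digits=3))
```

With the full zip code two of the six constructed records are unique, so the file fails a k=2 challenge; truncating the zip to three digits merges them into a group of two. A k threshold alone does not cover outside information linked through the diagnosis and payment fields the page says remain, which is why the page also asks that patients be told the residual risk and consent.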

Unless we build consumer control over personal health information into state and national health IT systems, we will destroy everyone’s privacy and ensure generations of discrimination.

This kind of wholesale giveaway of Americans’ sensitive health information is an extremely serious problem. States and the federal government must address this BEFORE expanding today’s privacy-destructive health IT systems and data exchanges. Once sensitive health and demographic data is exposed, it’s too late. It can never be made private again.

Federal funds for HIE should be used to buy MODERN, privacy-protective technologies in every state. Unless we act NOW, the stimulus money IN YOUR STATE will be used to exponentially facilitate health information exchange, and facilitate the systemic collection, theft, sale, and misuse of sensitive health information.