Last month, a Texas online news site, the Austin Bulldog, published a lengthy investigative report on the sale and gifting of patient-level hospital data by the Texas Department of State Health Services.
Reporter Suzanne Batchelor’s remarkable story found that if you’re a Texan, your healthcare data can be given away or sold without your consent. And the Health Insurance Portability and Accountability Act, the main federal health information privacy law, won’t—or can’t—protect you.
In Texas, the health services department gathers claims data from hospitals by law—providers can be fined as much as $10,000 if they don’t hand it over. But the department isn’t a so-called “covered entity” as defined by HIPAA. So, the state isn’t covered under the HIPAA privacy rule if it does anything that would be a violation if performed by a data-providing hospital…
…The state knows the public-use data file is vulnerable. A user’s manual (PDF) contains this caveat: “It may be possible in rare instances, through complex analysis and with outside information, to ascertain from the PUDF the identity of individual patients. Considerable harm could result if this were done.”
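The manual's caveat describes what privacy researchers call a linkage attack: the public-use file has names and addresses stripped, but fields such as patient ZIP code, sex and age band survive, and joining those quasi-identifiers against an outside dataset that still carries names (a voter roll, a local news item about an accident) can single out one record. The following is an added example, not code from the article, the Austin Bulldog or the Texas DSHS; the records, names and field layout are constructed and hypothetical, chosen only to mirror the kind of fields a discharge PUDF keeps. It shows the join, measures k-anonymity (the smallest group of records sharing the same quasi-identifier values), and then re-runs the attack after the usual mitigation of truncating ZIP to three digits.

```python
"""Linkage attack against a de-identified hospital discharge file.

Added example on constructed data; not from the article or any real
Texas DSHS public-use data file.  Field names are hypothetical.
"""
from collections import defaultdict

# Quasi-identifiers: fields that are not names but, in combination, can
# still single out a person (hypothetical names for the PUDF columns).
QUASI_IDENTIFIERS = ("zip", "sex", "age_band")

# Constructed "public-use" records: direct identifiers removed, quasi-identifiers kept.
PUDF = [
    {"record_id": "A1", "zip": "78701", "sex": "F", "age_band": "30-34", "diagnosis": "J18.9"},
    {"record_id": "A2", "zip": "78701", "sex": "M", "age_band": "60-64", "diagnosis": "I21.9"},
    {"record_id": "A3", "zip": "78701", "sex": "M", "age_band": "60-64", "diagnosis": "E11.9"},
    {"record_id": "A4", "zip": "78702", "sex": "F", "age_band": "45-49", "diagnosis": "S72.0"},
    {"record_id": "A5", "zip": "78745", "sex": "M", "age_band": "25-29", "diagnosis": "K35.8"},
    {"record_id": "A6", "zip": "78745", "sex": "F", "age_band": "30-34", "diagnosis": "O80"},
]

# Constructed "outside information": names with the same quasi-identifiers,
# as a voter-roll extract or a news story would supply.
OUTSIDE = [
    {"name": "Maria Garcia", "zip": "78701", "sex": "F", "age": 32},
    {"name": "Robert Hill", "zip": "78701", "sex": "M", "age": 61},
    {"name": "Dana Lee", "zip": "78702", "sex": "M", "age": 40},
]


def age_band(age: int) -> str:
    """Five-year band matching the PUDF's banding, e.g. 32 -> '30-34'."""
    lo = age - age % 5
    return f"{lo}-{lo + 4}"


def equivalence_classes(records):
    """Group records by their quasi-identifier tuple; a group's size is its k."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in QUASI_IDENTIFIERS)].append(rec)
    return groups


def k_anonymity(records) -> int:
    """Smallest equivalence class in the file; k == 1 means some record is unique."""
    return min(len(group) for group in equivalence_classes(records).values())


def link(pudf, outside):
    """Join outside records to PUDF rows on the quasi-identifiers.

    Only one-to-one matches count as re-identifications; a person whose
    quasi-identifiers match several records cannot be pinned to one row.
    """
    classes = equivalence_classes(pudf)
    hits = {}
    for person in outside:
        key = (person["zip"], person["sex"], age_band(person["age"]))
        candidates = classes.get(key, [])
        if len(candidates) == 1:
            hits[person["name"]] = candidates[0]
    return hits


def generalize_zip(records, digits: int = 3):
    """Copy of records with ZIP truncated to `digits` digits (a common mitigation)."""
    return [{**rec, "zip": rec["zip"][:digits]} for rec in records]


if __name__ == "__main__":
    print("k-anonymity of raw file:", k_anonymity(PUDF))
    for name, rec in link(PUDF, OUTSIDE).items():
        print(f"{name} -> record {rec['record_id']} (diagnosis {rec['diagnosis']})")
    g_pudf, g_outside = generalize_zip(PUDF), generalize_zip(OUTSIDE)
    print("after ZIP generalization: k =", k_anonymity(g_pudf),
          "links =", link(g_pudf, g_outside))
```

On the constructed data the raw file has k = 1 and the join re-identifies Maria Garcia (the only 30-34 female in 78701), while Robert Hill matches two records and stays ambiguous. Truncating ZIP to three digits breaks that particular link, but the file's k is still 1 because other records remain unique on sex and age band alone, which is why the manual's "rare instances" wording should be read as a statement about the attacker's outside data, not as a guarantee.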