Sale of State Databases Puts Patient Info At Risk
Public health agencies exempt from HIPAA requirement to remove identifiers
Hospital data compiled by states and sold to researchers, marketers and others could be used to identify patients when combined with other publicly available information, according to a recently published investigation by Bloomberg. The year-long investigation found that public health databases can be paired with news stories and other information to identify patients.
Bloomberg reporter Jordan Robertson teamed up with professor Latanya Sweeney--director of the Data Privacy Lab at Harvard University--for the investigation. Sweeney recently revealed that just three pieces of information--Zip code, date of birth and gender--can be paired with other publicly available information to identify anonymous participants in a public DNA database.
HIPAA's privacy protections apply only to healthcare providers, insurers, billing and claims processors and their contractors, according to the article, while public health agencies remain exempt.
The investigation found that states often sell their databases to deep data miners serving the pharmaceutical industry. It pointed, in particular, to Washington, New York, New Jersey, Tennessee and Arizona. Buyers use the information to analyze hospital costs, prescription-drug use and to identify and recruit top-performing physicians.
HIPAA requires that identifiers such as age, Zip codes or admission and discharge dates be removed from discharge data. Yet more than 25 states release some combination of the three, according to the article.
In all, the Bloomberg team was able to identify 35 of 81 subjects of news stories that contained the word "hospitalization."
"All I have to know is a little bit about a person and when they went to a hospital, and I can find their medical record in this kind of data," Sweeney said. "The real takeaway is we can do better than this."
In addition to Sweeney's research, a team from Whitehead Institute for Biomedical Research in Cambridge, Mass., was able to identify nearly 50 men from public genomic data sets, leading to a call to better inform participants that their data--as well that of their relatives--might not be secure.
The U.S. Department of Health & Human Services' Office for Civil Rights has warned that neither the expert determination method nor the safe harbor method of de-identifying patient data is 100 percent effective.
To learn more:
- read the Bloomberg article
Anonymous research patients easily re-identified, Harvard researchers find
Patients can be ID'd in 'anonymous' public genetics databases
CIOs: Patient data segmentation will be one of HIPAA's biggest challenges
OCR: No fail-safe for de-identifying patient info
Thank You Fierce Health IT, Ms Hall, and Bloomberg
4th Amendment, US Constitution
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
"Nothing to see here folks, move along."