There’s a hot new commodity on the market: individuals’ medical records, available literally for pocket change. It’s not only legal, but it’s a thriving industry.
In fact, McKinsey & Co. forecasts that the trade in medical data will be a $10-billion annual industry by 2020, driven largely by health agencies’ conversion to electronic medical records to save the cost, time and space needed to manage and store paper.
Those who buy and sell the data claim that it’s been “anonymized” — stripped of all personal identifying information, leaving only the medical details. But privacy hawks are demonstrating how easy it is to attach these anonymized case files to individuals by name, using nothing more than a newspaper and a few clicks of a computer mouse.
Who’s peddling the details of your hospitalization for depression or your spouse’s hemorrhoid surgery? Mostly, public health agencies.
In September 2012, the government of England threw open the archives of the National Health Service. Prime Minister David Cameron declared it “a waste” not to be mining the aggregated statistical data of health care records. In the U.S., states are exempt from the federal Health Information Privacy and Accountability Act — HIPAA — passed in 1996. Your doctor and insurance company are forbidden to release your health records to the public, but states can and do: Arizona, New Jersey, New York, Tennessee and Washington are among the states hawking their residents’ medical data. The National Association of Health Data Organizations reports that 37 states have mandated their health departments to scoop patient data from hospitals and 17 states collect case histories from physicians’ offices and clinics.
Those who buy the data often resell it to third parties, typically after having collated, refined, organized, combined or otherwise added value to it.
The motive is noble as well as practical. By selling the data to insurance carriers, drug companies, hospital chains and other private businesses, public agencies hope to improve care and trim costs. For example, if analysts show that 22 percent of Hospital One’s knee-replacement patients have post-operative infections, but only 3 percent do at Hospital Two, then One can learn something from Two. Health care becomes more competitive. Patients are happier, insurance companies face fewer claims, and the cost of care goes down.
The idea is proving its value. Utah has had one of the lowest rates of Cesarean births in the U.S., but researchers used aggregated case data to show that rural hospitals had four times the rate of C-sections than did urban care centers. Interviewing doctors and administrators, state officials found that rural obstetricians often lacked the expertise to handle tricky deliveries, so Cesareans became a way to avoid risk. The problem: C-sections are more dangerous to mother and infant and can cost twice as much or more as natural births.
Now the state has built telecommunications links that allow rural hospitals to consult specialists in large medical centers who guide them through difficult cases. As a result, the number of rural C-sections has fallen, as have costs, while patients’ satisfaction with services has risen.
Privacy vs. cost benefits
But these benefits come at the risk of losing personal privacy. Latanya Sweeney, while a graduate student in computer science at Carnegie Mellon University, proved the point.
In 1997, the Massachusetts Group Insurance Commission decided to make state employees’ hospitalization records available to researchers at no charge. The commission required that, before being released, all personal identifiers be removed from the data. Personal privacy was preserved, the commission declared.
Sweeney wasn’t satisfied. She paid $20 for the supposedly anonymized data set, dug in, and produced the individual medical record of William Weld, Massachusetts’ governor at the time, who recently had been hospitalized after collapsing at a public event. The record she retrieved even included his diagnosis and prescriptions. Graciously, she didn’t release the records publicly but simply gave them to the governor to emphasize how thoroughly the commission’s vaunted privacy protections had failed.
Critics give her achievement a grudging nod but argue that Sweeney performed her feat before HIPAA’s “safe harbor” standards took effect. These standards mandate that 17 unique identifiers, from e-mail addresses to vehicle license plate numbers, be removed from individual medical records before they’re released. A University of Chicago study found that when the safe harbor standards were observed, only two individuals could be identified out of 15,000 separate medical records.
But, in many cases, those standards have been ignored. Exempted from HIPAA, most states at first observed less stringent rules — and there are still people like Sweeney, now director of Harvard University’s Data Privacy Lab, prowling through the world of information.
In 2011, in a project for Bloomberg News, she scoured newspapers until she found the word “hospitalized.” She opened the article and found the name, age, and town of residence of a man involved in a motorcycle accident in Washington state. On the Internet, she found his address and zip code. The data allowed her to match the accident victim’s name to his medical record in an anonymized batch that she’d bought for $50 from the state’s health department. In all, Sweeney was able to put names to 35 of the 81 medical cases in the data set. She says the odds are strong that she can put a name to any medical record if she has a person’s name, zip code, and date of hospitalization; moreover, after sifting 1990 census data, she claimed that 87.1 percent of U.S. residents can be identified by a determined snoop using only a person’s zip code, birth date and gender.
Denise Love, executive director of the National Association of Health Data Organizations, points out that Washington state stiffened its privacy controls after the incident and that virtually every state now either complies with HIPAA’s safe harbor rules or has instituted its own, more stringent policies. “But those in our industry are never comfortable with the privacy protections we have,” she adds. “We’re always looking for something better.”
No stopping the data train
This tension between personal privacy and the relentless hunger for medical data can’t be resolved: the bits of data essential to researchers are the same data that allow peepers to find us. However, that tension can be eased.
Some argue for controls that would limit the amount of data any single entity could possess or the number of times a data set could be sold, and recommend buyers be banned from re-selling data to third parties; private encryption schemes could be shared between buyer and seller but not others; and harsh sanctions might be imposed on hackers and “re-identifiers.” Sweeney has designed a mathematical computer algorithm she’s dubbed “k-anonymity” that flummoxes would-be re-identifiers without compromising the usefulness of the data to researchers.
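To make the k-anonymity idea concrete, here is a small added illustration (not Sweeney’s code or any state agency’s tooling) that measures how many rows in a constructed “de-identified” release share the same zip code, birth date and sex, and then coarsens those three fields step by step until every combination is shared by at least k rows. The records and the generalization ladder are invented for the example.

```python
from collections import Counter

# Constructed sample of a "de-identified" hospital release: names are gone, but the
# quasi-identifiers the article describes (zip code, birth date, sex) remain.
RECORDS = [
    {"zip": "98101", "dob": "1971-03-04", "sex": "M", "diagnosis": "fracture"},
    {"zip": "98101", "dob": "1971-03-04", "sex": "M", "diagnosis": "concussion"},
    {"zip": "98102", "dob": "1986-11-30", "sex": "F", "diagnosis": "appendicitis"},
    {"zip": "98103", "dob": "1985-07-19", "sex": "F", "diagnosis": "depression"},
    {"zip": "98105", "dob": "1985-07-22", "sex": "F", "diagnosis": "asthma"},
]
QUASI = ("zip", "dob", "sex")
# Assumed generalization ladder, coarsest last: (zip digits kept, birth-date precision).
LEVELS = [(5, "day"), (3, "year"), (3, "decade"), (0, "decade")]

def quasi_key(rec):
    return tuple(rec[f] for f in QUASI)

def class_sizes(records):
    """How many rows share each quasi-identifier combination."""
    return Counter(quasi_key(r) for r in records)

def k_of(records):
    """Size of the smallest equivalence class: the k the release actually achieves."""
    sizes = class_sizes(records)
    return min(sizes.values()) if sizes else 0

def singletons(records):
    """Rows whose combination is unique: one outside fact (a news item) ties them to a name."""
    sizes = class_sizes(records)
    return [r for r in records if sizes[quasi_key(r)] == 1]

def generalize(rec, zip_digits, dob_precision):
    """Copy with zip truncated and birth date coarsened; the medical fields stay intact."""
    g = dict(rec)
    g["zip"] = rec["zip"][:zip_digits] + "*" * (5 - zip_digits)
    year = rec["dob"][:4]
    g["dob"] = {"day": rec["dob"], "year": year, "decade": year[:3] + "0s"}[dob_precision]
    return g

def anonymize(records, k):
    """Walk the ladder until every class has at least k rows; None if never reached."""
    for level, (zd, dp) in enumerate(LEVELS):
        out = [generalize(r, zd, dp) for r in records]
        if k_of(out) >= k:
            return out, level
    return None
```

On this sample the raw release has three uniquely identifiable rows; k=2 is reached only after zips are cut to three digits and birth dates to a decade, and k=3 is never reached, which is the trade-off between privacy and research value the article describes.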
But neither technology nor other humans can guarantee the privacy of your medical history. The best advice: if you see a doctor or enter a hospital, guard your medical data like you guard your credit cards.