Assault on Medical Privacy

Current indications suggest that the health IT requirements in the new federal health law will be combined with state initiatives to make medical privacy a quaint historical notion. Which raises an essential question—at what point does lying to your doctor make sense given that your medical history and your identity are an open book?

The Commonwealth Fund, AcademyHealth, and the Robert Wood Johnson Foundation are funneling money to efforts to convince state governments to pass laws requiring that all health care providers provide data to state run databases on every health care transaction. The goal is the creation of electronic records that can be used to track the type of medical care provided to each patient and the health behaviors of those judged to need oversight. These state efforts will be the building blocks for the ObamaCare electronic medical records system.

The private funders have been crucial in creating the appearance of legitimacy for the effort to create electronic health records systems. In Colorado, the current all-payer database bill, House Bill 10-1330, even explicitly directs the state to seek private funding to create a database that will:

Put health privacy at risk. Colorado state government will have access to all health information, including medical records, for any health service, whether or not it is publicly paid for. The authority will be authorized to share that information with any third party it wishes. It may also audit providers whenever it wishes, ostensibly to ensure data accuracy. No one may opt out of the database.

Impose fines on those who do not submit required data. Those fines are set by government officials and are not limited by the proposed statute.

Collect data without any legal requirement to protect it or any consequences for improper disclosure. Though the proposed Colorado all-payer claims database law says that the data will be held securely, the legislation neither defines secure nor provides for any redress in the event that the data are disclosed. It also specifies that the data may be widely shared. Widely distributing data compromises security, and previous state promises of secure data storage have proven to be little more than empty rhetoric. In one 2006 case, the State of Colorado lost “secure” personal data on 1.4 million people. Employers had been required to report those data to the state’s Directory of New Hires, a “centralized, confidential, and secure repository responsible for receiving new hire data reported by employers in the State of Colorado.” That rhetoric became empty when thieves stole a desktop computer from a state contractor. The contractor was processing child support payments. The computer had the new hire records on it.

Collect data that is not protected by the privacy provisions of federal law. Supporters of indiscriminate health data collection mendaciously claim that HIPAA will protect medical privacy. HIPAA was designed to protect against disclosures by private providers. It has large exceptions for the disclosure of personal health information [PHI] to government, and it specifically allows the disclosure of personal health information when state law requires it for public health purposes. A CDC report instructs that “Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local,” and that “Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.” Public health activities are very broadly defined, and disclosure does not have to be authorized.

Allow private funders to build and control the database and the data in it. The funders are unknown, but as the database will be created only if “sufficient funding is received through gifts, grants, and donations,” it is likely that both non-profits with an agenda and rent-seeking businesses will be the primary source of funding and, therefore, exert significant control over the collection and disposition of private medical information.

The proposed statute stipulates that an administrator be appointed to determine the content, structure, and reporting requirements for the database. The legislation leaves the administrator free to contract with third parties as necessary, to share the data regionally, and to make recommendations for future statutory changes.

The fiscal note, the document that is supposed to discuss the effect a piece of legislation has on the Colorado state budget, is about as reliable as the estimates of the cost of federal health care reform. It states that the database is cost-free, and has the temerity to officially assert that the database will result in “potential increase in funding from all sources.”

Collect information without protecting personal identities. The content of the proposed legislation makes it crystal clear that the database information is intended for use in tracking the medical care provided to individuals for the “continuous review of health care utilization, expenditures, and quality and safety performance in Colorado.”

Even assuming that reliable metrics for evaluating medical quality and safety exist and have been extensively tested, which they don’t and haven’t, when the detailed data on individuals required for the proposed “continuous review” are combined with known techniques of data mining and behavioral surveillance, there is no known way to protect personal identities.

As Professor Paul Ohm of the University of Colorado Law School puts it, “data can either be useful or perfectly anonymous but never both.” Sincere efforts to avoid disclosure would require using disclosure avoidance techniques. But those techniques require altering the data available for analysis, which would likely compromise the data’s analytical value. As J. Trent Alexander, Michael Davern, and Betsey Stevenson have shown, even the Census Bureau wrestles with, and has failed to solve, this problem.

Their February paper showed that Census Bureau disclosure avoidance techniques introduced errors into the Census, Current Population Survey, and American Community Survey public use microdata samples that render them unfit for certain statistical analyses. They conclude that “Until a solution is devised, researchers should not use the affected sample to conduct analyses that assume a representative sample of the population by age and sex for people ages 65 and older.”

Any statistical evaluation of appropriate treatments, safety, cost, and quality, will require a great deal more information than even the Census Bureau collects. Researchers would need individual health information that, to start with, includes information on age, sex, height, weight, race, marital status, family status, medical history, comorbid conditions, health habits, geographic location, occupation, employment, medications, and compliance with existing health recommendations.

This level of detail makes matching an individual with his health record straightforward even if facile promises to encrypt social security numbers are carried out. The insouciant tone of the proposed legislation suggests that its authors are heedless of the fact that their proposal eliminates individual medical privacy, and that privacy violations cause real, significant, and irreparable harm.
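The point in the preceding paragraphs (that hashing or encrypting the social security number does nothing about the other fields, and that disclosure avoidance buys anonymity only by destroying analytical value) can be measured rather than asserted. The Python below is an added illustration, not part of the original post and not code from Colorado, the funders, or the Census Bureau. It builds a small constructed claims table, replaces the SSN with a SHA-256 digest, and computes k-anonymity over the remaining quasi-identifiers (age, sex, ZIP, occupation): every row is unique, so someone who already knows those four facts about one person recovers that person's diagnosis. It then applies a typical disclosure-avoidance step (10-year age bands, 3-digit ZIP prefixes, dropping occupation) and shows that k rises to 2 while an analysis that needs exact ages stops working. All names, values, and column choices are constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample claims rows; every value is made up for this illustration.
RECORDS = [
    {"ssn": "111-11-1111", "age": 42, "sex": "F", "zip": "80302", "occupation": "teacher",  "diagnosis": "asthma"},
    {"ssn": "222-22-2222", "age": 42, "sex": "F", "zip": "80302", "occupation": "nurse",    "diagnosis": "diabetes"},
    {"ssn": "333-33-3333", "age": 45, "sex": "M", "zip": "80303", "occupation": "engineer", "diagnosis": "hypertension"},
    {"ssn": "444-44-4444", "age": 47, "sex": "M", "zip": "80304", "occupation": "engineer", "diagnosis": "depression"},
    {"ssn": "555-55-5555", "age": 61, "sex": "F", "zip": "80301", "occupation": "retired",  "diagnosis": "arthritis"},
    {"ssn": "666-66-6666", "age": 63, "sex": "F", "zip": "80305", "occupation": "retired",  "diagnosis": "arthritis"},
]

# Fields an outsider can plausibly learn about a person from other sources.
QUASI_IDS = ("age", "sex", "zip", "occupation")


def pseudonymize(record):
    """Replace the SSN with a SHA-256 digest; every other field is left intact."""
    out = dict(record)
    out["ssn_hash"] = hashlib.sha256(record["ssn"].encode()).hexdigest()
    del out["ssn"]
    return out


def equivalence_classes(records, quasi_ids):
    """Count the rows sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest class size; k == 1 means at least one person is unique in the table."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_count(records, quasi_ids=QUASI_IDS):
    """How many rows are the only row with their quasi-identifier combination."""
    return sum(1 for n in equivalence_classes(records, quasi_ids).values() if n == 1)


def reidentify(records, known, quasi_ids=QUASI_IDS):
    """Rows consistent with what is already known about one person (the hash is irrelevant)."""
    return [r for r in records if all(r[q] == known[q] for q in quasi_ids)]


def generalize(record):
    """A disclosure-avoidance step: 10-year age bands and 3-digit ZIP prefixes."""
    out = dict(record)
    decade = record["age"] // 10 * 10
    out["age"] = f"{decade}-{decade + 9}"
    out["zip"] = record["zip"][:3] + "xx"
    return out


def mean_age_by_occupation(records):
    """An analysis that needs exact ages; returns None once ages are banded."""
    totals = {}
    for r in records:
        if not isinstance(r["age"], int):
            return None
        s, n = totals.get(r["occupation"], (0, 0))
        totals[r["occupation"]] = (s + r["age"], n + 1)
    return {occ: s / n for occ, (s, n) in totals.items()}


PSEUDONYMIZED = [pseudonymize(r) for r in RECORDS]
GENERALIZED = [generalize(r) for r in PSEUDONYMIZED]

if __name__ == "__main__":
    print("k after hashing SSN:", k_anonymity(PSEUDONYMIZED), "unique rows:", unique_count(PSEUDONYMIZED))
    known = {"age": 42, "sex": "F", "zip": "80302", "occupation": "nurse"}
    print("rows matching outside knowledge:", [r["diagnosis"] for r in reidentify(PSEUDONYMIZED, known)])
    print("k after generalizing, occupation kept:", k_anonymity(GENERALIZED))
    print("k after generalizing, occupation dropped:", k_anonymity(GENERALIZED, ("age", "sex", "zip")))
    print("exact-age analysis on generalized data:", mean_age_by_occupation(GENERALIZED))
```

The hash step is deliberately shown as useless on its own: it changes nothing the `reidentify` function looks at. Raising k to 2 required both coarsening two columns and discarding a third, and with it the occupation-level analysis that the "continuous review" in the bill would presumably want; on a real table with the dozen-plus attributes listed above, reaching even a modest k would require far more coarsening.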

On March 1, 2009, for example, the Daily Record reported that the UK’s Emergency Care Summary System had been hacked. Records containing names, ages, addresses, current medications, and adverse reactions to prescribed medications were stolen. The stolen files contained information on British Prime Minister Gordon Brown.

In reviewing the use of large, detailed, government and commercial databases for finding terrorists, a report from the National Academies finds that existing law is inadequate to protect privacy in “the context of information-based programs” like data mining. It recommends that programs using data about individuals first be extensively tested using synthetic population data, that any proposed data collection technique and use be deployed in phases, that robust independent oversight be provided, and that meaningful redress be provided to any individuals inappropriately harmed by their operation.

The slapdash approach to personal data collection and use embodied in this legislation, and in health IT policy in general, fulfills none of these requirements.

Comments (3)


  1. Devon Herrick says:

    A recent survey suggests patients are less than forthcoming when they believe their medical records are being shared with outsiders.

    About 15 percent of respondents said they would conceal information from their doctor, while one-third would consider withholding information.

    The information they would withhold includes: their exercise habits (13%), eating habits (9%), smoking (7%), drinking (7%), illegal drug use (4%) and unprotected sex (4%).

  2. monkeywrench says:

    An end to health privacy, fines for those who don’t comply, no accountability for those who collect the data against our will, as well as no protections or guarantees for those whose data is coercively collected? No thanks, I’d rather practice freedom!

  3. Vicki says:

    This is scary.