Medical Privacy Under Threat in the Age of Big Data

Monday, August 17, 2015

By Farai Chideya

“I didn’t understand the issue of medical privacy. It sounded abstract,” says Deanna Fei, author of the new book Girl in Glass, which covers the premature birth of her daughter Mila and an ensuing storm over medical privacy and ethics. Now she says firmly, “This is an issue of civil rights and social justice. Without the right to medical privacy, ordinary Americans can’t keep information from being used against them.”
Fei’s most intimate story is now public knowledge. A recap: When she went into labor after only five and a half months of pregnancy, she didn’t know if her baby would live or die. She was in pain, bleeding, rushing in a cab to the hospital; and, later, she was staring at the bruised skin of her less than 2-pound daughter, who was too fragile to touch. As baby Mila grew into a healthy one-year-old, a new blow fell. The CEO of AOL, Tim Armstrong, blamed a forthcoming benefits cut on the costs of two “distressed babies” born to employees. One of the employees was Fei’s husband, whose insurance covered the family. People at work started asking him if the comments referred to his family. So Fei decided to speak out. “When I came forward, we were afraid. I was speaking out against my husband’s boss, who runs a powerful company,” she says. “But I just felt it was imperative to speak up to defend my daughter’s basic humanity. I also came to see that to single out any individual for their expenditures undermines the principle of health insurance.” After an uproar, Armstrong quickly apologized and reversed his decision on benefits.
But the episode underscored just how insufficient the existing protections are for individual privacy in the medical realm. Under the Health Insurance Portability and Accountability Act (HIPAA), it’s illegal for health plans and some other entities to reveal medical information about those insured or treated. CEO Armstrong didn’t name names … but they were easily deduced by many employees. If AOL self-insures (which as a large corporation it’s likely to, but will not publicly confirm), then it is considered a health care provider subject to HIPAA. Many medical and legal experts considered Armstrong’s action unethical and possibly a violation of existing medical privacy law. The Office for Civil Rights at the Department of Health and Human Services, which is in charge of investigating violations, would only say, “As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations.”
Medical privacy is a high-stakes game, in both human and financial terms, given the growing multibillion-dollar legal market for anonymized medical data. IMS Health Holdings, for example, acquires data from pharmacies and sells it to biotech and pharmaceutical firms. After looking into its filing to become a public company, ProPublica found IMS’s “revenues in 2012 reached $2.4 billion, about 60 percent of it from selling such information.” Medical data-mining firms claim that this is all harmless because the data is truly anonymous, but their case is not airtight by any means. For example, Latanya Sweeney of Harvard’s Data Privacy Lab bought commercially available data and de-anonymized it by cross-referencing the dates of medical events with local news events and public records. She found that a man publicly identified as a missing person was diagnosed with pancreatic cancer and had attempted suicide, for example. A few of the people she identified chose to speak publicly, including retired Vietnam veteran Ray Boylston, who had his bladder removed after a severe motorcycle crash. “I feel I’ve been violated,” he told Bloomberg Businessweek.
There’s also the risk that medical records will be breached by hackers, or in some cases, by workers manually printing files. When Greg Virgin, CEO of the security firm RedJack, gave NPR a “tour” of sites selling stolen data, he found a bundle of 10 Medicare numbers selling for 22 bitcoin, or $4,700 at the time. General medical records sell for several times the amount that a stolen credit card number or a social security number alone does. The detailed level of information in medical records is valuable because it can stand up to even heightened security challenges used to verify identity; in some cases, the information is used to file false claims with insurers or even order drugs or medical equipment. Many of the biggest data breaches of late, from Anthem to the federal Office of Personnel Management, have seized health care records as the prize...
Get the full story at The Intercept.
https://firstlook.org/theintercept/2015/08/06/how-medical-privacy-laws-leave-patient-data-exposed/
