By signing a privacy form at their doctor’s office, patients often assume their medical data is protected. In fact, it’s often redirected into a commercial market where data miners resell that information for marketing purposes.
The influx of computerized patient data has fueled this “health data bazaar” over the last decade, allowing wholesalers to buy and sell information collected from various medical sources, according to a report released by The Century Foundation. The practice is legal because patient data is stripped of any identifying information, which meets the privacy requirements outlined under the Health Insurance Portability and Accountability Act (HIPAA).
But even de-identified data is prone to serious privacy concerns, particularly as the number of data sources increases—including information generated from mhealth apps and the Internet of Things (IoT). According to the report, “re-identification” is emerging as a growing threat as cybersecurity concerns continue to plague the healthcare industry. A recent study found that despite privacy concerns, patients do not withhold information from their doctors.
“You can sell this data as long as it is anonymized to certain standards,” Adam Tanner, author of The Century Foundation report and author of the new book, “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records,” said in a Q&A with the Associated Press.
"However, since the U.S. rules were written decades ago, the ability to gather huge amounts of data and compare it has grown greatly. It means that clues from different aspects of your medical treatments may make it possible for outsiders to figure you out," Tanner added.
Tanner said HIPAA needs to broaden its protections of patient data to cover all health information rather than just data that is individually identifiable. Beyond policy changes, he advocated for patients to reclaim control over how their medical information is viewed or shared in any capacity.
Interoperability and data sharing has been a key focal point for the federal government, although President Barack Obama recently said efforts to digitize patient records have “proven to be harder than we expected.” Others, like Partners HealthCare’s Joseph Kvedar, said the privacy risks of data sharing are worth the reward.