Several states are reviewing how information from public health agencies is used when it is sold to data miners after Bloomberg research found that patients could be reidentified with just a few pieces of information.
Bloomberg reporter Jordan Robertson worked on the research with professor Latanya Sweeney, director of the Data Privacy Lab at Harvard University, who earlier demonstrated that just three pieces of information--ZIP code, date of birth and gender--can be paired with other publicly available information to identify anonymous participants in a public DNA database.
When sold, the records are stripped of identifying information such as name, address and date of birth, but patients can be identified using data such as postal code, age and admission and discharge dates when paired with news articles and other publicly available information.
Since the story came out in June, Washington state--site of some of the examples--has developed a confidentiality agreement that all buyers must now sign, according to the new story from Bloomberg.
What's more, Washington, Tennessee, Nevada and Arizona have begun privacy audits as a result of the research; California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already had reviews under way.
State public health agencies are exempt from HIPAA, while healthcare providers, insurers and their business partners are forbidden from disclosing such information. At least 26 states sell information that includes some identifiers, Bloomberg found--in Washington, the database brought just $50.
In follow-up, 18 states said they had made no policy changes and were not reviewing their practices.
With more health information than ever in digital form, various researchers have shown that "anonymous" research participants can be re-identified. Meanwhile, the U.S. Department of Health & Human Services' Office for Civil Rights has said there is no fail-safe method for de-identifying patient data.
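A release-side check for the exposure described above, as an added example that is not from the Bloomberg research or any state agency: it measures how many records are alone in their combination of ZIP code, age and admission and discharge dates (a k-anonymity audit, a standard measure the article does not name), then shows the effect of coarsening and suppression. The column names, the generalization rules and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of a "de-identified" discharge extract: no name, address
# or date of birth, but the quasi-identifiers the article names are still present.
SAMPLE_CSV = """zip,age,admit_date,discharge_date,diagnosis
98101,34,2011-03-02,2011-03-05,fracture
98101,34,2011-03-02,2011-03-05,asthma
98101,71,2011-03-02,2011-03-09,stroke
98052,34,2011-03-04,2011-03-05,burn
98052,35,2011-03-04,2011-03-05,fracture
98052,58,2011-03-10,2011-03-12,cardiac
"""
ROWS = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
QUASI_IDENTIFIERS = ("zip", "age", "admit_date", "discharge_date")


def group_sizes(rows):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in QUASI_IDENTIFIERS) for r in rows)


def audit(rows):
    """Return (k, unique): smallest group size, and number of records alone in their group."""
    sizes = group_sizes(rows)
    return min(sizes.values(), default=0), sum(1 for n in sizes.values() if n == 1)


def generalize(row):
    """Coarsen one record: 3-digit ZIP prefix, 10-year age band, admission month only."""
    decade = int(row["age"]) // 10 * 10
    return {**row, "zip": row["zip"][:3], "age": f"{decade}-{decade + 9}",
            "admit_date": row["admit_date"][:7], "discharge_date": ""}


def suppress(rows, k_min):
    """Withhold records whose quasi-identifier group has fewer than k_min members."""
    sizes = group_sizes(rows)
    return [r for r in rows if sizes[tuple(r[k] for k in QUASI_IDENTIFIERS)] >= k_min]


if __name__ == "__main__":
    coarse = [generalize(r) for r in ROWS]
    print("as released:", audit(ROWS))              # unique records remain
    print("generalized:", audit(coarse))            # fewer, but not zero
    print("suppressed :", audit(suppress(coarse, 2)))
```

On this sample, coarsening alone still leaves records that are unique in their group; only withholding those records brings every group to at least two, at the cost of dropping data.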