HIPAA: The Data Miner's Dream

MDNG Psychiatry, October 2007, Volume 9, Issue 8

Recent media coverage has raised awareness of a variety of our healthcare system's problems and shortcomings. Increased exposure is often the first step in finding solutions.

Recent media coverage has raised awareness of a variety of our healthcare system’s problems and shortcomings. Increased exposure is often the first step in finding solutions. However, the most destructive force in our health system hasn’t yet made it to the front page. By stripping Americans of the right to control access to their electronic medical records, HIPAA is destroying our children’s and grandchildren’s futures. You may think that the HIPAA Privacy Rule actually protects privacy, but the truth is sobering. One single sentence in the 2002 Amended HIPAA Privacy Rule effectively eliminated privacy by “replacing” a patient’s right of consent. The Final Modifications to the Privacy Rule document in the Federal Register states “The consent provisions [in the previous version of HIPAA]… are replaced with a new provision… that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, healthcare operations.”

We should call the HIPAA Privacy Rule what it really is: the “Exposure Rule.” The changes to HIPAA opened up the nation’s electronic health records to surveillance, snooping, unwanted uses, and disclosure by more than four million “covered entities,” including employers, financial institutions, insurers, schools, government agencies, and all of their business associates. Most of the public and the media aren’t even aware of this, and don’t realize the impact of the sentence that wiped out 2,400 years of medical ethics embodied in the Hippocratic Oath, and more than 200 years of strong privacy-protective American laws.

According to HIPAA, stronger privacy-protective state laws, common law, Constitutional law, the physician— patient privilege, and medical ethics are supposed to prevail over HIPAA. But our health data is so unbelievably valuable, most existing technology was designed as if we have no privacy rights. Today, doctors won’t treat patients unless they sign Privacy Notices that violate medical ethics and expose their records to the world. Worse, the current administration and some members of Congress are pretending that HIPAA is still an adequate privacy standard for the nation, even though it was gutted in 2002.

The problem is that covered entities and all of their business associates can use the data in health records to discriminate against everyone who gets sick. Data mining generates untold billions in revenues, but not one dime goes to help a single sick person. For the first time in our nation’s history, our health records may be regularly accessed and disseminated without our consent for all “routine” uses under HIPAA (defined as treatment, payment, and healthcare operations). This may sound reasonable until you realize that entities holding our sensitive personal health information can unilaterally decide to use it, and we cannot object or refuse access.

Any covered entity holding our health records has the right to determine— without consent and without reporting to anyone—the uses of our data that constitute “healthcare operations.” Even worse, there is no way for us to even find out what they are doing, because audit trails are not required for “routine” uses of personal health Data Mining and Personal Health Information IMS Health and Verispan LLC sell the nation’s most current prescription records daily to insurers and the pharmaceutical industry. IMS Health reported revenues of $1.75 billion dollars in 2005. Verispan LLC is privately owned, so its revenues are unknown. Blue Cross Blue Shield set up the Blue Health Initiative last year to sell the medical and claims data on all 79 million Blue Cross enrollees to large employers to help them reduce their costs. Thomson Medstat also sells the data of millions of patients, including Medicare and Medicaid data, to large employers and drug companies.

Researchers, state and federal agencies, law enforcement, public health, prescription-switching companies, pharmacy benefits managers, technology vendors, data aggregators and data miners, hospital corporations, the transcription industry, and even data management corporations also use and sell our sensitive health data. There is no way to tell how many corporations and government agencies are accessing our PHI, because virtually all of these databases are secret, and we have no notice of their existence or chance to opt-out. As we receive care from many different specialists and institutions, our records are scattered in multiple locations. There is widespread agreement that having our records immediately available when needed will save lives, improve the efficiency and quality of medical care, save money, and revolutionize research. Electronic records can offer far stronger privacy protections than would ever be possible with paper systems. But making the transition to electronic health records (EHRs) will exponentially increase the risk of harm to everyone from rampant abuses of privacy unless we control access to our records.

Potential Solutions

Thankfully, there are straightforward and inexpensive technical solutions to restore privacy and gain the life-saving benefits of electronic health records: community health record banks and independent consent management tools. Health record banks can serve as designated agents to store and safeguard a complete copy of our medical records and make them available (in full or in part) solely as we direct. This approach would require institutions (I envision many health record banks competing for patients’ business) to hold the records (as opposed to having each person hold his or her own records) to allow for worldwide immediate availability of health records, coupled with ironclad computer security to protect against unauthorized disclosures and hackers.

Under such an arrangement, whenever patients receive care, their prior records would be available (with their permission) from the health record bank, and the new information generated could be deposited in their account. Health banks must be federally regulated to ensure that they operate in a safe, effective, and trustworthy manner. Regulation must first reinforce patient control—for both primary and secondary use of health records. Health banks must have state-of-the-art security and undergo regular independent audits—with serious penalties for violations. Community non-profit organizations and legislation can set up the regulations.

With health record banks, the immense value of aggregated medical data for research and public health could be unlocked. With informed consent, patients’ data could be included in statistical compilations without ever being released from the bank. Health banks could (and should) operate like the census bureau, which doesn’t release data, but runs the research and queries on the data, releasing only the results. Finally, it would be safe to conduct research and post-market surveillance of drugs and devices through a health bank without compromising our futures or our children’s futures because others would not be able to learn about familial illnesses or genetic vulnerabilities.

Any fees paid for the use of data would be shared by the bank and its customers. Also, patients could be notified about any clinical trials without the sponsors of the trial knowing their identity. Independent consent management tools would give us the power to move our PHI where we want it, at the right time, to the right person, for the right reasons. We would be able to define and manage in one place our consents regarding who can access or use our PHI, instead of setting up consents at every site of our interaction with the healthcare system (physicians’ offices, hospitals, etc).

Every holder of our PHI—physicians, hospitals, labs, health plans, pharmacies, clinics, x-ray facilities, etc—would always have to check electronically with our consent management tools before using or releasing any of our health records. Independent consent management tools would enable us to set standing consents for data to automatically be received from all providers, create advance directives detailing what data is to be shared in emergencies, and allow us to control the flow of information down to single data fields. These tools would also enable us to set up role-based access to our information. Because the consent management tools are electronic, consents can be changed instantly. They would also provide us with complete audit trails of every access or disclosure, so that we will finally be able to know exactly who has seen which parts of our health records.

Most importantly, we need Congress to set the nation’s privacy standards and guarantee Americans a federal right to health privacy. Unelected bureaucrats and industry appointees working at the behest of HHS have no business determining the extent of Americans’ health privacy rights. Only the people we elect to Congress should have the right to alter or eliminate our fundamental constitutional rights to privacy.

Powerful privacy-enhancing technologies can make healthcare more private, safer, more effective, and less costly. But as we make the transition from paper to electronic health records, we must restore and strengthen the right to health privacy and to control access to our health records. Smart consumers who know their privacy is at stake will press for smart technology and smart laws. Help us educate the nation and press Congress to restore our privacy.

Deborah C. Peel, MD, is a practicing physician and national expert on medical privacy. She founded Patient Privacy Rights, a medical privacy watchdog organization, in 2004, to educate and empower Americans to preserve and protect their fundamental human and civil rights to medical privacy. Dr. Peel was recently named as number 4 on the list of the 100 Most Powerful People in Health Care by Modern Healthcare magazine.