I received two very poorly “targeted” emails last week.
This has everything I love. Synergies, streamlining workflows, and also the fact that I’m not a healthcare institution.
They must see the irony in saying they respect privacy.
Hip, hip, HIPAA!
Apparently Facebook was thinking about working with hospitals to share patient data. As I watched Zuckerberg testify in front of Congress about the Cambridge Analytica debacle and how third-party data is used in other industries, I couldn’t help but think about HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 to protect sensitive healthcare data and enable patients to get their hands on their data. HIPAA has had some addendums since then, but technology seems to be far outpacing it.
For one, the point of “precision medicine” is to get more granular data about patients to better cater to their specific needs. To abide by HIPAA, organizations can’t send identifiable information such as name or address to non-covered entities (generally speaking, organizations that are not involved in a patient’s bills directly). But your health data is also getting so personalized that you might actually be able to use it to identify someone.
For example, your genome is unique to you and a valuable part of datasets used in research and clinical settings. But we’re learning more about how genes get expressed which might eventually help us identify who you are. We can already create an very general approximation of your face using your genome, which could get more specific over time.
Secondly, even if you send a deidentified dataset, breakthroughs in data science are slowly making it easier to re-identify individuals. We’ve seen multiple cases where this has been possible with existing deidentified datasets like your billing records, discharge records, voter registration information. While reidentification is still very tough now, connecting to other increasingly granular datasets might make it easier in the future.
Selling my body (data)
Technology breakthroughs aside, people are making money off of your deidentified data without you seeing any of that $$$! That’s been IQVIA’s historically lucrative business, and pharma companies pay quite a bit for this. Pfizer apparently pays $12M per year alone for this kind of data.
Maybe it’s time we revisit HIPAA and understand whether it’s still working as it was initially intended. New technology is making it harder to keep data private, so we can either make reidentification illegal or better manage WHO accesses that data. For example, we’re seeing a lot of companies planning to use blockchain to give patient’s control over who accesses their records or help them monetize their data when it’s used for research.