Whenever we go to the doctor, we assume that our data is confidential and will never be revealed to the outside world. It seems like that would be the case, but the harsh reality is that my data, your data, and everybody’s data could be shared without consent.
It’s important to understand how healthcare data privacy works in the U.S. Currently, all personal healthcare information (PHI) is protected under the Health Insurance Portability and Accountability (HIPAA) which was enacted in 1996. Under HIPAA, all “individually identifiable health information” must be de-identified to ensure that nobody can find which patient the data belongs to. Because of the rapid advancement of data storage and electronic healthcare affairs, HIPAA has made efforts to create reasonably effective de-identification methods. Insurance companies, clearinghouses, and healthcare providers must comply with HIPAA’s de-identification standards which mainly consist of removing any attributes in data that can identify a person such as age, zip code, and sex.
While this seems like a useful method to ensure the protection of patient data, there are key flaws in the HIPAA guidelines. To understand the magnitude of these flaws, it’s important to recognize why patient data can be so useful and to realize what happens after patient data is de-identified.
Healthcare information is valuable to large businesses because it could be used to produce targeted ads that exploit certain populations for monetary gain. At this point, HIPAA guidelines are no longer helpful due to the fact that “De-identified health information [...] is no longer protected by the Privacy Rule because it does not fall within the definition of PHI.” Usually, a patient must give their informed consent for usage of their data; however, once data is de-identified, it can be shared without the explicit consent of a patient.
Even if the patient’s data was completely unidentifiable, the inherent sensitivity of personal data leads to a major breach of privacy. However, it has been shown that re-identifying patient data is shockingly easy. A study published in Nature by researchers in Europe found that with just 15 demographic attributes, the PHI of 99.98% of Americans could be correctly re-identified. This incredibly valuable data could be used to sway votes in politics, force impulsive buying in the retail industry, and do much more harm if it falls into the wrong hands.
Patient privacy is of utmost importance and it’s crucial that our legislation addresses that.