Open Season on Health Privacy in Washington DC

With Senate bill S.3530, data brokers would remove the last shreds of transparency and control that patients still have over our health data and drive healthcare costs even higher in the process. Will hospitals and the pharmaceutical industry go along?

It’s been 17 years since patients lost control over how our hospitals and insurance companies use our personal health data without any consent or a convenient accounting for disclosures. HIPAA allows so-called Covered Entities to use and sell our data without consent and, separately, often under the pretense of de-identification, through a $100 Billion network of hidden data brokers that we know don’t know about, choose, or oversee. Our data is worth $100 Billion because it helps health businesses to maximize profits and it contributes to an unknown extent to the uniquely high cost of healthcare in the US.

The lack of health data access and transparency under current HIPAA is evident to anyone that wants to understand how much a health service will cost, who wishes there was a rational way to choose a health plan, or anyone that would like to have some idea of the quality of a hospital or the cost-effectiveness of a drug. From a privacy perspective HIPAA has not served patients particularly well.

It could get worse.

The cynically named “Ensuring Patient Access to Healthcare Records Act of 2016” S.3530 a coalition of data brokers is asking Washington to remove the little control over privacy that we have left by giving the data brokers the same HIPAA lack-of-consent treatment that our hospitals and insurance companies already have. Along the way, the data brokers are asking for various safe harbors and elimination of the state preemption parts of HIPAA. (This allows states like California to treat HIPAA as a floor by adding privacy protections such as a patient right of action.) One well-known privacy consultant characterized S.3530 as a “sinister plot”.

At first look, extending Covered Entity status to data brokers seems like a quantitative shift and possibly a benefit to patients. But the deceptive part is that unlike today’s Covered Entities (hospitals, pharmacies, and insurance companies), data brokers do not have to compete for the patient’s business. They’re infrastructure, common to whatever healthcare service we might choose. By giving the infrastructure business the right to use and sell our data without consent or even transparency, we are enabling a true panopticon – an inescapable surveillance system for our most valuable personal data.

Open season on privacy in Washington, DC is not limited to healthcare. Congress is about to make your Web browsing history a matter for surveillance at the infrastructure level as well. A recent article by Bruce Schneier, explains:

“Unlike service providers like Google and Facebook, telecom companies are infrastructure that requires government involvement and regulation. The practical impossibility of consumers learning the extent of surveillance by their internet service providers, combined with the difficulty of switching them, means that the decision about whether to be spied on should be with the consumer and not a telecom giant. That this new bill reverses that is both wrong and harmful.”

There are too many other frightening aspects of S.3530 to go into detail here. One of them, (para 3-D-(2)) however, stands out for the sheer cynicism, where the data broker will sell our own data back to us after purchasing it from other data brokers.

17 years into HIPAA, computers and networks are now effectively free relative to the value of the personal health data being managed. Clearinghouses and other vestiges of the paper age should be irrelevant and not a $100 B hidden surveillance business. From a privacy and patient rights perspective, S.3530 is a disaster. It will be interesting to see how our healthcare providers, pharmaceutical and device manufacturers, and other principals that legitimately need and should have consented access to our private data react to S.3530.

Categories: Uncategorized

9 replies »

  1. Although people should not have to do this: it seems like a market could open up within Direct Care that would guarantee the patient that their records will not be shared with anyone under any circumstances. Health Care off the grid.

  2. “You have zero privacy anyway. Get over it.”
    Scott McNealy, Sun Microsystems January 1999

    HIPAA is only for the little people.

  3. Hey, how about a GOP “pre-existing conditions at the Moment of Conception” bill? Somewhere, some wing nut lawyer is probably concocting an argument that a genetic risk finding is actually tantamount to a “pre-existing condition” to be used for coverage denial.

    The word “ouroboros” comes to mind.

  4. Don’t disagree with you. Just that I went looking to read the exact bill. Not on the 115th legislative calendar I keep watching for other absurd stuff to re-emerge too, like FADA, Pence’s wet dream.

  5. The lobbyists presented this to a number of us this week. Pile on employer access to genomes, changes to the common rule, expansion of behavioral health sharing without explicit consent, steady expansion of law enforcement registries into clinical mandates, and a proposed cut to OCR and the Chief Privacy Officer position… I think we can see a trend.

  6. This bill is not listed in the current Congress session (115th at Congress.gov, 2017-2018). It was posted last year in the prior Congress (114th), ‘‘Ensuring Patient Access to Healthcare Records Act of 2016’’ (S.3530).

    From Legiscan: “Status: Introduced on December 8 2016 – 25% progression, died in committee”

  7. Regardless of what law enforcement is doing, for the sake of our human dignity, our security, and our economy we need to shift to holding individuals responsible for how personal data is used. The current model holds only the institutions accountable and that supports the breach of 10s of millions of records in some incidents. The 2008 sub-prime mortgage crisis is an example – no individuals went to jail even after a crisis that almost tanked our economy. The economic threat of widespread data brokerage and price fixing in 20% of the US economy will turn out to be an even bigger bubble than the mortgage crisis. It’s the responsibility of individuals to prevent such disasters, because we have seen that institutions can’t help themselves from this perspective.

  8. It is my understanding that the operating system for every computer that is sold has a section of code that allows access the computer by the FBI. If you can, please verify the accuracy of my information. Our problem is more likely to be represented by how the data is protected, a record of how it was used, and when it will be verifiably destroyed. In addition, the responsible person/institution for each of these actions should be identifiable. A reincarnation of a ‘Federal Reserve’ for protected data could be applied to keep track of it.