With Senate bill S.3530, data brokers would remove the last shreds of transparency and control that patients still have over our health data and drive healthcare costs even higher in the process. Will hospitals and the pharmaceutical industry go along?
It’s been 17 years since patients lost control over how our hospitals and insurance companies use our personal health data without any consent or a convenient accounting for disclosures. HIPAA allows so-called Covered Entities to use and sell our data without consent and, separately, often under the pretense of de-identification, through a $100 Billion network of hidden data brokers that we know don’t know about, choose, or oversee. Our data is worth $100 Billion because it helps health businesses to maximize profits and it contributes to an unknown extent to the uniquely high cost of healthcare in the US.
The lack of health data access and transparency under current HIPAA is evident to anyone that wants to understand how much a health service will cost, who wishes there was a rational way to choose a health plan, or anyone that would like to have some idea of the quality of a hospital or the cost-effectiveness of a drug. From a privacy perspective HIPAA has not served patients particularly well.
It could get worse.
The cynically named “Ensuring Patient Access to Healthcare Records Act of 2016” S.3530 a coalition of data brokers is asking Washington to remove the little control over privacy that we have left by giving the data brokers the same HIPAA lack-of-consent treatment that our hospitals and insurance companies already have. Along the way, the data brokers are asking for various safe harbors and elimination of the state preemption parts of HIPAA. (This allows states like California to treat HIPAA as a floor by adding privacy protections such as a patient right of action.) One well-known privacy consultant characterized S.3530 as a “sinister plot”.
At first look, extending Covered Entity status to data brokers seems like a quantitative shift and possibly a benefit to patients. But the deceptive part is that unlike today’s Covered Entities (hospitals, pharmacies, and insurance companies), data brokers do not have to compete for the patient’s business. They’re infrastructure, common to whatever healthcare service we might choose. By giving the infrastructure business the right to use and sell our data without consent or even transparency, we are enabling a true panopticon – an inescapable surveillance system for our most valuable personal data.
Open season on privacy in Washington, DC is not limited to healthcare. Congress is about to make your Web browsing history a matter for surveillance at the infrastructure level as well. A recent article by Bruce Schneier, explains:
“Unlike service providers like Google and Facebook, telecom companies are infrastructure that requires government involvement and regulation. The practical impossibility of consumers learning the extent of surveillance by their internet service providers, combined with the difficulty of switching them, means that the decision about whether to be spied on should be with the consumer and not a telecom giant. That this new bill reverses that is both wrong and harmful.”
There are too many other frightening aspects of S.3530 to go into detail here. One of them, (para 3-D-(2)) however, stands out for the sheer cynicism, where the data broker will sell our own data back to us after purchasing it from other data brokers.
17 years into HIPAA, computers and networks are now effectively free relative to the value of the personal health data being managed. Clearinghouses and other vestiges of the paper age should be irrelevant and not a $100 B hidden surveillance business. From a privacy and patient rights perspective, S.3530 is a disaster. It will be interesting to see how our healthcare providers, pharmaceutical and device manufacturers, and other principals that legitimately need and should have consented access to our private data react to S.3530.