“I didn’t understand the issue of medical privacy. It sounded abstract,” says Deanna Fei, author of the new book Girl in Glass, which covers the premature birth of her daughter Mila and an ensuing storm over medical privacy and ethics. Now she says firmly, “This is an issue of civil rights and social justice. Without the right to medical privacy, ordinary Americans can’t keep information from being used against them.”
Fei’s most intimate story is now public knowledge. A recap: When she went into labor after only five and a half months of pregnancy, she didn’t know if her baby would live or die. She was in pain, bleeding, rushing in a cab to the hospital; and, later, she was staring at the bruised skin of her less than 2-pound daughter, who was too fragile to touch. As baby Mila grew into a healthy one-year-old, a new blow fell. The CEO of AOL, Tim Armstrong, blamed a forthcoming benefits cut on the costs of two “distressed babies” born to employees. One of the employees was Fei’s husband, whose insurance covered the family. People at work started asking him if the comments referred to his family. So Fei decided to speak out. “When I came forward, we were afraid. I was speaking out against my husband’s boss, who runs a powerful company,” she says. “But I just felt it was imperative to speak up to defend my daughter’s basic humanity. I also came to see that to single out any individual for their expenditures undermines the principle of health insurance.” After an uproar, Armstrong quickly apologized and reversed his decision on benefits.
But the episode underscored just how insufficient the existing protections are for individual privacy in the medical realm. Under the Health Insurance Portability and Accountability Act (HIPAA), it’s illegal for health plans and some other entities to reveal medical information about those insured or treated. CEO Armstrong didn’t name names … but they were easily deduced by many employees. If AOL self-insures (which as a large corporation it’s likely to, but will not publicly confirm), then it is considered a health care provider subject to HIPAA. Many medical and legal experts considered Armstrong’s action unethical and possibly a violation of existing medical privacy law. The Office for Civil Rights at the Department of Health and Human Services, which is in charge of investigating violations, would only say, “As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations.”
Medical privacy is a high-stakes game, in both human and financial terms, given the growing multibillion-dollar legal market for anonymized medical data. IMS Health Holdings, for example, acquires data from pharmacies and sells it to biotech and pharmaceutical firms. After looking into its filing to become a public company, ProPublica found IMS’s “revenues in 2012 reached $2.4 billion, about 60 percent of it from selling such information.” Medical data-mining firms claim that this is all harmless because the data is truly anonymous, but their case is not airtight by any means. For example, Latanya Sweeney of Harvard’s Data Privacy Lab bought commercially available data and de-anonymized it by cross-referencing the dates of medical events with local news events and public records. She found that a man publicly identified as a missing person was diagnosed with pancreatic cancer and had attempted suicide, for example. A few of the people she identified chose to speak publicly, including retired Vietnam veteran Ray Boylston, who had his bladder removed after a severe motorcycle crash. “I feel I’ve been violated,” he told Bloomberg Businessweek.
There’s also the risk that medical records will be breached by hackers, or in some cases, by workers manually printing files. When Greg Virgin, CEO of the security firm RedJack, gave NPR a “tour” of sites selling stolen data, he found a bundle of 10 Medicare numbers selling for 22 bitcoin, or $4,700 at the time. General medical records sell for several times the amount that a stolen credit card number or a social security number alone does. The detailed level of information in medical records is valuable because it can stand up to even heightened security challenges used to verify identity; in some cases, the information is used to file false claims with insurers or even order drugs or medical equipment. Many of the biggest data breaches of late, from Anthem to the federal Office of Personnel Management, have seized health care records as the prize.
While many doctors have focused on their personal responsibilities to patients and not ventured into questions of privacy, some have moved to address the problem. Psychiatrist Dr. Deborah Peel remembers patients during the pen-and-paper days asking if they could pay cash and stay out of her paperwork, afraid the information would somehow find its way back to employers. Later, she founded the Patient Privacy Rights organization, realizing the era where paper copies of her records would circulate to perhaps a dozen entities has been superseded by much wider information distribution. “The data holders — hospitals, health plans — they now control where our data goes and we have no idea, no chain of custody for our data,” she says.
The HIPAA law, meanwhile, has been changed several times. A provision in the stimulus bill in 2009 said that patients should have access to disclosures about where their data is sold or shared. But it hasn’t been turned into concrete regulations and implemented. “They do not want us to know how many people and technology vendors and software companies access and use our data. If you’re in a hospital you’ll have more than 100 human accesses per day, but you may have thousands of contacts” with devices and computer systems tracking you as a patient, says Peel. (The Office of Civil Rights at HHS says the agency is “in the process of additional fact finding.”) Addressing the need for medical research and privacy, Peel says, requires coming up with a cyber-credential system that would allow researchers to query individuals, who could choose to grant access to only the parts of their medical history they wanted to disclose. “If a million people get their data queried, then we get research and we get privacy,” she argues.
Lawsuits are another response to privacy violations. Indiana attorney Neal Eggeson has filed and won HIPAA-related cases on behalf of individuals by framing the disclosures as medical malpractice. In one case, a Walgreen’s pharmacist shared information with her husband about his ex-girlfriend, who she thought may have given the man a sexually transmitted disease. The husband texted his ex-girlfriend; the jury found Walgreen’s liable for 80 percent of the $1.44 million damages. (The case is under appeal.)
Medical data resides in unexpected places — including wearable health devices, which can range from a glucometer for someone with diabetes to a fitness tracker. But the HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) laws are geared to regulate health care providers, insurers, employers and schools, not private device manufacturers. Privacy policies can be murky. For example, the first paragraph of Fitbit’s current policy states, “We will never sell your data, and will only share personally identifiable data when you direct us to (or under the circumstances outlined in our Privacy Policy).” Much later, it adds, “De-identified data that does not identify you may be used to inform the health community about trends; for marketing and promotional use; or for sale to interested audiences.” (Fitbit did not respond to a request for comment.) Sen. Charles Schumer raised concerns in August 2014 about its privacy policies. After Fitbit hired the lobbying firm Heather Podesta + Partners, and tweaked its privacy policy, the senator backpedaled, saying of Fitbit, “This company cares very much about their privacy and security.”
During a 2013 FTC panel on “Connected Health and Fitness,” University of Colorado law professor Scott Peppet said, “I can paint an incredibly detailed and rich picture of who you are based on your Fitbit data,” adding, “That data is so high quality that I can do things like price insurance premiums or I could probably evaluate your credit score incredibly accurately.” In addition to selling its devices, Fitbit also sells an analytics platform to employers. Some employers are using the data to negotiate down their insurance rates. Others, like the energy company BP, offer reduced premiums to employees who walk a million steps in a year and take other measures in a rewards-point system. The question is whether employers will use the system in reverse — for example, deciding that someone’s health metrics make them a bad choice for a promotion.
The threats to individuals seeking to protect their medical data can come externally, from data breaches; internally, from “rogue employees” and others with access; or through loopholes in regulations. Fei, whose daughter Mila is now a healthy two-year-old, has embraced her role as a public advocate. “We need comprehensive laws to safeguard our right to medical privacy,” she says. “Most ordinary Americans don’t understand how vulnerable our health data is. And once we understand, there’s not much that we can do. If an employee is coping with a medical problem, they are dependent upon their employers and there’s not much incentive for them to come forward.” Although there’s no way to know how many people have experienced a violation of medical privacy and chosen not to speak up for fear of retaliation or shame, many have responded gratefully to the chance to share their stories. Fei started a website, ourdistressedbabies.org, but found that people were posting about other forms of health-shaming or questionable practices. One man, for example, had high job ratings but was let go after having had a kidney transplant, the aftercare for which would have raised the company’s premiums. “The people who wrote to me, they saved me,” Fei says of the way it ended her sense of isolation. “They told me, ‘I was never able to speak up. I hope you will be able to keep talking.’ These stories haunt me.”
There are National Security Exceptions written into the Privacy Disclosure Policies of most California Health Care Providers.
Thank you so much for this in-depth overview.
Disclosing “protected” health information (PHI) without consent is an oxymoron. The modern version of the Hippocratic Oath includes the following provisions: “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
Weakening of the HIPAA privacy rule has destroyed that trust.
Consolidation of health care information is a topic that should be as important as the consolidation of insurance companies and hospitals. Health data consolidation gives rise to information inequality and profits over people. Through pricing mechanisms, unknown to both the doctor and patient, access to care erodes.
HIPAA rules regarding “clearinghouses” give them “business to business” privileges to our PHI without notice and consent. Calculations of drug costs, discounts, or copayments are health care operations if performed in the aggregate for a group of individuals. Quality assessment and improvement activities also count as health care operations.
A retired physician, I just submitted a complaint to the HHS Office for Civil Rights regarding Oregon’s All Payer All Claims database. ~95% of insurance claims in this state are in the hands of Milliman Inc., a global actuarial firm. Claims data includes diagnoses and prescriptions–highly sensitive PHI.
In 2008, the FTC hand-slapped Milliman for their creation of pharmacy risk scores through data purchased from pharmacy benefit managers. Pharmacy risk scores were an efficient way for insurance companies to mine for pre-existing conditions.
Claims data also includes negotiated prices–something that insurance companies doesn’t want disclosed because they are “trade secrets.”
If insurance companies can get away with that, we should be able to copyright our PHI.
How do we know whether insurance companies are submitting accurate pricing data? After all, insurance companies were complicit in low-balling prices to a former UnitedHealth Group subsidiary, Ingenix (rebranded OptumInsight). That led to class action law suits in 2008 because “usual, customary and reasonable” rates for doctors were lower than they actually were, leaving patients responsible for more out-of-pocket costs.
How can we ever evaluate what is “actuarial sound” versus profit-seeking when Milliman’s bread is buttered by the insurance industry? With Obamacare, cost-sharing is the way to profits.
Milliman is one of many profitable vendors that hoard our PHI in all claims databases. The list also includes defense contractors. http://www.apcdcouncil.org/vendors
My insurance provider continues to call asking me to participate in their efficiency scheme which will surely land them a profit for providing my data to additional data droolers who will then dictate new terms to our contract. I’ll end up looking like a car built of chopped liver parts.
My doctor and his mismanaged mispurveyors of data can spill my beans enough for my pain and suffering, thank you.
I went in for what turned out to be shin splints from gimping too much like a crip, but it was the Doc who told me he thought he was having a heart attack dealing with the hacks who now manage our data…WATSON, are you killing our doctors, here, too? We know GCHQ do…
The issue of drivers license scanning at doctors offices is going to become a big one
This is a big problem for security and privacy
What you show here is not the Red Cross; the Red Cross features a red cross, not a white one. What you show is the Swiss flag.
Not only one should have privacy of medical data from corporations but also from governments(most important). NSA and CIA in good old days(1960s MKULTRA days) loved families with child abuse so they used to make a list of families with child abuse and domestic voilence and then American kids as young as 5 were added to these programs of behavior modification.American kids were put in cages and abused(sexually,physically) with and without parents permission to reasearch human mind.Google is doing massive research on after death and would not lose a chance to dig for someone who has critical data about their research topic. Today, same thing is happening all over again. Who thinks human research ended when US senate told them to stop experimenting on kids? NSA is not there to stop child abuse.NSA is there to detect child abuse,domestic voilence to find children who have weak mind so that those children can be used for human research for Monarch Mind Control.The RT has recently done a documentary on this topic on how US intelligence is deeply interested in finding children where child abuse is common so they can be used for experiment.RT in June 2013 also did a program on Remote Nueral Monitering(searh on youtube). Nowaday, NSA poltiely asked parents first to join them for child abuse, if they don’t NSA will start gang stalking or cause divorce(Snowden knows such cases) and then convince the other half parent to hand over children or use Remote Nueral monitering torture to force parents to let NSA experiment on their children. Its a sick world but Intercept is quiet about this. Intercept is busy talking about how NSA can intercept an email but Intercept has no guts to talk about these insane programs of Remote Nueral Monitering,US intelligence involvement in child abuse and these crazy issues.At end, if intercept wants to remain credible then they should release documents about RNM and child abuse monarch program or they will be thought as another distraction to the real issue. Anyone who is genuine journalist can be killed within seconds in the sleep by heart attack using RNM.. just like some journalists from NYT who spoke too much.
It was the perfect job, the job of my dreams – as a family counselor. I started to work and got the employment contract soon later. I went to my boss: This must be a mistake. It is only for six weeks. He said: No, this is your first contract. You get the second one for one and a half years if the woman who is pregnant has given birth to a healthy baby. Otherwise she may return to work and you have to leave – of course.
Maybe I should not have accepted the job but I already had started to work… And I got a second contract. But the friendly and highly motivated young social worker on the other floor left some months later. The woman who owned the job came back – after giving birth to a dead baby. I never talked to her.
I was asked to go for another contract (a second child) but I denied. As it was one of the main christian welfare organisations in Germany I decided to leave christianity. Because of a nightmare of six weeks.
Greetings from Germany and keep talking! <3 <3 <3
Something was lost in translation, or you are a baby, keller.
I appreciate disappointments, like losing a job somewhat predictably, OR A CHILD. Did you not speak to the mother not to be because she lost you your job along with her baby?
I’ve always thought you were pretty enlightened. Please tell me why religion has anything to do with you losing it…I always found you to be kind. Don’t take personally a personnel issue. Stay goal focused, on the children, no?
Sorry you got your feelings hurt by life and death, keller. Get used to it, social worker.
Great, great article, but really, the same CEO psychopaths one finds in banking and oil companies are to be found in the health sector, sad to say!
And regarding the three major health insurers, who are the ultimate owners of them?
With the one recently in the news, Anthem, which is purchasing Cigna, making it the number two insurer, who is the major investor?
Vanguard Group, T. Rowe Price, State Street Corporation and FMR LLC (Fidelity).
So who are the major investors in T. Rowe Price (Vanguard Group, State Street Corp., JPMorgan Chase and BlackRock)?
And the major investors in JPMorgan Chase? (Vanguard Group, State Street Corp., FMR LLC and BlackRock)
Ultimately, the Big Four (BlackRock, Vanguard Group, State Street and FMR LLC) own the majority of everything when one drills down far enough.
The very same applies to the numer one insurer, Aetna and the number three insurer, UnitedHealth.
So, essentially the same Big Four are the major investors of the top three insurers!
Kind of seems like privacy will never be . . .
I’ve heard from people working in health care that the federal government has been tying substantial monetary incentives to the adoption of electronic medical records by health care providers. Gee, I wonder why the government is so gung-ho about that…it couldn’t be a plan to make it easier for the government to collect more personal data on everyone, could it?
Nah, that would be a “conspiracy theory,” believable only by those who wear “tinfoil hats.”
as someone who grew up with a ‘pre-existing’ condition, this whole thing bothered me when I was working in healthcare for an organization trying to expedite EHR. I thought all of their ‘security’ stuff was b.s., once it’s out there electronically, not much you can do to control access. Supposedly it’s to ‘improve’ healthcare so important information doesn’t get lost, but I don’t think it works very effectively to help on that end with healthcare workers too busy to care, but seems to me it just makes it easier to be medically labeled and to have that label follow you everywhere. Scary.
This is an important and timely article; thank you. Perhaps this is a good time to mention, as a sidebar, the Cybersecurity Information Sharing Act, now back in Congress.
http://www.theguardian.com/world/2015/aug/03/cisa-homeland-security-privacy-data-internet
The question here has to do with medical information handled by data firms other than those covered by HIPAA, or whether something in the final bill could negate HIPAA. Certainly the banks, credit card companies, search engines, and suchlike that touch on our medical data might not feel so constrained.
Those of us who remember what an HIV-positive finding meant, in the 1980s, as a scarlet letter, or those who remember what it was like when “pre-existing conditions” had the power to ruin you, this kind of proposal should be scary.
I would like to see the Intercept do a more thorough job on Fitbit. It doesn’t sound like the kind of thing that people would have much personal, voluntary desire for, yet the company is listed on the NYSE. How many users are employees of companies like you describe, and are being coerced? I see from its Wikipedia article that its GPS data has already been used in a criminal case … I imagine it has many other uses. Can you show an intelligence connection of any of the company principals? I should add that it’s rather funny that they had a trademark lawsuit with a similar but more honestly named company, Fitbug… by the way, what other ‘features’ are in this device?
Most of the current fitness and health apps and (afaik) the majority of ‘personal devices’ are networked and require logins and tracking and data storage on remote servers. I’ve always been twigged about that. I agree it’s a massive invasion of privacy. I don’t think people realise just how *much* of an invasion of privacy they are. I suspect people tend to believe data will only be used for the intention they have for it to be used, not realising that’s not how the world works — a form of tunnel vision. Yes, it might be nice or useful for people to share their data and diets with one another, but the fact that it’s becoming difficult to find anything that doesn’t make that compulsory is disturbing. That’d be a cool investigative article.
I do wish to perhaps suggest an alternative to this, though — you wrote “It doesn’t sound like the kind of thing that people would have much personal, voluntary desire for, yet the company is listed on the NYSE. How many users are employees of companies like you describe, and are being coerced?”
These sorts of devices were made popular by TV shows like ‘The Biggest Loser’, ‘Extreme Weight Loss’ and the like. They’re considered status symbols and tools for weight loss and maintenance for quite a bit of the middle and upper class. Given the rate of obesity and morbid obesity in the English speaking world (their primary markets) it doesn’t surprise me at all that people are using them voluntarily. Entire systems exist that encourage using statistics and monitoring and tracking daily goals. I’m not inclined there’s much coercion to use them (other than maybe peer pressure by other people using them) — I’m more bothered that companies are getting access to the data at all (see: analytics platforms).
So yeah, maybe it’ll become more of a coercion thing (oh, American health insurance premiums!) — or the goal is to make it one so companies like this can make more money and create alternative/additional revenue streams for themselves. I suspect it’s more likely to get swept up with every other kind of data than something ‘planned’, but something which can easily be incorporated into plans (plural) — it’s handy, but only because it’ll already exist, and the more data points, the more ‘useful’ the data to paint a picture. I think we both agree those pictures shouldn’t be painted to begin with.
The biggest and least-reported problem with medical privacy is the transfer of wealth for privacy-related damages from the victims of the privacy breaches to the U.S. government. Over the course of the last 3 years, courts federally and in states have basically gutted medical privacy laws (see Clapper and the three separate decisions by California Court of Appeal on this issue), requiring the victims to prove that they sustained actual financial injury and proof that a third-party actually viewed the records. This is basically impossible (I know because I am a privacy lawyer). This is all occurring during the same time period when the U.S. OCR is ramping up its HIPAA-related enforcement actions, claiming that they will prosecute “exponentially” more HIPAA violations going forward, than since HIPAA and HITECH were put into place. So, instead of the victims being entitled to damages and statutory damages for these mass privacy violations, they are being left with basically no remedy while the same violations are being pursued by the U.S. and the damages/settlement monies paid to the U.S. instead. It is a very clever way of re-allocating the price of privacy breaches from the citizen to government.
Very nicely put.
Read this part over 10 times. Because the CEO’s use of the data was to disclose it publicly enough to draw attention, medical and legal experts get a chance to cluck over it and consider it possibly a violation of the law. But CEOs and large companies are very adept at gaming the labor laws over the years, shifting project memberships around, cancelling projects is one way, moving people and doing a plant closing is another, transferring people, and the list goes on and on.
To make a long story short, if CEO Armstrong had instead just decided to get rid of the two employees with the “distressed babies”, nobody would have ever had the chance to challenge his ethics. And that, in a nutshell, is how so many older employees principally, but all employees with a “risk” of higher health costs were shed by employers in the period leading up to and including the “Great Recession.”
It’s great that the employer as health provider part of HIPAA is getting some sunshine. Since the most pressing reason for the privacy had been to keep health information away from employers in the first place, one is hesitant to call it a loophole, since you can literally shove an entire mutinational corporation through it without touching the sides.