Top privacy researchers urge the health care industry to safeguard patient data

Patient data might be the biggest business you’ve never heard of.

As a STAT investigation published Monday revealed, data brokers are quietly trafficking in Americans’ health information — often without their knowledge or consent, and beyond the reach of federal health privacy laws. This market in medical records has become highly lucrative — $13.5 billion annually — thanks to advances in artificial intelligence that enable the slicing, dicing, and cross-referencing of that data in powerful new ways.

But the building of these algorithms often sidelines patient privacy. And researchers who’ve been tracking these erosive effects say it’s time to reform how health data is governed and give patients back control of their information.


“Privacy is an elusive concept, but the potential harms when it’s taken away or when it’s lost — those are critically important to understand,” Eric Perakslis, chief science and digital officer of the Duke Clinical Research Institute, said Tuesday at the 2022 STAT Health Tech Summit in San Francisco. “And if we can’t figure out privacy in some way with a law we should be figuring out what those harms are and making them illegal.”

One of the most frequent harms he and other researchers have chronicled: Patients being denied care or insurance coverage based on information payers drew from their social media activities after combining datasets to re-identify them. “We hear those stories all the time,” he said. “Data re-identification isn’t illegal. And there’s lots of things like that I wouldn’t even call loopholes. Loopholes imply something’s working. They’re just the truth of the ecosystem.”


Perakslis has been a leading figure in the push to rein in the growing trade of de-identified health record data, which largely is not covered by federal patient privacy protections. HIPAA, the Health Insurance Portability and Accountability Act, was passed in 1996, before most people had smartphones, social media, and the deluge of personal data produced by both. It was designed to make sure people could transfer their health insurance between jobs. The law governs how patient data can be shared between insurers and health care providers, but makes it possible to share that data once it’s been stripped of names, addresses, and other identifying information.

“It’s basically saying that some of your data is less important or less risky than others, and that’s just broken because half that data you can get out of the phone book,” said Perakslis.

Andrea Downing, co-founder of the Light Collective — a group of patient communities advocating for digital rights — said there’s a need to consider updating or replacing HIPAA to restore privacy to the modern health information ecosystem.

To her, patients need to have a say in how datasets are used — her group’s guiding principle is “no aggregation without representation.”

“We’re thinking less in terms of ownership — ownership is a bad framework because data can be replicated in so many different ways,” Downing said. “But we have to get ahead of the bad uses and we do that with representation in governance structures of patient communities that are affected by those data.”

She’s especially keen to outlaw ad targeting on social media by pharma companies. “Those same mechanisms that we use to recruit populations for the good stuff in research can also be used to weaponize information against vulnerable populations,” said Downing. “We need to end surveillance capitalism as a business model in healthcare, 100%.”

Source: STAT