States Selling, Sharing Risky Personal Health Data

Nearly all states collect hospital discharge data with 33 states selling or sharing de-identified information--not covered under HIPAA.



That raises concerns that the hospitals are turning over data potentially vulnerable to re-identification, according to the Federal Trade Commission.

De-identified information is generally defined under the HIPAA Privacy Rule as information that does not identify an individual and for which there is no reasonable basis to believe an individual can be identified from it. "If you've had a hospital visit, and in most states a physician visit, information about your visit is in discharge data," according to Latanya Sweeney, chief technologist at the FTC. "It doesn't have names, addresses, or Social Security numbers. But, it includes diagnosis codes, procedure codes, and how you paid for it." 

Many states make available to the general public--including commercial enterprises--what are considered to be less sensitive versions of this “public use” data. Nevertheless, Sweeney argues that obtaining discharge data often requires little or no review by the state, and use of the data is subject to few or no restrictions. 

Discharge data--mandated under state laws--includes patient demographic information (such as age, sex, county of residence, and race/ethnicity), diagnostic information, treatment information, disposition, total charges and expected source of payment. The data allows for comparisons across regions and states, such as rating hospital and physician performance and assessing variations and trends in care, access, charges and outcomes.

Yet, private companies--not researchers--are the top acquirers of this kind of statewide health data, according to the FTC. And, despite the fact that the data is de-identified, Sweeney claims that it is possible to re-identify patients and link them to their medical information. The problem, she says, is that de-identified information can later be used in combination with other publicly available information to identify an individual.

"For $50, we went to the State of Washington and we purchased their hospital discharge data for the year 2011," says Sweeney. Researchers then matched the data with news articles about accidents that contained the word "hospitalization" or referred to individuals being "hospitalized." Many of these news accounts included the name and age of the person, where and when the accident happened, and the hospital at which they were treated. By combining different sources of data, she said they were able to correctly match 43 percent of the news stories to the Washington State discharge data to positively identify the individuals involved.
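A data custodian can measure this exposure before a release. The following is an added example, not code from the article or the FTC study: it counts how many records are unique on a set of quasi-identifiers (k-anonymity), then shows that coarsening fields still leaves an outlier that must be suppressed. The field names `hospital` and `admit_month`, the age bands and all sample rows are assumptions constructed for illustration.

```python
from collections import Counter

# Quasi-identifiers: fields discharge data keeps or a news story can reveal (assumed set).
QI = ("age", "sex", "county", "hospital", "admit_month")
FIELDS = QI + ("dx",)

# Constructed sample rows (all values invented); no names, addresses or SSNs.
ROWS = [
    (34, "F", "King", "H1", "2011-03", "S72.0"),
    (36, "F", "King", "H1", "2011-05", "J18.9"),
    (31, "F", "King", "H2", "2011-03", "K35.8"),
    (58, "M", "Pierce", "H3", "2011-07", "I21.9"),
    (52, "M", "Pierce", "H3", "2011-07", "S06.0"),
    (55, "M", "Pierce", "H4", "2011-11", "E11.9"),
    (71, "F", "Spokane", "H5", "2011-01", "S32.0"),
    (34, "F", "King", "H1", "2011-03", "O80"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]

def classes(records, keys=QI):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in keys) for r in records)

def k_anonymity(records, keys=QI):
    """Smallest class size; k == 1 means someone is unique on these fields."""
    return min(classes(records, keys).values())

def at_risk_fraction(records, k=2, keys=QI):
    """Share of records that sit in a class smaller than k."""
    sizes = classes(records, keys)
    return sum(n for n in sizes.values() if n < k) / len(records)

def generalize(record):
    """Coarsen fields: 10-year age band, year only, facility withheld."""
    low = record["age"] // 10 * 10
    return {**record, "age": f"{low}-{low + 9}", "hospital": "*",
            "admit_month": record["admit_month"][:4]}

def suppress_small_classes(records, k=2, keys=QI):
    """Drop records still in a class smaller than k after generalizing."""
    sizes = classes(records, keys)
    return [r for r in records if sizes[tuple(r[f] for f in keys)] >= k]

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    released = suppress_small_classes(coarse)
    print("raw:", k_anonymity(RECORDS), at_risk_fraction(RECORDS))
    print("generalized:", k_anonymity(coarse), at_risk_fraction(coarse))
    print("released:", len(released), k_anonymity(released))
```

A record with k = 1 is the kind a news story giving age, county, hospital and date can single out; the diagnosis code then attaches to a named person.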
