Hospitals in the U.S. pledge to keep a patient’s health background confidential. Federal law even establishes stringent standards for the use and dissemination of personal health information. Yet states like Arizona, Tennessee, New Jersey, New York, and Washington are endangering patient privacy by selling medical records that can be used to link a person’s identity to medical conditions via public information.
Bloomberg News, in conjunction with Latanya Sweeney, Director of Harvard’s Data Privacy Lab, re-identified 35 people out of 81 sample cases searched in a database of hospital discharge records that Washington State sold to the public for $50. In another patient database sample, Latanya Sweeney was able to identify the Governor of Massachusetts using ‘anonymized’ data her lab purchased from the state. Whether intentionally or unintentionally, certain states are exposing the personal medical information of millions of patients.
The data is supposed to remain anonymous. However, a specific “state exemption” from federal regulations allows states to sell large volumes of ‘hospital discharge data’ to data brokers and nationwide specialty consumer reporting agencies. Although the records are seemingly ‘anonymized’, researchers at the Harvard University Data Privacy Lab have demonstrated that individual patients can be identified using only publicly available information and their medical background.
Twelve of the most populous states generated $1.91 million from 1,698 requests for data from 2011, the latest year for which figures are available, according to state records reviewed by Bloomberg News. Washington sold its database 95 times in 2011 and generated just $15,950.
One company that purchases state medical records is IMS Health, owner of one of the world’s deepest pools of medical information. IMS, based in Danbury, Connecticut, has prescription-drug dossiers on 260 million people, said Jody Fisher, U.S. marketing director for IMS.
The data is all anonymous, and IMS doesn’t try to re-identify patients, Fisher said. IMS’s revenue was $2.19 billion in 2009, the year before the company was taken private. About 85 percent of the total came from pharmaceutical companies, which use the data to design sales pitches for doctors and craft direct-mail and online-ad campaigns for consumers.
Bloomberg News made records requests to each of the 20 most-populous states for lists of who’s buying their hospital discharge data. Only 12 states responded and supplied the data; the states are Arizona, California, Florida, Illinois, Maryland, Massachusetts, New Jersey, New York, Pennsylvania, Tennessee, Texas, and Washington. Public and private corporations, including corporations designated as “credit reporting agencies”, were the most frequent multi-state buyers of health profiles. For more, see the list of the top purchasers of medical data in 2011, ranked by the total number of states that purchasers bought from, as well as the corresponding states.