People seem to misunderstand the Health Insurance Portability and Accountability Act (HIPAA). I often hear people citing HIPAA as proof that their medical data is private. However, misunderstandings aren’t reality. Your medical data isn’t private. In fact, it’s for sale:
Your medical data is for sale – all of it. Adam Tanner, a fellow at Harvard’s institute for quantitative social science and author of a new book on the topic, Our Bodies, Our Data, said that patients generally don’t know that their most personal information – what diseases they test positive for, what surgeries they have had – is the stuff of multibillion-dollar business.
The trick is that the data is “anonymized” before it is sold. I put that word in quotation marks because anonymized can mean different things to different people. To me, anonymized means the data has been scrubbed in such a way that it cannot be tied to any individual. This is a very difficult standard to meet, though. To others, such as those who are selling your medical data, anonymized simply means replacing the name, address, and phone number of a patient with an identifier. But simply removing a few identifiers doesn’t cut it in the age of big data:
But other forms of data, such as information from fitness devices and search engines, are completely unregulated and have identities and addresses attached. A third kind of data called “predictive analytics” cross-references the other two and makes predictions about behavior with what Tanner calls “a surprising degree of accuracy”.
None of this technically violates the health insurance portability and accountability act, or Hipaa, Tanner writes. But the techniques do render the protections of Hipaa largely toothless. “Data scientists can now circumvent Hipaa’s privacy protections by making very sophisticated guesses, marrying anonymized patient dossiers with named consumer profiles available elsewhere – with a surprising degree of accuracy,” says the study.
With the vast amount of data available about everybody, identifying who “anonymized” data belongs to isn’t as difficult as most people think.
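To make the gap between the two meanings of “anonymized” concrete, here is an added example (not from the quoted article or the book) that audits a pseudonymized release for k-anonymity, a standard measure that the post itself does not name. The rows, field names, choice of quasi-identifiers, and generalization rules are all constructed assumptions.

```python
from collections import Counter

# Constructed sample rows. Name, address and phone are already replaced by a
# pseudonymous id, which is the weak sense of "anonymized" discussed above.
RECORDS = [
    {"pid": "a91f", "zip": "55401", "birth": "1984-03-12", "sex": "F", "dx": "E11"},
    {"pid": "c07b", "zip": "55401", "birth": "1984-09-30", "sex": "F", "dx": "J45"},
    {"pid": "3e2d", "zip": "55403", "birth": "1984-06-02", "sex": "F", "dx": "F32"},
    {"pid": "7b10", "zip": "55414", "birth": "1961-01-22", "sex": "M", "dx": "I10"},
    {"pid": "f4a8", "zip": "55416", "birth": "1961-11-05", "sex": "M", "dx": "C61"},
    {"pid": "29cc", "zip": "55418", "birth": "1961-07-19", "sex": "M", "dx": "E78"},
    {"pid": "88e1", "zip": "55401", "birth": "1932-02-14", "sex": "F", "dx": "G30"},
]
QUASI_IDENTIFIERS = ("zip", "birth", "sex")  # assumed to exist in outside, named data

def key(record, qis=QUASI_IDENTIFIERS):
    """Quasi-identifier tuple that defines a record's group."""
    return tuple(record[q] for q in qis)

def class_sizes(records):
    """Count how many records share each quasi-identifier combination."""
    return Counter(key(r) for r in records)

def k_anonymity(records):
    """Smallest group size; k == 1 means some record is unique."""
    return min(class_sizes(records).values())

def unique_records(records):
    """Records that are alone in their group, i.e. exposed to linkage."""
    sizes = class_sizes(records)
    return [r for r in records if sizes[key(r)] == 1]

def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return {**record, "zip": record["zip"][:3], "birth": record["birth"][:4]}

def suppress_below(records, k):
    """Drop records whose group is still smaller than k after generalizing."""
    sizes = class_sizes(records)
    return [r for r in records if sizes[key(r)] >= k]

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    safe = suppress_below(coarse, 3)
    for name, rows in (("released", RECORDS), ("generalized", coarse), ("suppressed", safe)):
        print(name, "k =", k_anonymity(rows), "unique =", len(unique_records(rows)))
```

Every row in the pseudonymized release is unique on ZIP, birth date, and sex, so swapping the name for an identifier protected nobody. Coarsening those fields still leaves one outlier, which has to be withheld before the release reaches k = 3.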
HIPAA was written by an organization that hates privacy, so it’s not surprising to see that the law failed to protect anybody’s privacy. This is also why legislation won’t fix this problem. The only way to fix this problem is to either incentivize medical professionals to keep patient data confidential or to give exclusive control of a patient’s data to that patient.