Health and Privacy

Once upon a time, if you were having trouble managing your diabetes that information was written down on a paper chart, stuck in a manila folder and locked in a cabinet. Only you and your doctor knew. Nowadays, many more people might know, or guess. The most common way for health data to leak isn’t when hackers steal it. It’s when you give it away click by click. Just as marketers put bits and pieces of online information together to predict what toothpaste you buy, doctors and hospitals are using the same techniques in the hope of improving your health on the basis of stuff you haven’t told them. The rise of electronic health records, wearable devices and smartphone apps tracking your every breath, meal and heartbeat can only speed the spread of health information.

The Situation

Carolinas Healthcare, which runs the largest hospital chain in North and South Carolina, has been plugging retail data for 2 million people into algorithms designed to identify high-risk patients, while Pittsburgh University Medical Center, Pennsylvania’s biggest healthcare system, has started using household and demographic data. Meanwhile, to better target their ads, drug companies are using systems run by companies like IMS Health and Symphony Health Solutions that buy up prescription data that’s been stripped of individual identities, but that can be linked through their software to a patient’s web browsing history. And researchers are finding ways to mine data generated by smartphones or other devices. One study used smartphones’ GPS systems, light sensors and microphones to predict whether someone was becoming depressed. It’s unclear what rules would protect that kind of information outside a research setting. More traditional data faces security threats, too, especially since the U.S. government started giving doctors financial incentives to switch to electronic health records under the 2009 economic stimulus law. Since then, there have been more than 1,100 incidents in which health information involving at least 130 million individuals was breached, including information on 80 million Anthem customers. Health data can leak out in attacks on other employers, too, as Sony employees discovered.

The Background

Medical information has long been collected outside of the doctor’s office. Data brokers used to mail surveys asking for details on everything from pet food preference to cancer history, information sold to companies marketing a drug or medical device. And there were prying eyes at hospitals, employees who would peek in on the chart of a celebrity or friend. What has changed is the amount of information now being collected through smartphones, workplace wellness programs, health websites and electronic medical records and the number of people who can access it.  In the U.S., the Health Insurance Portability and Accountability Act, or HIPAA, protects information shared with a health provider, insurer or someone working directly for one of those parties, but any medical information shared outside those confines, like via a phone app or website, is fair game. Even some workplace wellness programs may not be protected by HIPAA.  In many parts of Europe, data collectors must register with the government and consumers have more rights to review data that companies have on them and correct inaccuracies. Another new factor in the U.S. is the incentive created by the Affordable Care Act for doctors and hospitals to hold down costs. Since a small number of patients generate a big percentage of total spending, identifying them and stepping up preventive measures can pay off for providers.

The Argument

Hospitals hope big data will help give them a better picture of a patient outside the few minutes they spend in the doctor’s office — if retail data, for instance, shows that a former smoker with asthma starts buying cigarettes again, the hospital could contact that patient before there’s a trip to the emergency room. But privacy advocates say such information could be used to take advantage of those who are disabled or mentally ill, or could facilitate identity theft. There is also fear that the information could be used by employers to avoid hiring those with costly medical conditions. Others say the problem isn’t the collection of data, it’s who controls it. Giving patients access to their own files and to new data collected by apps, like those that track blood sugar levels or physical activity, can let them monitor their own health, while reducing waste and medical errors. Programs that analyze large pools of anonymous data to find the most effective treatments would seem less controversial — but the U.K.’s National Health Service had to postpone the launch of its Care.data project for a year over privacy concerns.

The Reference Shelf

  • The U.S. Federal Trade Commission produced a report after an investigation into the data brokerage industry.
  • The U.S. Department of Health and Human Service’s database of health data breaches.
  • Acxiom, a data broker, has created a site that lets consumers who register see some of the data the company has collected on them.
  • A Bloomberg News article on how hospitals are using retail data.

    First published April 23, 2015

    To contact the writer of this QuickTake:
    Shannon Pettypiece in New York at spettypiece@bloomberg.net

    To contact the editor responsible for this QuickTake:
    John O'Neil at joneil18@bloomberg.net

    Before it's here, it's on the Bloomberg Terminal. LEARN MORE