Bloomberg is reporting that states hungry for revenue and flush with the power to requisition individual medical records are moving to capitalize on the value of that information by selling the information in them to all comers. Unlike private companies, states and their agents are exempt from HIPAA requirements and therefore do not have to take data privacy especially seriously.
In an experiment, researchers were able to match several dozen people with their supposedly de-identified medical records by combining public record searchers and the information in a sample group of records purchased for $50 from Washington State. Among other things, “an executive treated for assault was found to have a painkiller addiction,” and a “retiree who crashed his motorcycle was described as arthritic and morbidly obese.”
Bloomberg reports notes that states that exclude zip codes, and admission and discharge dates are less vulnerable to records identification. But even “de-identified” data sets contain significant personal information that could be used to identify individuals, especially in rural areas with small populations.