Bloomberg is reporting that states hungry for revenue and flush with the power to requisition individual medical records are moving to capitalize on the value of that information by selling the information in them to all comers. Unlike private companies, states and their agents are exempt from HIPAA requirements and therefore do not have to take data privacy especially seriously.
In an experiment, researchers were able to match several dozen people with their supposedly de-identified medical records by combining public record searchers and the information in a sample group of records purchased for $50 from Washington State. Among other things, “an executive treated for assault was found to have a painkiller addiction,” and a “retiree who crashed his motorcycle was described as arthritic and morbidly obese.”
Bloomberg reports notes that states that exclude zip codes, and admission and discharge dates are less vulnerable to records identification. But even “de-identified” data sets contain significant personal information that could be used to identify individuals, especially in rural areas with small populations.
The “de-identified” data set for Colorado includes type of insurance, gender, month and year of birth, city of residence, race/ethnicity, month and year of admission, where service was provided, the zip code of where service was provided, the DEA code or National Provider Identifier number code for the person providing service, all payment data, details of the drugs prescribed and how they were delivered, and all payment details for everything. The de-identified data set also includes details of family relationships such as whether the person receiving services is the spouse or child of the person who owns the family insurance policy.
Montrose hospital in Montrose, Colorado, hosted 2,563 surgeries and 469 births in 2012. Its service area includes the city of Redvale, population 236. Nine people in its population were Hispanic according to the 2010 Census 2010. Matching the medical record of a birth to a Hispanic mother from Redvale to a specific individual wouldn’t take much effort.
Unless ObamaCare is repealed and states give people the power to opt out of databases, if you need health care and you have, or have ever had, a health condition that you do not want to make public, you might be wise to seek care in a state or foreign country that takes medical privacy seriously.