

Wouldn't medical data be covered under HIPAA? (I really don't know - it's possible anonymized data etc. might get around those restrictions). I would hope that when it comes to medical data, laws would prevent some of the usual privacy concerns around Google's data collection.


HIPAA anonymized data sets can be combined with any other data set(s) to reidentify the individual, and it is 100% legal to do so. In fact, data brokers (there are 4,000-8,000 of them in the US) will sell lists of people with, for example, 150 columns of data tied to them, with one of the columns being "presumed medical conditions". Social media companies and other marketers use these lists.


In theory, HIPAA anonymized data sets should be nearly impossible to reidentify in combination with any other data set.

In practice, that's probably still true for “safe harbor” deidentification, but less true for “expert determination” deidentification [0] that doesn't need the safe harbor rules. The latter option should be eliminated.

[0] https://www.hipaajournal.com/de-identification-protected-hea...


This is naive. Read spooky23's posts and the links posted by him. It is a horror story and a huge violation of their privacy: https://news.ycombinator.com/item?id=20183968

You can find more details about the situation by just searching for: "Enfamil" site:news.ycombinator.com

Then on the news.ycombinator.com URL ctrl/command + f "Spooky23"

Anyways it is extremely bad.


The practice spooky23 reports in the thread you cite appears to be blatantly illegal, and the assurance that it was not came from someone who was paid to protect the company; no complaint was made to anyone responsible for enforcing the law.

That's probably the biggest problem with HIPAA, not the law or supporting regs (which have problems, like the one I address upthread), but that most people's first and only complaint of a problem will be to the wrongdoer themselves, not anyone with an interest in enforcing the law. (In Spooky23’s case, there was some effort to go beyond that, but not to an entity actually responsible for enforcing the law in question, or even an agency of the right sovereign entity.)

In any case, while the practices spooky23 raises are, legal or not, a real concern, they in no way justify characterizing my criticism of the specific problems with HIPAA deidentification rules as naive in the context of a pre-existing discussion of reidentification of deidentified data (which is a completely different issue than sharing, legally or not, data which is not deidentified, as is the issue in spooky23's case). Again, it's a real issue, just not a germane one to where it was aggressively thrown into the discussion.


Did you read the second comment on that link from Spooky23? It is legal. Also the second linked article ascribes to the practice being legal. It was a ProPublica report:

"Yes, you are. The events surrounding what happened to my wife was very painful (an ectopic pregnancy that nearly killed her), and a thoughtless reminder was very unwelcome. I still feel violated and betrayed.

In our case, I found out the marketing list from Enfamil and bought it for my zip code. _I complained to the hospitals’ privacy officer and the state regulator and found that everything was legal._

There is a lot of data on the topic...

Prescriptions: https://www.theguardian.com/technology/2017/jan/10/medical-d.... Linkage to lifestyle data: https://www.statnews.com/2018/07/18/health-insurers-personal....

In our case, the hospital pharmacy issued drugs to her indicative of a pregnancy. The pharmacy or insurer provides that information in real time to data brokers. The pharmaceutical companies assign quotas and send salespeople for certain drugs. There are other ways for data to get out that we’re not certain of. Perhaps the insurer “anonymizes” and sells subrogation information. Or the lab. In any case, they knew that my wife was admitted to an OB floor of a hospital, but didn’t know the outcome.

It’s not going away. The US government uses these same techniques with companies like Google to combat extremism or terrorist conversions — they actually use factors like this to target potential recruits with counter-information via ads. "


> Did you read the second comment on that link from Spooky23?

Yeah, as you can tell by the fact that I responded to the post pointing out that the two people complained to were:

(1) A person whose job it is to make sure the hospital doesn't get sued, who is never going to admit wrongdoing, and

(2) An official from the wrong agency (and even the wrong government) when it comes to the law in question.

Also, note that the link you've copied that isn't a 404 is only tangentially related, as it is about gathering and sharing data that never comes under the protection of HIPAA, not resharing PHI as addressed in spooky23's post, which again is a different issue than reidentification of HIPAA deidentified data that I was responding to here. There are lots of different issues around health data, and it isn't helpful to conflate them, much less to hurl abuse at people for failing to conflate the different issues.


There's the other alternative: The company needed no HIPAA data at all to infer the approximate due date:

https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...

That's from 2012, it's no surprise that the tools for identification have gotten better, even without doing things that are illegal.


I am not so certain about this. Specifically, the claim that HIPAA anonymous datasets can be used to reidentify - yes, we know this is technically possible. But the implication that it's legal - I don't think that is specifically correct. By the terms of the law (of which I am far too familiar), if you did this you would generate PHI, which would fall under the privacy rule (and could not be resold).

I don't know the specifics about the data brokers you're describing; this is a huge and complicated area, but I think it's correct to say that companies cannot re-identify de-identified data and then resell it as identified data, legally, under HIPAA.


> By the terms of the law (of which I am far too familiar), if you did this you would generate PHI

You can't generate PHI if you aren't a covered entity.

> By the terms of the law (of which I am far too familiar), if you did this you would generate PHI

You are wrong. If an entity that is not a covered entity acquires deidentified data and reidentifies it, it can do whatever it wants with it under HIPAA.


Wouldn't the entities you're describing be Health Clearinghouses?

"""Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity."""

My read is that the entities I'm describing would fall under this. If you can point to a specific example which you believe violates this (not an anecdote, I'm talking about investigative journalism or a court case or an academic with credentials in this area), I'd love to hear about it.


> Wouldn't the entities you're describing be Health Clearinghouses?

No, a clearinghouse is (to summarize the definition you posted from the regs) an intermediary between providers and/or payers in handling transactions for which standards exist under HIPAA.

They receive PHI in either standard or nonstandard forms, transform it to or from standard forms if necessary and transmit it on; it's PHI the whole time through that function.

An entity acquiring deidentified data (which is explicitly not PHI under HIPAA, that's the whole point of deidentification) is not (for that reason) a clearinghouse, and if they can get other data and reidentify the deidentified data, they can do whatever they want with it.

The theory of deidentification is that the risk of this is minimal (indeed, other than scrubbing virtually everything that could possibly be used to reassociate the data, the only way for PHI to be deidentified is to get a notionally-qualified expert to certify a very low risk of reidentification.)

The problem is that all such certifications are based on a faulty premise: if data is not completely scrubbed so that reidentification without having essentially the equivalent to the original PHI is impossible, the risk of reassociation is almost never very low, because the process is automatable and the marginal cost is near zero.
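As an added illustration (not code from any commenter), here is the kind of check a defender can run before releasing a data set to measure the linkage risk described above: compute the k-anonymity and uniqueness of the quasi-identifier columns, for a release that keeps full zip and birth month versus one coarsened in the spirit of safe harbor. The records and the simplified `safe_harbor_style` generalization are constructed assumptions, not the full HIPAA rule.

```python
from collections import Counter

# Constructed sample records (not real people); columns mimic what an
# "expert determination" release might keep: full 5-digit zip, birth
# year-month, sex, and the sensitive attribute.
RECORDS = [
    {"zip": "12345", "dob": "1984-03", "sex": "F", "condition": "pregnancy"},
    {"zip": "12346", "dob": "1984-11", "sex": "F", "condition": "asthma"},
    {"zip": "12399", "dob": "1984-07", "sex": "F", "condition": "diabetes"},
    {"zip": "12301", "dob": "1984-01", "sex": "M", "condition": "hypertension"},
    {"zip": "12350", "dob": "1984-09", "sex": "M", "condition": "asthma"},
    {"zip": "12345", "dob": "1984-03", "sex": "F", "condition": "migraine"},
]

# Columns that are not direct identifiers but also exist, with names attached,
# in outside data sets (voter rolls, marketing lists), so they can be joined.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def key(record, quasi=QUASI_IDENTIFIERS):
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one record is unique on those columns and
    is linkable by anyone holding the same columns with names attached."""
    counts = Counter(key(r, quasi) for r in records)
    return min(counts.values())


def unique_fraction(records, quasi=QUASI_IDENTIFIERS):
    """Share of records that are alone in their quasi-identifier group."""
    counts = Counter(key(r, quasi) for r in records)
    return sum(1 for r in records if counts[key(r, quasi)] == 1) / len(records)


def safe_harbor_style(record):
    """Simplified stand-in (an assumption, not the full HIPAA safe-harbor list)
    for the idea of purging precision: 3-digit zip and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    coarse = [safe_harbor_style(r) for r in RECORDS]
    print("raw release:    k =", k_anonymity(RECORDS), "unique =", unique_fraction(RECORDS))
    print("coarse release: k =", k_anonymity(coarse), "unique =", unique_fraction(coarse))
```

On this sample the precise release has k = 1 with two thirds of records unique, while the coarsened release has k = 2 and no unique records; a release reviewer would want k well above 1 before treating reidentification risk as low.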


OK, so do you have examples of "An entity acquiring deidentified data, if they can get other data and reidentify the deidentified data, they can do whatever they want with it." actually happening, outside of academic articles?

Specifically: can I go to a data broker, today, in the US, and obtain records under my name that were derived from entirely de-identified data, that has been re-identified by the data broker?


I've been talking about legality, not what is in the wild (other people have made claims about what's happening in the wild, but some of those seem to be conflating direct release of PHI, reidentification of deidentified data, and other issues.)

> from entirely de-identified data

What do you mean by “entirely de-identified”? That sounds like you are referring to the HIPAA safe harbor option (which specifies an extensive array of things which must be completely purged), rather than the alternative HIPAA “expert certification of low risk” option. The problem is that the latter has the exact same legal effect as the former, though the only reason to ever use it is because the data isn't entirely de-identified.

The risk is with legally de-identified data, which is not restricted to entirely de-identified data.


Why does it have to be entirely re-identified data? You seem to get all of the "value" under discussion by correlating de-identified PHI with normal non-restricted non-PHI.


Huh, TIL. Seems like HIPAA should be changed to account for this type of situation, as it seems like corporations can't be trusted to do the right thing.


HIPAA governs entities ("Covered Entities"), not data. If you have data but you're not a covered entity, you're probably not governed by HIPAA requirements.

https://privacyruleandresearch.nih.gov/pr_06.asp


The constitution protects against warrantless search and seizure specifically against "their persons, houses, papers, and effects". Courts in overwhelming number interpreted that to mean cops can take paper money from you without a warrant.

You trust them to do the right thing for HIPAA in regards to a multi billion dollar enterprise?


Hope they would, yes. Trust them to, no.



