Ten years ago even the most skilled social prognosticator could not have foretold the way that electronic data theft would become acceptable in our society.
While most people are genuinely concerned about data loss, few take few steps to remedy the situation. We accept the convenience of credit cards, for example, as a fair exchange for the risk of identity or financial theft that comes with them. The credit card company provides us with the assurance of protection using interest rates to offset their risk; a financial arrangement that estimates the number of afflicted consumers and is continuously updated based on fraud data and what the market will bear.
We’ve all heard that healthcare data is different. It’s personal, potentially damaging, and can be very private. In my experience it can also be stultifyingly boring with a signal-to-noise ratio that greatly reduces its utility to a thief.
What of the vast HIPAA breaches that occurred over the last two years?
What you may not know is that in most of these cases it is highly unlikely that any clinical diagnosis data was actually lost. I contend, based on my reading of the HHS wall of shame and listening to talks from entities such as Anthem, that in most cases it’s billing metadata that is being stolen from databases rather than clinical data.
This isn’t exactly surprising. After all, it’s far easier for a hacker to monetize billing data than clinical data. While the hacker could infer your diagnosis from codes or the name of the institution, I really doubt they are going to do so.
We should also consider the vast amount of over-reporting that occurs. If the covered entity or it’s business associate didn’t know how much data was accessed, the lawyers advise them to disclose anything that could have been touched. Anthem spoke to this at HITRUST15 and mentioned that the actual numbers of affected patients may be much lower than the 80 million reported.
Are you now less concerned about privacy breaches, based on my assertion that it’s most likely meta data and not private diagnoses that are being stolen?
It may depend on your point of view. A recent article in the WSJ reported on this topic from the perspective that meta data can be used to bill for procedures. For example, the sensationalist case of a patient with a foot amputation bill and both feet still firmly attached. This is of course a legitimate concern, though the idea that health records are pristine vaults of clean data prior to such alteration is somewhat facile. Healthcare data is, by it’s very nature and the nature of the ecosystem in which it lives, inherently messy and in need of reconciliation with the patient.
We should all read out benefit statements to ensure what’s billed matches our recollection!
In many of these cases it’s the identity theft that is the true damage, and although HIPAA privacy laws seek to protect all patient data, they do need to protect different forms of patient data in different ways.
When I consider who I most want to not share meta data with, it’s not my immediate friends or family, or even those acquaintances I might meet on the physical (or virtual) street. It’s that odd aunt, the nosey lady down the street, closely followed by my employers, insurance companies, or depending on your political views, the government and associated political bodies who seem most likely to misuse my data. Do they need to know I was a patient at a cancer center? Probably not.
Perhaps I’m being too European in my views on privacy. Some American voices such as John Halamka of Beth Israel Medical center have called for a different approach, choosing to make their data public, arguing that any social stigma is minor in contrast to the advantage of sharing information that could potentially help us improve the health of populations as a whole.
John has shared data which does contain some personal information, but not data concerning mental health or substance abuse data that is potentially more intimate. I applaud this approach, and through my affiliation with “Patients Like Me” I’ve tried to do my part in a limited, and less publicly identifying way.
I find my views on privacy are not absolute, but rather exist in a continuum that correlates to my life and mood. Pain can certainly make me considerably less concerned about privacy. I also doubt that the views I hold in my 40s will persist to my 70s as so much can change in thirty years.
To conclude, losing meta data does matter to me, but perhaps less than losing a diagnosis of a stigmatizing disease might. It’s just identity theft in another form, and I can detect it by reading my benefit summaries in the same way I can detect credit fraud by reading my bills. There’s certainly a great opportunity for companies moving into benefits statement monitoring here!
What I would like to see is a system whereby the impact of healthcare breaches upon my privacy is more cleanly delineated. Segregating data into “clinical” and “administrative” reporting categories to match diagnostic and meta data classes would be a great start.
After all, losing one’s credit card data really isn’t the same as being publicly revealed as the bearer of a nasty health condition, because once that information is “out” there’s no way to recall or recover from the damage caused.