Hospital Patient Privacy Sacrificed as State Agency Sells or Gives Away Data
Technology Used by For-Profit Companies Strips Away Inadequate Layers of Security
Maybe you, like so many others, couldn’t get away on vacation this summer. Never mind. If you were a patient in a Texas hospital in the past ten years, the intimate details of your hospital stay made the trip for you. This could be your souvenir: “My hospital story went to Colorado, Arizona, California, New Jersey, Ohio, Tennessee, Washington, D.C., Dallas, Texas, and maybe my employer, and all I got was—heck, not even a T-shirt.”
Let’s say your spouse suffered a heart attack three years ago, was successfully treated at a Texas hospital, and today gratefully eats a Mediterranean diet. You might be surprised to learn that the intimate details of that hospital stay—not just the diagnosis, surgeries, and who paid the bill, but your spouse’s date of birth, gender, and address—were sold by the Texas Department of State Health Services (DSHS). The detailed story of that hospital stay now sits in computers across the country.
The data about hospital inpatients that DSHS collects and distributes is invaluable in public-health and medical research, such as a study of children with asthma in the Rio Grande Valley. But just as often it is non-physicians who use, sell, and re-sell hospital-patient data again and again, generating profit and imperiling personal privacy.
The same patient-data files are sold or given to trade groups, lobbyists, businesses, and even anonymous downloaders. All without your consent.
While the patient data is often privacy-protected by a method called “de-identification,” that method has been discredited by data-security experts. And patient data without that protection, data that includes patient date of birth, is available to those applicants whose research projects are approved by a DSHS review committee.
“I don’t want my medical information sold, and I don’t want it shared with businesses I don’t know about,” said Shirley Bottoms of Austin, whose hospital records are among those offered for sale by DSHS.
But as it stands now, patients have no say-so in what happens to information collected about their hospital stays.
DSHS collects detailed hospital-patient data from nearly every hospital in the state, as directed by law. The agency has sold or given away hospital patients’ data since 1999. That’s about 27,725,534 individual patient stays from 1999 through 2008, according to DSHS. These “Public Use Data Files” are available on the website of the DSHS Texas Health Care Information Collection Center for Health Statistics.
DSHS data sales violate privacy
“The wholesale invasion of families’ medical privacy and the surreptitious commercial use of their hospital-patient data, perpetrated by the Texas Department of State Health Services, is a shocking and appalling breach of people’s constitutional rights, protected by the Fourth Amendment to the U.S. Constitution, and an astonishing ethical breach,” said attorney Jim Harrington, director of the Texas Civil Rights Project, based in Austin.
Texas hospital-patient data for the years 1999 through 2003 are available at no charge. Data for the years 2004 through 2009 must be purchased, but the cost is minimal for a commercial user (more about that later).
The hospital-patient Public Use Data Files contain more than 200 fields of information, naming everything from your insurance coverage, or lack of it, to whether or not your stay included placement of a heart stent, “sterilization,” “abortion performed due to rape,” or a drug- or alcohol-related diagnosis, along with your surgeries, city, state, county, race, and ethnicity.
Buyers may order one of two versions of the hospital-patient files.
Research version—This version of the Public Use Data Files contains complete personal information including date of birth, age in years, and start and end dates of hospital care. To purchase data in the research file, applicants must describe their “research project,” identify themselves as one of 10 organization types (including university; managed care insurer; governmental entity; pharmaceutical, biotechnology or medical product firm; trade group or lobby; and research organization consultant), and select each data field they want. Each application is reviewed by a DSHS committee, which must approve it before the applicant can obtain the data.
As with all the other buyers and free downloaders, applicants must also agree to keep the data confidential.
Until sometime after August 2, 2010, the patient’s street address was available, according to the DSHS research-data application then posted to the DSHS website. The current application forms, however, have removed the patient’s street address, substituting “census block” in its place.
The DSHS research application forms continue to offer a patient’s zip code, state, and county.
De-identified version—For this version DSHS has removed some but not all personal information, in a privacy protection process called de-identification. DSHS removes the patient’s dates of admission and discharge from the hospital, but leaves in diagnoses, surgeries, and payment information. The patient’s gender and full zip code appear in most cases. All the free downloads are de-identified.
A five-year age range is substituted for the patient’s exact age (some children’s ages appear in shorter ranges, such as “1-4,” “15-17”) and the street address is removed. Patient county, state, race and ethnicity are listed.
Social Security numbers do not appear in any version of the Public Use Data Files, and an alphanumeric identifier replaces a patient’s name, according to DSHS.
Data-security experts say de-identification is inadequate and leaves personal data vulnerable.
In fact, the inadequacy of this method has been reported in journals and the news media for years, while the Texas patient data continued to stream out. DSHS is not alone in using de-identification for medical data; the Health Insurance Portability and Accountability Act of 1996 (HIPAA) also describes de-identification as a method for protecting personal medical information.
As an example of de-identification, for a patient at a small community hospital where few other patients share the same diagnosis, the last two digits of the patient’s zip code would be removed.
“The idea is to suppress the data where there are small numbers involved and to bring larger pieces of data together so that no individuals can be identified using the Public Use Data File,” Assistant DSHS Press Officer Chris Van Deusen said in an e-mail.
“Patient privacy is something we take very seriously,” added Van Deusen, “and protecting a patient’s confidential information is our top priority in managing the discharge data.”
But data-security experts say de-identification doesn’t fully protect patient privacy.
For several years now, data-security experts have punched holes in de-identification as a protector of personal information. Their discrediting of that method has been reported in news media including The New York Times at least as far back as 2006.
These experts have re-identified a significant number of people in de-identified data files by comparing them with other data files. And they can match data to individuals in many cases because so many small bits of personal information have already been collected elsewhere.
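The zip-code suppression rule described above, and the linkage matching the experts describe, can both be checked mechanically. The following Python is an added example, not code from DSHS or from this article: it counts how many records share each combination of the quasi-identifier columns the article names (zip, age range, gender, county) in a constructed, fictitious discharge file, applies the “drop the last two zip digits for small groups” rule, and shows which records someone holding a few already-known facts about one patient could still single out. Column names and sample rows are assumptions made for the example.

```python
"""Re-identification risk check for a de-identified discharge file (added example)."""
import csv
import io
from collections import Counter

# Constructed, fictitious sample. Column names are assumed for this example;
# they mirror the kinds of fields the article says the de-identified file keeps.
SAMPLE_CSV = """zip,age_range,sex,county,diagnosis
78701,45-49,F,Travis,heart attack
78701,45-49,M,Travis,asthma
78701,45-49,F,Travis,hip fracture
78702,45-49,M,Travis,pneumonia
78704,30-34,F,Travis,asthma
78704,30-34,F,Travis,appendicitis
79901,70-74,M,El Paso,stroke
75001,15-17,M,Dallas,asthma
"""

# Fields that are not names but can be matched against other data sets.
QUASI_IDENTIFIERS = ("zip", "age_range", "sex", "county")


def load_records(text):
    """Parse the CSV text into a list of dicts, one per hospital stay."""
    return list(csv.DictReader(io.StringIO(text)))


def _key(record, qids):
    return tuple(record[q] for q in qids)


def equivalence_classes(records, qids=QUASI_IDENTIFIERS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(_key(r, qids) for r in records)


def k_anonymity(records, qids=QUASI_IDENTIFIERS):
    """Smallest group size; k == 1 means at least one stay is unique on the QIDs."""
    classes = equivalence_classes(records, qids)
    return min(classes.values()) if classes else 0


def unique_records(records, qids=QUASI_IDENTIFIERS):
    """Stays that no other record in the file matches on the quasi-identifiers."""
    classes = equivalence_classes(records, qids)
    return [r for r in records if classes[_key(r, qids)] == 1]


def generalize_zip(records, k, qids=QUASI_IDENTIFIERS):
    """The article's rule: where fewer than k stays share a QID combination,
    replace the last two zip digits (78701 -> 787**). Returns new dicts."""
    classes = equivalence_classes(records, qids)
    out = []
    for r in records:
        r = dict(r)
        if classes[_key(r, qids)] < k:
            r["zip"] = r["zip"][:3] + "**"
        out.append(r)
    return out


def linkage_matches(records, known, qids=QUASI_IDENTIFIERS):
    """Records consistent with facts already known about one person
    (e.g. from a public roll). Exactly one match means the stay is re-identified."""
    return [r for r in records if all(r[q] == known[q] for q in qids if q in known)]


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print("k before generalization:", k_anonymity(recs), "unique:", len(unique_records(recs)))
    gen = generalize_zip(recs, k=2)
    # Truncation merges the two Travis County men aged 45-49, but the lone
    # El Paso and Dallas stays stay unique, so the file is still not 2-anonymous.
    print("k after zip truncation:", k_anonymity(gen), "unique:", len(unique_records(gen)))
    print("matches for a known 70-74 male in 79901:",
          linkage_matches(recs, {"zip": "79901", "age_range": "70-74", "sex": "M"}))
```

Running it shows that zip truncation alone leaves two of eight stays unique: generalizing one field does not bound re-identification risk when the remaining quasi-identifiers still single a record out.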
Why do it? There’s money to be made in gathering and selling medical and personal information. Data brokers find medical information especially profitable.
What about the version with exact personal info?
The research version isn’t restricted to, say, physicians and hospitals alone. It’s available to lobbyists, trade groups, private businesses, governmental agencies, and universities, as well.
One group that DSHS approved in 2009 to buy the unrestricted research version of hospital-patient data was the lobby and trade group America’s Health Insurance Plans (AHIP), which represents the nation’s major health insurers. AHIP’s website describes it as a “national association representing nearly 1,300 member companies providing health insurance coverage to more than 200 million Americans.”
Other data purchasers (of either the research or the de-identified versions) include GE, active in the electronic medical records industry, and Abt Associates Inc., a Maryland-based company that, among other activities, runs background checks for the federal SENTRI program (Secure Electronic Network for Travelers Rapid Inspection) at the U.S.-Mexico border.
Austin psychiatrist and privacy advocate Deborah Peel, M.D., calls such data sales a “huge research loophole” derived from federal regulations set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
“The HIPAA research loophole allows any entity doing ‘research’ to be able to use patient data without consent,” Peel said, in an e-mail. “‘Research’ is not defined in HIPAA or other regulations.”
DSHS Texas Health Care Information Collection and state law
The Texas Health and Safety Code regulates the Texas Health Care Information Council and sets forth the provisions for dissemination, confidentiality, and general access to hospital discharge data in the Public Use Data File.
Section 108.013 of the code specifically prohibits the release of or access to any data “that could reasonably be expected to reveal the identity of a patient.” Confidentiality violations include criminal penalties. The code even states that data on patients, and compilations that are produced from data that identify patients, are not subject to discovery, subpoena, or other means of legal compulsion for release to any person or entity except as provided by the code, and such data is not admissible in any civil, administrative, or criminal proceeding.
On the other hand, the code states that “subject to specific limitations established by this chapter and council rule, the council shall make determinations on requests for information in favor of access.”
How to get Texas hospital-patient information
Texas hospital-patient data is available from the Texas Department of State Health Services (DSHS) through its website for the Texas Healthcare Information Collection Center for Health Statistics.
According to DSHS spokesman Van Deusen, between January 2009 and July 2010, buyers paid to download 916 quarter-years of the hospital-patient Public Use Data Files years 2004 to 2009.
They paid $4,600 per year, or $1,400 per quarter, for the years 2007–2009, according to the data order form. For years 2004–2006, buyers paid $525 per quarter. All buyers also paid DSHS a processing fee of $100 per quarter-year of data. (Hospitals receive discounts.)
But downloaders of the state’s free hospital-patient Public Use Data Files remain anonymous. The free, de-identified files are those covering the years 1999 through 2003.
Van Deusen wrote in an e-mail that, during those same 19 months (January 2009 to July 2010), the free hospital-patient data files, years 1999 through 2003, were “accessed 963 times.” Van Deusen cautioned that in the case of the free records, “We can’t say for sure that they were downloaded each time they were accessed.”
“The problem is, once this gets out, there’s no way to know where it went forever,” said Deborah Peel, when asked to comment on the state’s data downloads. Peel leads Patient Privacy Rights, a foundation that’s part of the Coalition for Patient Privacy she founded in 2006. The coalition describes itself as “a bipartisan network of state and national organizations and health IT corporations working to restore our right to control access to our sensitive health records.”
“There is no control over any third-party use,” Peel said.
“A lot of insurers sell our data,” said Peel, who has testified before Congressional committees on the loss of medical-records privacy. “Blue Cross Blue Shield—Blue Health Intelligence is the name of their entity that does it; GE is in the electronic health record business and sells the data. They say it’s ‘de-identified’ but it’s virtually impossible to de-identify and anonymize health care info. We’ve never seen the formula for that yet.”
There are no federal laws against re-identifying data, Peel said.
Who buys the DSHS hospital-patient data?
Buyers of the 2004–2009 hospital-patient Public Use Data Files include trade groups, lobbyists, health insurers, and businesses.
An Open Records request seeking information on who bought Texas hospital-patient data from January 1, 2009, through April 1, 2010, produced a wide-ranging list of customers. Among the 98 buyers listed, along with Texas health care institutions like the Texas A&M Health Science Center and Midland Memorial Hospital, appeared others, including:
3M Health Information Systems of Silver Spring, Maryland
Abt Associates of Bethesda, Maryland
America’s Health Insurance Plans of Washington, D.C.
Blue Cross Blue Shield of Texas of Richardson, Texas
Data Advantage LLC of Hermitage and Louisville, Kentucky
Econ One Research Inc. of Los Angeles, California
Fundamental Clinical Consulting, LLC of North Richland Hills, Texas
Health Info Technics LLC of Brentwood, Tennessee
Ingenix of Westerville, Ohio
Intellimed International Corporation of Phoenix, Arizona
McKinsey & Company of Florham Park, New Jersey
MedAssets Inc. and Aspen Healthcare Metrics, a MedAssets company, of Englewood and Centennial, Colorado
Medtronic Inc. of Mounds View, Minnesota
Premier Inc. of Philadelphia, Pennsylvania
Sanofi Pasteur, the vaccines division of Sanofi-Aventis Group, a pharmaceutical company based in Lyons, France
Here are brief descriptions of three of these data purchasers:
Data Advantage—According to the company’s website, Data Advantage “provides ‘Business Intelligence for Healthcare’ to healthcare executives, clinicians, suppliers, consultants and analysts. …Since 1992, thousands of customers have relied on Data Advantage to provide independent, transparent and objective business intelligence to make the right decision every time.”
Data Advantage offers custom-made databases: “We are able to design reports from any of our data sets, or we can integrate our data sets with any of your information.” One such data product is the company’s “State All Payer Hospital Inpatient Data. Data Advantage currently has this information from: Arizona, California, Florida, Maryland, Massachusetts, Nevada, New Jersey, New York, Oregon, Pennsylvania, Texas, Virginia, and Washington.”
3M Health Information Systems—This part of 3M is “a leading supplier of clinically-based computer systems and software for hospitals, health networks, managed care organizations and medical group practices. They offer comprehensive enterprise-wide patient care systems with decision support applications and are the foremost developer of coding, grouping and reimbursement software,” according to the company’s website. The website states they sell to “end users” but also distribute their products through “vendor relationships.”
America’s Health Insurance Plans—AHIP is the trade and lobby group for the country’s major health-insurance corporations. Based in Washington, DC, AHIP fought against health care reform measures in Congress. The group gained notoriety in 2009 when a New England newspaper discovered AHIP’s political-marketing consultant was in fact the author of numerous letters to the editor railing against health care reform. The letters were signed with the names of local citizens who, the newspaper learned, had not written the letters and objected to the use of their names without permission. This August, AHIP actively opposed the new health care reform requirement that health insurance companies spend 80 cents of every dollar they get in premiums to pay for patient care, as reported by the New York Times.
Recent AHIP members included State Farm Insurance, Wells Fargo, WellPoint (administers Blue Cross Blue Shield plans in many states), John Hancock Financial Services, Aetna, Aflac, USAA Life Insurance, and Cigna. According to the nonpartisan Center for Responsive Politics, AHIP spent more than $31 million on lobbying between 2005 and 2009.
Interestingly, AHIP bought the full “research” version of Texas hospital-patient data, ordering information including patient age, the start and end dates of the hospital care, and the “patient unique index” (a 10-character identifier DSHS describes as a “unique identifier assigned to the patient by THCIC”), according to information obtained through an open records request. In its application to DSHS, AHIP described its “research project” as studying whether Medicare Advantage (private insurance) plans are preferable to traditional Medicare (fee-for-service) coverage. In fact, this is an ongoing project for which AHIP has purchased several years of the Texas hospital-patient data.
AHIP members have long defended the additional federal payments they receive for their private Medicare Advantage plans. The plans cost more than the same services delivered through Medicare directly, health care reform advocates claimed. With the extra federal payments at stake, AHIP’s research might be considered biased.
Noting research that counters AHIP’s position, a 2008 New York Times editorial titled “Medicare’s Too Costly Private Plans” stated, “Private health insurance plans were supposed to bring better care and lower costs to elderly patients covered by Medicare. Instead they have increased the cost and complexity of the program without improving care, according to new analyses published by the respected journal Health Affairs. …Medicare currently pays the private plans—now called the Medicare Advantage program—13 percent more on average than the same services would cost in the traditional fee-for-service program.”
‘Monetizing’ your de-identified medical data
“The sale of protected health information for ‘research’ is actually a widespread form of fraud—and not just by the EHR, PHR, and HIT (terms for electronic health records) industries, but by the health insurance, pharmacy, analytics industries and others that sell data supposedly for research, but really for revenue, without telling shareholders or patients what they are up to,” said Deborah Peel, the Austin psychiatrist and privacy advocate.
Hospitals and physicians are eligible for $19 billion in federal stimulus funds to help them adopt electronic medical records by 2013. Many companies have rushed to provide them with software and storage services.
Some, like San Francisco-based Practice Fusion, offer free medical-records software (containing ads), and charge for an ad-free version.
Dell Inc. now partners with Practice Fusion, the companies announced this June, in providing doctors and hospitals their package of electronic health record software, off-site storage of patient medical records, plus hardware and support. The medical records stored by Practice Fusion and Dell then become a source of revenue through resales.
Cerner Corporation, which maintains electronic medical-record systems for 8,000 health care providers, offers free software, too, and sells its “vast warehouse” of de-identified medical records, according to an October 2009 report in The New York Times.
“How can healthcare software be free?” asked Chris Anderson (author of The Long Tail). In his 2009 book, Free: The Future of a Radical Price, Anderson’s answer, displayed in a bar chart representing one such company’s profits, shows that “Selling data can be more profitable than selling software.”
Anderson used Practice Fusion as an example of this business model, describing how, since 2007, Practice Fusion has resold the medical data pouring into its servers, while reassuring physicians that the data is, of course, “de-identified.” Many physicians do not know that de-identification does not fully protect patients’ privacy.
Anderson estimated that Practice Fusion’s sales of “research” data bring in $250 million annually. “Each chart (patient record, in health care terminology) can be sold multiple times for any number of studies being conducted by various institutions. If each chart generates $500, over time that revenue would be greater than if Practice Fusion sold the same 2,000 practices software for a one-time fee of $50,000,” Anderson wrote.
Just how important such “data monetization” is to the company was described in an ad that Practice Fusion placed this July on the Bay Area craigslist seeking a “Data Sales Manager.” The ad makes clear that Practice Fusion believes it owns the patient data it stores and is eager to “monetize” it.
Here are excerpts from that ad:
“The monetization of de-identified patient data contained in our EHR (electronic health records) is essential to our company’s success. Our patient data has exceptional potential in this regard because of the size and scope of the data we have, our large and geographically widespread user group, a well designed relational database from which it is easy to run queries, and most importantly, an EHR that users like.”
“The Data Sales Director will be responsible for developing and executing a plan to leverage this opportunity. To do this effectively, the candidate will need to be familiar with existing uses of such data and the entities who value the kinds of information and reports we can generate from the EHR. The candidate would have prior experience in this field, resulting in a deep understanding of the competitive landscape, pricing strategies and distribution channels for the data. Preferably, the candidate will have a proven ability to create and execute an aggressive data monetization strategy.”
Some of the customers are also described in the ad. The new manager will “work closely with the business development, marketing and account management teams to develop and implement a monetization strategy for de-identified patient data from our EHR; identify, approach, pitch and negotiate with prospective buyers of de-identified patient data, including pharmaceutical companies, medical device companies, insurance carriers, government entities, policy analysts and academic researchers; develop partnerships with analytics firms and data resellers as necessary to monetize the value of data in our electronic health record….”
And here’s what Practice Fusion expects the candidate to have done:
“At least 3-5 years of direct experience in health care data sales to either pharmaceutical companies, device companies, payers, government entities or other major purchasers of de-identified patient data (companies in this field include IMS Health, SDI Health, MedAssurant, Verisk and Cegedim Dendrite). Must be able to match market demands for de-identified data with our in-house data capabilities. Must be able to establish a fair market price for EHR data and negotiate effectively with buyers….”
Patient-records software companies donated to UT-Austin program
The collection, use, and storage of electronic patient information, from hospitals to doctors’ offices, is a fast-growing industry that needs a continuing stream of employees who know how to use new medical-records and practice-management software.
Six medical-record software manufacturers donated their products to a University of Texas “healthcare IT teaching lab” based at Austin’s University Medical Center Brackenridge. This UT Health Information Technology Summer Certificate Program graduated its first class of 54 this summer.
“The students were particularly effective because they had gained skills using six different electronic health record systems donated by industry partners, including Allscripts, eClinicalWorks, e-MDs Inc., GE Healthcare, NextGen Healthcare and Sage,” an August 27 UT press release stated.
“Our first graduates are really impressive,” Leanne Field, Ph.D., the program director, said in the press release. “They are entering a field that is rapidly growing and will only continue to gain importance as we move toward electronic health records across the country. The industry demand is very high.”
Employee medical info shared with employers?
Deborah Peel, the Austin psychiatrist and privacy advocate, said medical records can be used by employers to deny jobs and lay off employees. “There’s no law that prohibits an employer from looking at the health information of their employees if they are self-insured. And most corporations are self-insured.”
Further, “health insurers share information about you with the Medical Information Bureau (MIB Group Inc.), a private company.” MIB Group consists of about 470 U.S. and Canadian insurance companies. The MIB Group was formed originally to prevent fraud and abuse, Peel said, but now sells data as well.
But what about my consent?
But, wait, you say, don’t I have to give my consent to share my medical information with DSHS and these companies and researchers? Wasn’t that why I signed that HIPAA form in the doctor’s office a few years ago?
Yes, HIPAA originally did require your consent to share your medical information. But Bush administration officials quietly removed the original consent requirement from HIPAA in 2003. Since then, no one needs your consent to see or even sell your records, Peel said.
Fortunately, data experts say we do have the ability to secure the confidentiality of electronic forms of personal health information. Two steps must be taken, they advise: encryption of the data, and tight control over who has access to it.
Privacy advocates like Peel promote adoption of an “opt-in, opt-out” alternative in which people decide who gets their medical information and for what purposes.
One step toward regaining control of your medical information, Peel said, is a new consumer tool created with the passage of the federal stimulus bill. Using the new “accounting of disclosures” form, consumers can now get a list of where their medical information went for three years past.
The new tool is a result, Peel said, of efforts by a Congressional coalition in which her group participated, the bipartisan Coalition for Patient Privacy, which claims to represent about 10 million Americans.
The free consumer Patient Privacy Toolkit is available at www.patientprivacyrights.org. While you’re there, Peel urges, please consider signing the group’s “Do Not Disclose” petition, a step toward regaining control of personal medical data.
Attorney Jim Harrington of the Texas Civil Rights Project believes the DSHS should never have released the patient-data files and that the department’s data sales and giveaways violate Texans’ Constitutional rights. Harrington called for the DSHS to give control of medical information back to Texans.
“No government agency should ever have such total control over a person’s DNA or genetic or medical information, even if it is de-identified, without their consent or a court order,” Harrington said in an e-mail.
“That’s the premise underlying many of the protections under the Bill of Rights. De-identification isn’t fail-safe, by any means. And using that process is not an exception to the Fourth Amendment or a justification for TSDHS to violate people’s privacy,” Harrington said. “The choice to participate is an individual’s, not the department’s.”
This Investigative Report was made possible by contributions to The Austin Bulldog, which operates as a 501(c)(3) nonprofit. The Austin Bulldog has many other investigative projects waiting to be funded. You can bring these investigations to life by making a tax-deductible contribution.