Patient Healthcare Privacy Invasion Promoted by the Federal Government – Part V – Privacy Invasion by Health Information Exchanges – Addendum added 12/20/2017

Some Background on Health Information Exchanges

Private, federal and state Health Information Exchanges (HIEs) have been evolving for over 20 years. Initially there were not many of them; they were often given seed money by the federal government, and they often failed, but now most are holding on if not thriving. There are usually two basic HIE types. One type is like a telephone book, which will tell you where you can find information about a patient, and the other type is a data repository that contains the healthcare information about a patient in a database.

The National Health Information Network

There is a federal health information exchange network called the NHIN (National Health Information Network) that generally connects those seeking information about patients to resources, including both types of exchanges, hospital systems and even some physicians' offices. The NHIN itself currently does not store patient health information other than which providers patients have seen, where their data may be found, if the patient provides permission for that information to be revealed. Also, the entities that have gone through the arduous process of joining the NHIN are generally large organizations like the Department of Veterans Affairs and Kaiser Permanente.

How are Health Information Exchanges Funded

Many exchanges that have been set up by states are at least partially funded by states, and both state HIEs and others have developed creative ways to fund themselves. This includes at least one state with an HIE that is partially funded by insurance companies. Although health insurers generally do not have access to the results of tests, only the claims data, the Kansas state HIE, called a “Patient Portal”, grants access to everything stored on a patient, justifying it by saying “Because payers have access to the health information of their members, they also pay to support it”. (http://www.medscape.com/viewarticle/876077) Also in Kansas, “Blue Cross Blue Shield provides a 6% incentive payment to any doctor or hospital on any claim they make if they are contributing data to the health-information exchange”. Kansas also charges a subscription fee. (http://www.medscape.com/viewarticle/876077) Many HIEs sell “de-identified” data to researchers and commercial entities. Maryland does not sell patient data but does charge a fee for evaluating requests.

Why HIEs are a threat to Privacy

As previously discussed, there are standards for de-identification of data, governed by HIPAA and specified in the early 2000s. There were protests that the de-identification was not sufficient, most notably by Latanya Sweeney from Harvard, which resulted in the de-identification being made a little better, but in this era of big data there is still sufficient data to re-identify most information.

At least one state makes the de-identified data available for anyone to see online. Harvard students Becina Ganther, Harshita Gupta and Alexandra Thaler, working with research assistant Ji Su Yoo, recently demonstrated that by using just newspaper articles and an open Vermont database, they were able to re-identify patients. Compared to the data available to insurers and data aggregators, they had very little information to work with, yet they were able to re-identify patients. There is a video of their talk given at the 2017 Patient Privacy Rights summit here: https://pprmedia.streaming.mediaservices.windows.net/c952ce64-f78f-4cc1-a847-034c94eba096/07-2017HPS-Session3a-StateHealth_480x272_500.mp4
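A data custodian can measure this risk before release by counting how many records share each combination of quasi-identifiers (a k-anonymity audit). The following is an added example, not part of the original post: the records, field names and the choice of quasi-identifiers are constructed for illustration and do not come from any real HIE or state database.

```python
from collections import defaultdict

# Constructed sample of a "de-identified" extract (no names, no record numbers).
# All field names and values are hypothetical.
RECORDS = [
    {"id": 1, "age_band": "30-39", "sex": "F", "zip3": "054", "admit_month": "2016-03"},
    {"id": 2, "age_band": "30-39", "sex": "F", "zip3": "054", "admit_month": "2016-03"},
    {"id": 3, "age_band": "30-39", "sex": "F", "zip3": "054", "admit_month": "2016-07"},
    {"id": 4, "age_band": "60-69", "sex": "M", "zip3": "056", "admit_month": "2016-07"},
    {"id": 5, "age_band": "60-69", "sex": "M", "zip3": "056", "admit_month": "2016-11"},
    {"id": 6, "age_band": "60-69", "sex": "M", "zip3": "057", "admit_month": "2016-11"},
    {"id": 7, "age_band": "30-39", "sex": "F", "zip3": "054", "admit_month": "2016-07"},
    {"id": 8, "age_band": "80-89", "sex": "M", "zip3": "057", "admit_month": "2016-01"},
]

# Fields an outside party could plausibly learn from public sources.
QUASI_IDENTIFIERS = ("age_band", "sex", "zip3", "admit_month")


def audit(records, quasi_ids, k):
    """Group records by quasi-identifier values and flag groups smaller than k."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec["id"])
    at_risk = sorted(i for ids in classes.values() if len(ids) < k for i in ids)
    return {
        "k_achieved": min(len(ids) for ids in classes.values()),
        "at_risk_ids": at_risk,
        "at_risk_fraction": len(at_risk) / len(records),
    }


def generalize(records):
    """Coarsen the release: admission month -> year, 3-digit ZIP -> 2-digit prefix."""
    return [
        {**r, "admit_month": r["admit_month"][:4], "zip3": r["zip3"][:2] + "*"}
        for r in records
    ]


if __name__ == "__main__":
    print("as released:", audit(RECORDS, QUASI_IDENTIFIERS, k=2))
    print("generalized:", audit(generalize(RECORDS), QUASI_IDENTIFIERS, k=2))
```

In this sample, half the records are unique on four ordinary fields as released; coarsening dates and geography shrinks that to one outlier, which would still need to be suppressed or generalized further before release.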

Can patients Opt-Out of having their data in an HIE?

This varies from HIE to HIE. Maryland is proud that it allows patients to opt out of giving physicians access to review their data. However, patients have no control over whether their data is uploaded by their physicians to the HIE. If Maryland physicians wish to view data on any patient in the state HIE, as requested by their patients, they can only get permission to view any data at all if they agree to upload the data on ALL of their patients to the state HIE. All hospitals are required by state law to upload their patients’ data to the HIE. In addition, to the best of my knowledge, patients who exclude their data from being reviewed by physicians cannot exclude their data from that released for research purposes. Correction: I spoke to someone at a recent Maryland state medical society meeting (MedChi) I attended and was told that if a patient opts out of making their data available to physicians on the HIE, their data becomes invisible, even for release for research.

In short …

In short, most HIEs are a significant threat to the privacy of those who do not wish to share their health information, as the data will be shared “de-identified” with a very high probability that it can be re-identified.

Nancy Anthracite, MD

ADDENDUM:

12/20/2017

Here is a link where the Aussies figured out how big data was being used to re-identify de-identified data that was released by the government, and they decided to do something about it. Here in the US, for the most part, there are very few people talking about it or doing anything about it, even though it is going on behind closed doors and making companies, and undoubtedly the politicians’ coffers, lots of money. The so-called “promise of big data” is so attractive that nobody wants to take a chance the public will get up in arms about this and stop the flow. Health Information Exchanges’ and Health & Human Services’ release of data is essentially the same. So is all of the release of data mentioned in all of the posts.

https://pursuit.unimelb.edu.au/articles/the-simple-process-of-re-identifying-patients-in-public-health-records