HACKING HIPAA: "BEST PRACTICES" FOR AVOIDING OVERSIGHT IN THE SALE OF YOUR IDENTIFIABLE MEDICAL INFORMATION.
Date | 22 September 2020 |
Author | Omar, Riyad A. |
I. INTRODUCTION
II. HIPAA'S HEARTBEAT: WHY HIPAA PROTECTS IDENTIFIABLE PATIENT INFORMATION
III. TAKING THE "I" OUT OF IDENTIFIABLE INFORMATION: HIPAA'S REQUIREMENTS FOR DE-IDENTIFIED HEALTH INFORMATION
  A. Defining Information that Does Not Need to be Protected by HIPAA
  B. The Inherent Dangers of Identification Codes and HIPAA's Safeguards Against Them
  C. Removing Indirect Identifiers
  D. When De-Identified Information is Unsuitable for a Research Study
IV. ANATOMY OF A HACK: METHODS FOR LABELING IDENTIFIABLE INFORMATION "DE-IDENTIFIED"
  A. Overview of Permissive "De-Identification Guidelines"
  B. Concepts and Methods for De-Identifying Clinical Trial Data
  C. Step 2: Mask (Transform) Direct Identifiers
  D. Step 3: Perform Threat-Modeling
  E. Step 5: Determine the Re-Identification Risk Threshold
  F. Step 7: Evaluate the Actual Re-Identification Risk
V. PROTECTING UN-PROTECTED HEALTH INFORMATION
  A. Do Permissive "De-Identification Guidelines" Adhere to HIPAA's Requirements?
  B. Do Permissive "De-Identification Guidelines" Encourage Healthcare Organizations to Disregard HIPAA's Requirements?
  C. Are Permissive "De-Identification Guidelines" Being Utilized by Healthcare Organizations in Lieu of HIPAA's Requirements?
  D. Do Permissive "De-Identification Guidelines" Provide an Effective Data Protection Alternative to HIPAA's Definition of De-Identified Information?
  E. The Elephant in the Room
VI. CONCLUSION

I. INTRODUCTION
"Your medical data is for sale - all of it." (1) This warning comes from Adam Tanner, of Harvard's Institute for Quantitative Social Science, who has published extensively on the topic of the business of selling medical records. (2) When you visit your doctor, you may think "I'm telling my doctor my most intimate medical secrets, and only my doctor knows about it." (3) Frequently, however, your medical records are being sold, (4) including your "[p]rescription records, blood tests, doctor notes, hospital visits and insurance records." (5)
This is a big business. Three-quarters of all retail pharmacies in the U.S. (6) sell their patients' prescription records and healthcare information, as do major health insurers, such as UnitedHealth, Anthem and Blue Cross Blue Shield. (7) Your medical records are often sold to data brokers who consolidate them into a comprehensive profile about you. One data broker, for example, boasts of having "500 million comprehensive, longitudinal anonymous patient records" sourced from "over 100,000 data suppliers." (8) Another advertises the ability to create "healthcare journeys" (9) about patients from a "collection of claims data for 280 million patients." (10) A New York City-based start-up claims to possess, as of the date of this writing, 29 billion lab records of 250 million patients sourced from leading national clinical labs, such as LabCorp and Quest Diagnostics, as well as oncology and genetic testing labs. (11) A San Francisco-based start-up claims to have a "health map" that "links 150 complete real-time datasets for more than 320 million patients." (12)
These profiles allow data brokers to track your diagnoses, prescriptions, lab tests and more, as you interact with the healthcare system. Brokers advertise their ability to create "patient journeys," (13) fine-tuned enough that if you visit a CVS in Cleveland one day, and a Walgreens in Miami the next, or visit different doctors in those cities, the broker will know. (14) Data brokers seeking to downplay the risks to patient privacy may refer to a patient's medical records as a "byproduct," "exhaust," or an "asset" of the healthcare organization to be sold. (15) But this "exhaust" is the medical records of millions of patients, containing the categories of sensitive information one reasonably expects in medical records. Brokers can not only track a patient's use of prescription drugs, but also glean "insights" about that patient from sensitive portions of his medical history, such as his psychiatric history, substance dependency, STDs or history of physical or sexual abuse.
Under the Health Insurance Portability and Accountability Act of 1996 and its data protection regulations (collectively referred to hereinafter as HIPAA), (16) it is illegal for a healthcare organization (17) to sell a patient's (18) medical information without first obtaining the patient's written authorization. (19) Healthcare organizations and their data brokers may be seeking to bypass HIPAA's prohibition by describing the patient medical information they transact in as "anonymized" or "de-identified." Such assertions, however, are rarely - if ever - verified by regulators or independent standards-setting bodies.
This lack of oversight may be coming at a price paid by patients who lose their privacy in the process. "Data scientists," Tanner notes, can link these patient profiles with consumer profiles "with a surprising degree of accuracy." (20) This is a natural consequence of the fact that once enough information has been added to a patient's profile, a broker will eventually be able to identify that patient. Prominent security researcher Ross Anderson noted this phenomenon when evaluating a proposal for creating a database of Iceland's medical, genealogy and genetic data. (21) In examining the proposal, Anderson noted that "it is effectively impossible to de-identify... records... which link together all (or even many) of the health care encounters in a patient's life." (22) "For this reason," Anderson concluded, "a database of [such] medical records must be considered to be personal health information." (23)
Despite the red flags, observers often acquiesce to the notion that these large volumes of sensitive medical information are "de-identified" in accordance with HIPAA's requirements. Tanner, for example, summarizes his belief that "IMS and other data brokers are not restricted by medical privacy rules in the U.S., because their records are designed to be anonymous": (24)
"On the surface, it might seem impossible for a data miner to link anonymized information about a patient from separate sources--CVS at home in Cleveland today, but at Walgreens while on vacation in Miami Beach next month--or from different doctors in these cities. Yet data miners are able to match these files by getting pharmacies, insurers, testing labs, electronic health record systems, and other suppliers to all install the same de-identification software (for which they compensate the data suppliers). This software removes the personal details for each individual--such as name, address, telephone number, and Social Security number--but assigns that person the same anonymous patient identification key across all locations using that de-identification system. 'If they install that de-ID engine at every source and it has the same algorithm, that means everyone with the same PHI (personal health information) will get the same IMS patient key,' says Mark Degatano, who has advised IMS Health and worked at rival data miner Symphony Health. The 'De-ID engine' allows data miners to assemble a patient dossier with thousands of data points spanning back years. The file does not include a name, but lists age and gender, as well as what section of Cleveland she lives in." (25) This process, Tanner concludes, complies with HIPAA because "[HIPAA] governs only the transfer of medical information that is tied directly to an individual's identity." (26)
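The "de-ID engine" Tanner describes is easy to model, and modelling it shows why the shared key is what makes the linkage work and why the output is not anonymous. The Python below is an added example written for this edit; it is not the code of IMS Health, Symphony Health or any real de-identification product. The key derivation (an HMAC over normalized name, date of birth, gender and SSN, using a key shared by every installation), the record fields, the release year and the sample records are all constructed assumptions for illustration; the names and SSNs are fictitious.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Assumed shared secret: the same engine, algorithm and key are installed at every
# data supplier (a modelling assumption; real engines are proprietary).
ENGINE_KEY = b"shared-deid-engine-key-2020"

# Fields the engine strips entirely from what it emits.
DIRECT_IDENTIFIERS = ("name", "address", "phone", "ssn", "dob")
# Fields fed into the key, so identical PHI at different sources maps to one key.
KEY_FIELDS = ("name", "dob", "gender", "ssn")
RELEASE_YEAR = 2020  # assumed year of the release, used to turn DOB into age

# Constructed sample feed: two fills by one patient at pharmacies in different
# cities (formatted differently by each supplier), plus two other patients.
SAMPLE_RECORDS = [
    {"source": "CVS Cleveland", "name": "Jane Q. Doe", "dob": "1978-03-14", "gender": "F",
     "ssn": "123-45-6789", "address": "1 Main St, Cleveland OH", "phone": "216-555-0100",
     "area": "Cleveland-West", "drug": "sertraline"},
    {"source": "Walgreens Miami Beach", "name": "JANE Q DOE", "dob": "1978-03-14", "gender": "F",
     "ssn": "123456789", "address": "1 MAIN ST CLEVELAND OH", "phone": "(216) 555-0100",
     "area": "Cleveland-West", "drug": "azithromycin"},
    {"source": "CVS Cleveland", "name": "John Roe", "dob": "1968-07-02", "gender": "M",
     "ssn": "987-65-4321", "address": "5 Elm St, Cleveland OH", "phone": "216-555-0199",
     "area": "Cleveland-East", "drug": "metformin"},
    {"source": "CVS Cleveland", "name": "Mary Poe", "dob": "1978-11-30", "gender": "F",
     "ssn": "555-12-3456", "address": "9 Oak St, Cleveland OH", "phone": "216-555-0142",
     "area": "Cleveland-West", "drug": "lisinopril"},
]


def normalize(value):
    """Canonicalize PHI so supplier formatting differences do not change the key."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def patient_key(record):
    """Deterministic pseudonymous key: same PHI in, same key out, at every installation."""
    material = "|".join(normalize(record[f]) for f in KEY_FIELDS).encode()
    return hmac.new(ENGINE_KEY, material, hashlib.sha256).hexdigest()[:16]


def deidentify(record):
    """What the engine emits: direct identifiers removed, age kept, key attached."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age"] = RELEASE_YEAR - int(record["dob"][:4])
    out["patient_key"] = patient_key(record)
    return out


def build_release(records=None):
    """Run every supplier record through the engine."""
    return [deidentify(r) for r in (SAMPLE_RECORDS if records is None else records)]


def assemble_dossiers(release):
    """What the broker does: join every supplier's output on the shared key."""
    dossiers = defaultdict(list)
    for r in release:
        dossiers[r["patient_key"]].append(r)
    return dict(dossiers)


def singled_out(release, quasi_identifiers=("age", "gender", "area")):
    """Keys whose (age, gender, home area) combination is unique within the release.
    Anyone who knows those three facts about a person can pick out that dossier;
    the 'anonymous' key offers no protection against that."""
    per_key = {r["patient_key"]: tuple(r[f] for f in quasi_identifiers) for r in release}
    counts = Counter(per_key.values())
    return sorted(k for k, q in per_key.items() if counts[q] == 1)


if __name__ == "__main__":
    release = build_release()
    for key, recs in assemble_dossiers(release).items():
        print(key, [(r["source"], r["drug"]) for r in recs])
    print("singled out by quasi-identifiers:", singled_out(release))
```

Running it, the Cleveland and Miami Beach fills collapse into one dossier because the engine canonicalizes the PHI before keying it, which is exactly the cross-source matching Tanner's sources describe. The `singled_out` check is the part a practitioner should care about: it counts how many dossiers are already unique on the demographics the release keeps (age, gender, home area), before any clinical history is considered, which is the sense in which a key-linked longitudinal record is identifiable even with the name removed.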
Tanner's synopsis of HIPAA, however, is incorrect. HIPAA's protections have never been limited to information that is "tied directly to an individual's identity." On the contrary, HIPAA's protections have always applied to "any information... [with respect to which there is a reasonable basis to believe]... can be used to identify a patient." (27) Simply removing your direct identifiers (such as your name, telephone number, address or social security number) from your medical records has never been viewed as sufficient to allow your doctor to sell your medical records. As noted by Judge Posner when considering whether the medical records of forty-five women who had received abortions were adequately protected because their direct identifiers had been "redacted":
"Some of these women will be afraid that... persons of their acquaintance, or skillful 'Googlers,' sifting the information contained in the medical records concerning each patient's medical and sex history, will put two and two together, 'out' the 45 women, and thereby expose them to threats, humiliation, and obloquy. As the court pointed out in Parkson v. Central DuPage Hospital... 'whether the patients' identities would remain confidential by the exclusion of their names and identifying numbers is questionable at best. The patients' admit and discharge summaries arguably contain histories of the patients' prior and present medical conditions, information that in the cumulative can make the possibility of recognition very high." (28) In addition to including much of a patient's medical history, such as a patient's medical appointments, care plans, medical claims, medications, lab and radiology tests and results, history of psychiatric care, pregnancy care and dietary services, (29) medical records also often include a lot of demographic information that "in the cumulative can make the possibility of recognition very high," such as the patient's date of birth, gender, geography of residence, languages spoken and marital status, (30) as well as the patient's birth place, adoption information, citizenship, nationality, disabilities, religion and places of religious congregation. (31) They may also include demographic information and medical histories of the patient's family members, including family members' ages, locations and medical conditions. (32)
HIPAA recognizes this reality by protecting medical records that describe aspects of your life that can be used...
COPYRIGHT GALE, Cengage Learning. All rights reserved.