I attended and presented at the 3rd International Summit on the Future of Health Privacy (Summit), held June 5 to 6. The focus of this year’s Summit was “The Value of Health Data vs. Privacy — How Can the Conflict Be Resolved?” The Summit was presented by the Patient Privacy Rights organization, a non-profit founded in 2004 by Dr. Deborah Peel.

There were many interesting speakers and panels, but I want to flag one in particular, as the information presented came as astonishing news to many of the Summit attendees.

Dr. Latanya Sweeney, Director of the Data Privacy Lab at Harvard, has been working on a project titled “DataMap (TM)”.  This project helps consumers know where their health information is going and maps the flows of personal health data between and among organizations.  Her project is still underway so the results are still in the preliminary stages. Her co-presenter was Jordan Robertson, a technical reporter for Bloomberg News.  Mr. Robertson ran a series of articles in 2012 on health care security and privacy issues.  One of those articles was titled “As Health Records Go Digital, Where They End Up Might Surprise You.” (June 5, 2012).

Dr. Sweeney and Mr. Robertson began collaborating on further research and articles, and here are their findings:

  • State health care agencies are exempt from the privacy and security rules formulated under the “Health Insurance Portability and Accountability Act” (HIPAA);
  • 33 State health care agencies sell or give away personal health data;
  • 26 States use privacy and security protections that are less strict than the HIPAA standards when selling or giving away patients’ health data.

Mr. Robertson wrote an article based on the June 5, 2013 presentation he and Dr. Sweeney gave at the Summit. In that article, he explained that patients’ health information that’s shared usually has 18 key identifiers removed under the HIPAA standard known as “safe harbor.” When that “safe harbor” standard is used, it is difficult to link a patient’s name with his or her health record. But States that aren’t using this “safe harbor” method could be putting patients’ health information at risk. (www.businessweek.com; “States’ Hospital Data for Sale Puts Privacy in Jeopardy”; June 5, 2013).

I urge everyone to go to the website that Dr. Sweeney has created for this project (www.theDataMap.org). Look to see if your State is in either of the above-described categories. Again, Dr. Sweeney stressed that the DataMap project’s information is representative and not comprehensive. But I can tell you that the Summit’s participants were surprised and grateful to gain her insights and those of Mr. Robertson.

This is a significant health privacy issue and one of which we all need to be aware.