“I’ve Given Up on the Idea of Privacy”

data goes somewhere, and it's valuable to someone. Welcome to Prognosis, Bloomberg's podcast about the intersection of health and technology and the unexpected places it's taking us. I'm your host Michelle fay Cortes. The amount of health data is increasing fast, from medical records, to health apps and devices, to our shopping habits and online browsing. Every day we leave digital footprints revealing intimate aspects of our lives. That comes with

benefits and risks. But no one has sorted it all out yet and lost protect people haven't caught up with the advances in technology. Having all that data promises to help researchers come up with new treatments, and it can improve doctor's care. But the risk is that personal information you'd rather keep to yourself could be exposed. Here's Bloomberg's health reporter John Tazzi. Good afternoon, Thank you for calling Anthem Member services. My name is Kathy. How can I help? Hi, Kathy,

my name is John Tazzi. I'm a reporter with Bloomberg News and I'm recording this for a story about medical data and privacy. Um. I'm an ANTHEM member and I'd like to request a list of who Anthem has shared my personal information with. So you're a reporter with Bloomberg correct, Okay, and you are inquired. I recently learned that I have the right to ask my health insurance company what they're doing with my data. It's one of the rights given to me under a law called HIPPA. HIPPA stands for

the Health Insurance Portability and Accountability Act. It was passed and it's the main law in the United States that governs what medical providers and insurance companies can do with our healthcare data. HIPPA determines how medical data can be shared and what happens if it's shared improperly. It also gives people rights over their data, like the right to get a copy of your medical record or to find out how your data has been shared with other parties,

but HIPPA doesn't cover everything. There is the idea, and it is extremely widespread that health information is inherently going to be protected by some law somewhere, but it's not true, not at all. This is Pam Dixon. I am the executive director of the World Privacy Forum, we're a public interest research group, and has been a privacy advocate for twenty years. She told me that people often assume there's some kind of automatic protection for health data. That's not

the case. People universally believe that their health data, no matter where it is, has some form of legal protection and is somehow magically confidential. HIPPA applies to the records that your doctor, other medical providers, and your insurance plan hold, But more and more data about our health isn't just

in medical records. HIPPO covered data is a smaller and smaller percentage of all of the health data that's out there now, And it is so so important for folks to understand this because much of the health data that's that we're working with today is not covered under HIPPO protections. Here's one famous example. Journalist Charles J. Hig reported that target used detailed profiles of customers to predict when women became pregnant, and then the company sent them promotions for

baby cones or diapers. The result was creepy in the best case, and in the worst case, could have revealed information they may not have wanted public. Increasingly, health data is being collected by technology companies, data brokers, advertisers, and other entities that are not subject to hip hop, and it's being used and may be misused in ways that a lot of people don't understand. Think about the apps

on your phone. Maybe you have something to track your steps or to log what foods you eat or when you exercise. Unless those apps come from your medical provider or health plan, they're not covered by HIPPA, and that means that the company is collecting your data are far less restricted in how they use it, and how they use it may not always be transparent. A study published in the journal Drama Network Open in April looked at thirty six top apps to help people with depression and

quitting smoking. Of them, we're sending data to Google or Facebook for marketing, advertising, or analytics, But less than half of those apps disclosed that. The authors wrote most apps offered users no way to anticipate that data will be shared in this way. As a result, users are denied an informed choice about whether such sharing is acceptable to them. This is the kind of risk that has some people really worried. Even though some privacy advocates think hipp as

protections should be stronger, they're a good start. It's the world of data beyond hip as reach that we need to pay a lot more attention to. Because of the lack of UH sort of a uniform standard across the country with regard to data that it isn't protected by hippa UM, there are concerns about the privacy, particularly of health data. This is Aleana Peters. I'm currently a shareholder at Pulsonelli, which is a national law firm. Aliana worked

for the federal government for about twelve years. She wrote and enforced hippa regulations before she went to work for a private law firm in twenty bike PAM. She's concerned about the growing volume of health data that hippo doesn't cover. The information that your employer holds about you related to your health would not be protected by hippa UM. The information that you share with social media about your health or the groups that you participate in on social media

about health issues is not protected. There are applications that are direct to consumer. That means they are marketed directly to consumers and have everything to do with you know, weight loss, to disease management, UM to disease prevention, because they're marketed directly to a consumer and don't ever interact with a healthcare provider on their behalf or with a health plan that would not be covered by hippa UM.

So there's a there's a huge amount of healthcare data UM out there that isn't actually covered by a standard set of legal requirements. Here are some of the ways you might be revealing data without knowing it. You use a credit card to buy a pregnancy test at a retail drug store. You order new pants online, revealing your waist size. You search Google for symptoms of anxiety. You subscribe to a magazine about diabetes. You use an app

to track your morning runs. You take a direct to consumer DNA test, You take an uber to your therapist's office at the same time each week. Just because information about your health could be gleaned from these activities doesn't mean it will be the problem is. We often don't have a very good idea of where this data ends up after it's collected. Some of it could end up in the hands of data brokers. Data brokers are a multibillion dollar industry made up of thousands of companies that

you've probably never heard of. They compile information about people and sell it to marketers. They collect information from public records and even that data that you might not realize you're making, like your retail purchases, what groups you belong to, online magazines and services you subscribe to, and information you fill out in surveys or online registrations. They take all of this information and make lists of people for marketers

to target. In testimony before the Senate Commerce Committee, in Pam the Privacy Advocate described how the data broker industry tracks people by the diseases they have and the medicines they take. There are lists of millions of people that are categorized by the diseases that they have, ranging from cancer to bed wedding, Alzheimer's terrible diseases, some of them benign,

some of them relating to mental illness. There are lists of millions of people and what prescription drugs that they take, and these lists exist entirely outside of hip hop, outside of what hip hop o the any kind of federal health protection. Pam told Congress about some lists that the darker sides of this business model. They included lists of

rape victims and people with genetic diseases. She found lists for sale of people who had HIV and aids, of people with dementia, and of people with alcohol or drug addiction. There were lists of domestic violence victims and police officers home addresses. The list of rape victims cost less than

eight cents per name. Pam said that some of these lists were taken down within an hour or two of her testimony, but most of them have reappeared at some point, and six years after her testimony, she says not much has changed. The data. Broker dossiers are often described as marketing lists, but Pam said that doesn't necessarily mean the buyers or marketers, and it also doesn't mean that the

lists are used as they're intended. For example, employers or insurance companies could also be buying and using this data. There's no law against this, So all of this points to a knee for more protection. The laws we have just don't reach far enough. But despite its limits, HIPPA does provide a good framework for where to start. Here's the good news. When data is covered by HIPPA, the

law gives people important protections. Healthcare providers and insurance plans are barred from disclosing individually identifiable data under HIPPOP and it goes further. As you might remember, the law also grounds people rights over their data. It gives people seven different rights, and the rights are really important because before HIPPA there were huge problems. Pam says, it was really difficult to get a copy of your own medical records

before HIPPA. Before HIPPA, good luck getting a consistent copy of your health file. It wasn't a legal requirement anywhere, so you you can predict what was happening prior to HIPPO. It was a disaster trying to get your health information. It also gives you the right to know if someone has subpoenaed your medical records, which might happen in a

nasty divorce case, for example. And it gives you the right to request an accounting of disclosures that's the list of who your doctor or health plan has shared your medical records with. The list that I'm trying to get from Anthem. HIPPA also sets the rules for what those entities can do with your data. They can't just make it public. They can't tell a reporter or your employer or a family member about your diagnosis, your treatment, or

any other private information without your permission. HIPPA does allow medical providers and health plans to release data if it's de identified. That means removing information like your name, address, precise zip code, and other details. This d identified data can be used for research. It can also be sold. For example, when drug companies want to know which doctors are writing the most prescriptions for their medications, they pay

data brokers who collect that information. Then pharmaceutical companies can send their salespeople to doctors who are the highest volume prescribers. The data they're buying doesn't have your name on it, but it does represent you aggregated with other people, and once it's de identified, it's no longer bound by hippa's protections. Some privacy advocates I talked to described this as a

violation of privacy. The fact that you can't control de identified versions of your data is really troubling to some people. It's especially concerning because of the risk that some de identified data could be re identified that it could be matched back to you as an individual. Most experts I talked to said that this risk is real, but small. Still, the odds of being reidentified have increased since HIPPA was first passed in the Here's PAM. The world has changed.

So back then, I mean, the statistic chance of reidentifying records was enormously low. Now the chance of reidentifying records is a little bit easier because computing power has advanced so much and there's so many more data sets that allow for more identifiability. But there are also benefits to

making de identified data available. Medical researchers rely on it to learn about how to improve care, public health officials use it to track epidemics and trends in population health, and as a journalist, I often cite research or findings based on this kind of data, from how common certain medical procedures are to how often a new drug is prescribed. I work in privacy and I definitely have an opinion

on privacy. I'm I'm for privacy and something that was very hard for me to learn and it took years. UM was the value of releasing data. Pam said she's come to realize that trade offs between keeping data totally private and using some d identified pieces of it. If you want to cure diseases, you're going to have to study the disease, and you can't do that without information about the disease. Information about that disease resides in people's

experience with that disease as patients. We might also benefit directly from having more of our healthcare data digitized to learn about these benefits. I paid a visit to the Commonwealth Fund. Welcome, Thank you. I was there to see a man named David Blumenthal. I'm president of the Commal Fund, which is a national health careful anthropy based in New York City, and our goal is create hard for regal

system in the United States. David's office is in a landmarked hundred and eleven year old mansion on Manhattan's Upper east Side, overlooking Central Park. It used to belong to the Harkness family, which endowed the Commonwealth Fund ascend the three ago with money they made as investors in John D. Rockefeller's Standard Oil Company. David Blumenthal is a big name in healthcare. He worked as a primary care doctor at

Massachusetts General Hospital. He advised Senator Ted Kennedy on healthcare and later worked for President Barack Obama as the country's top health I T official. He helped implement a lot called the High Tech Act, which updated some HIPPA rules. It also gave medical providers billions of dollars in federal subsidies to digitize paper records. The High Tech Act was intended to modernize America's paper based healthcare system. As recently as ten years ago, a majority of doctor's offices in

the United States still used paper records. David's a big believer in how the accumulation of digital healthcare data can help people. As it grows, it begins to represent the healthcare experience of millions, are even billions of people, and that is incredibly valuable. He says. Apps that draw on patients data could help them take better care of themselves. They could prompt people to get flu shots or alert

diabetics when their bud sugar gets out of whack. David says he sees the benefits of greater access to medical data as a physician and as a patient. Though he works in New York, he lives in Boston, and he still sees doctors at Mass General where he used to work, and it's affiliated hospitals in the Partners health care system. He finds it comforting that he can walk into any of the dozens of clinics or hospitals in the system

and they'll still have his records. I have seen and use that that connectiveness with my own care, and it's enormously reassure um that you don't have to be you know, your medicines will be known, your results of all your tests will be known, and all that saving That could solve some big problems in the US health care system. There's a lot of evidence that patients are harmed all the time because their care is fragmented and not coordinated.

A specialist who doesn't know all the medications you're on might prescribe a new drug that has a bad interaction with one you're already taking. One study of more than half a million patients with chronic illnesses like diabetes or heart disease found that people who had more fragmented care had higher costs, lower quality care, and more preventable hospital visits. This is a real problem that a lot of people

in healthcare would like to solve. Policymakers are trying to make the whole country's health care system work better together. They're trying to encourage different electronic medical record systems to talk to each other. They're also making it easier for patients on government health insurance like medicare to get access to their health data. The goal is a health care system that seamlessly relays important information that could save your life.

David gave me a classic example. You live in Austin, but you get into a car accident in Chicago. Once you get to the emergency room, maybe you're dazed or unconscious, or you forget to tell the physician about analergy. But if digital records were more widely accessible, that might not

be an issue. The merger room physician finds your Apple phone and everything is on the Apple phone, or it can access your record in a cloud because there's an agreement to share those informations, and so that increases the reliability of your ka, reduces the chance of an error, reduces the chance of a of a bad outcome. That's the benefit. The risk is most promised, and the sicker people are the less concerned they are about price. But there are also downsides. Just as with app collected data,

more traditional medical data sharing has its drawbacks. The risk is that nothing is ever truly private. As soon as your information is available electron reform, either in a server or in the cloud, it is potentially David has experienced this firsthand as a federal employee. His data was breached in a hack of the government's employee database. I've given up on the idea of privacy. It's just not feasible anymore. It hasn't that I know, have happened to my health,

but it could um and I expected mine. Once data is digitized and stored, there's a risk it might end up somewhere you don't want it to. HIPPA requires medical providers and health plans to tell you when your data has been breached, and under the High Tech Act, if a breach affects more than five people, the companies have to report it to the federal government, which publishes a list.

Since two tho nine, when the reporting requirement into effect, HIPPO covered entities have reported more than two thousand, five hundred breaches that affected almost two hundred million individuals health records. Health data breaches happen so frequently now that they rarely make the news their routine. On average, there's a breach of HIPPO protected health data every thirty one hours, and that's only the data breaches that companies have detected and

that we know about. We know about them because the law requires entities covered by HIPPA to tell us, but under federal law, entities not covered by HIPPA generally don't have to tell us when a data breach happens. The state laws may require them to report breaches. They also aren't bound by any of the other requirements of HIPPA.

They're mostly bound by the promises they make to you in their terms of service, those long passages of legal ease that you click through after you download an app or sign up for a new service, and that's where a lot of the privacy concerns about health data are growing. There's not only the risk that your data might get breached in an illegal hacking operation or stolen by a crooked employee. There's also the risk that it might get shared or sold in a way that's not necessarily illegal

but isn't completely transparent. Either. Facebook and Amazon can do anything they want with your data or any other any company that's not a covered can do anything they want unless they have assured you in that fine print that they won't. But since none of us need that fine print,

will never get around suing. So under HIPPA, we have certain rights, the right to get a copy of our data, the right to know how it's being shared and when it is shared improperly, and it requires healthcare providers to keep our identifying data close to not disclose it without our permission. We don't have those rights over the data we give to some app we download, or a new fitness device or a social media service. We don't have those rights over what with our credit card purchasing data

or our online searches. Partly because we don't have those rights, sometimes our names and contact details wind up for sale on data brokers lists labeling us as diabetics or dementia sufferers or victims of domestic violence. Right now, the law doesn't do a very good job of making companies be really clear about what they're doing with our data and making sure customers are okay with it. So what should we do? I think it's a really good question, and

it's a tough question. Here's Ileana Peters the attorney and former HIPPO official. Trying to decide what's best for all industries with regard to the privacy and security of data is extremely difficult. I think, certainly there are some things we can all agree on, and maybe that's where we need to start. Certainly, I think individual rights is one

of those things, you know. I think everybody should have rights to their own data and should be able to be at least participatory and how they're data maybe um used or disclosed, why it should be deleted, how that should happen? Um, you know, when they can get copies of it, how that should happen. One possible model for people looking to improve privacy policy in the United States is a new law that recently took effect in the

European Union. It's called the General Data Protection Regulation, and its strengthens privacy protections for consumers. It covers all sorts of personal data, not just healthcare. The law mix companies get more explicit consent from people about the data they want to collect. It also gives people a right to get a copy of their data, and it's supposed to

give them more control over what happens to it. The United States doesn't have anything like it yet, and there's no clear path to passing a new umbrella privacy law in the US anytime soon. That means that even companies trying to do the right thing don't have good standards to follow. Pam Dixon, the privacy advocate, said, we've start by creating a set of standards that companies adhere to voluntarily that would give consumers more trust and how their

data is being used. So ideally, what I'd like to see at a minimum, is some kind of structure that allows for um privacy standards to be built. Is there a privacy standard we could write for health data outside of HIPPA. I think there is, and I think we could find a lot of agreement amongst the stakeholders. As I said, I think there's a lot of people who want to do the right thing. It's just there's not a standard yet. In the meantime, what can we do

as individuals to have more control over our data? First, you can exercise the rights you already have under HIPPA. Pam recommends everyone get a copy of their medical records from their providers. If someone tries to steal your identity later on, it will be important to have your original files. If you have kids, get copies for your kids too. You can also pay attention to what you're agreeing to when you start using a new app or service. Here's Alana.

I read everything before I click I accept, but I realized that I may not be the typical user. PAM also recommends simply asking companies what data they're collecting and what they're doing with it. You know, sending an email to um an app developer and asking what happens is always a great idea. I do that all the time. If they don't email me back, I delete the app.

I'm a reporter, so maybe I'm biased about this, but I think asking questions is a good way to show the people were trusting with our data, that we're paying attention, that we care about what happens to it, and that we want some control. I spent about twenty minutes on the phone with my insurance company. Most of the time I was on hold, Hello, Yes, thank you so much

for patiently waiting. I can clearly apoll eventually. I just wanted to make sure that she was really friendly, and eventually she gave me the address of the privacy office where I could send an email to request an accounting of disclosures, one of my rights under HIPPA. I wrote to them in April. At the end of May, they sent me a letter that described how my health information was released. Anthem said they're required by law to send my claims records to a database run by the state

Health Department. The letter also said that my name, date of birth, and contact information were exposed in a cyber attack in t Anthem was hacked in a breach that compromised data on seventy nine million people. It was the largest recorded health data theft in US history. Anthem paid a sixteen million dollars settlement last year over potential HIPPO violations related to the breach. The company did not admit liability as part of the settlement, and justin May, two

Chinese nationals were indicted in the crime. The Justice Department called them part of an extremely sophisticated hacking group operating in China that targeted US businesses. We got in touch with Anthem about this. A spokeswoman there said the company is committed to safeguarding customer data and there's no evidence that the information stolen in the cyber attack resulted in fraud against customers. So I know my data is out there, along with millions of other people's. I don't feel great

about it, but at least I know. I'm more worried about what I don't know. And that's it for this week's prognosis. Thanks for listening. Do you have a story about healthcare in the US or around the world we want to hear from you. Find me on Twitter at the Cortes or email m Cortes at bloomberg dot net. If you were a fan of this episode, please take a moment to rate and review us and really helps new listeners find the show and don't forget to subscribe.

This episode was produced by Lindsay Cratterwell. Our story editor was Rick Shine. Special thanks to Drew Armstrong. Francesco Levie is head of Bloomberg Podcasts. We'll be back on June with our next episode. See you then,