Here's how the investigation worked: State public health departments, eager to expand medical research, collect de-identified discharge data from hospitals. HIPAA permits this disclosure, in part because the privacy advocates who helped write HIPAA made it easy for states to pass tougher versions of the federal HIPAA law. The problem, however, is that most never did. So in 33 states, this discharge data gets sold for little or no money to all takers.
Through a Freedom of Information Act request process, the story's author, Bloomberg BusinessWeek writer Jordan Robertson, discovered that the primary buyers of this data turn out to be public and private corporations not primarily known as public health researchers: Truven Health Analytics, OptumInsight/Ingenix, and WebMD, among others.
"Hospital records are very useful in enriching prescription data databases, because a prescription record will only show you what medication you're on," Robertson told an audience at the 3rd Annual Summit on the Future of Health Privacy in Washington, D.C., which I attended.
"If you can link that with a hospital record, you can also learn what your original diagnosis was, which physician recommended you that particular drug, as well as all these ancillary conditions, so it turns out, and I had no idea about this, but hospital discharge data is one of the most valuable pieces of data in the medical data ecosystem," Robertson says.
No one is yet saying that these companies are the ones re-identifying patient data, but Robertson's investigation shows how easily it can be done.