
Data Breaches Not Protected Under HIPAA

In this concluding article, the author maintains that digital platforms enable data breaches of huge magnitude.
July 1, 2014
OPINION -- In 1973, Secretary of the Department of Health, Education and Welfare Elliot Richardson established a committee to protect the privacy of personal data in record-keeping systems. Fair Information Practices were a response to the growing use of automated data systems in both public and private sectors. One original principle stated: There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.

Q-Corp's “fair information practices” make no pretense to be fair to the health care consumer.

Many think that HIPAA was created to respond to a patient’s need for privacy. The “P” in HIPAA is not for privacy. With 2002 amendments to HIPAA (Health Insurance Portability and Accountability Act), covered entities don’t need to seek patient consent when protected health information is disclosed for treatment, payment, and health care operations. The Privacy Rule, as Dr. Deb Peel of Patient Privacy Rights explains, effectively eliminated patients’ rights to control the use of their personal health information.

There’s no opting out of the OHA database, which gleans data to score Oregon’s Coordinated Care Organizations (CCOs) on outcome and quality measures. The OHA rewards providers who reach benchmark measures with financial incentives. For example, one state benchmark for Oregon’s CCOs used administrative billing claims to measure the “percentage of children (ages 6-12) who remained on ADHD medication for 210 days after receiving a new prescription.”

In 2012, the OHA agreed to share 111 data items “that pertain to services being provided in the community mental health system with serious and persistent mental illness” with the U.S. Department of Justice. CCOs must identify adults with schizophrenia and other psychotic disorders; major depression and bipolar disorder; anxiety disorders; and personality disorders. The Special Litigation Unit claims this information is required to comply with a Supreme Court decision that “institutional isolation of a person with a disability is a form of discrimination under Title II of the ADA.”

Data Breaches

Digital platforms are infrastructure, much like dams are. HIPAA amendments enable data breaches of huge magnitude.

The Office of Civil Rights maintains a database of health information breaches affecting 500 individuals or more. The largest breach affected nearly 5,000,000 individuals who receive benefits from Tricare. Not far behind, the theft of an Advocate Medical Group laptop computer was implicated in a 2013 data breach in Illinois.

Government agencies have also been involved in massive data breaches. 780,000 individuals were affected when the network server of the Utah Department of Health was hacked. In response, Utah spent about $9 million on security audits, upgrades and credit monitoring for victims. Because social security numbers were breached, the incident could eventually result in 122,000 cases of fraud, with a total impact as high as $406 million expected to hit retailers and the financial industry. Affected individuals have little recourse but to monitor their credit reports.

Conclusion
Information asymmetry rigs insurance markets to the profit of this sector. 

Joseph Stiglitz says competition does not work in the health insurance market. Rather than provide better healthcare at lower costs, insurance companies innovate in finding better ways to discriminate, trying to figure out how to insure people who don't need the coverage and prevent people who need insurance from using it. They waste money on marketing and advertising, and the incentives wrongly reward high transaction costs. Profit incentives compete with disparate health and social incentives. He says America’s private health insurance companies have been proven inefficient and expensive.

Stiglitz says a single-payer financing system is "the only alternative." I agree.

Oregon’s All Payer All Claims databases were purposefully constructed to obfuscate and spin data, all under the guise of “transparency.” Patients had no stake in formulating “value-added” metrics claimed to measure healthcare quality.

I am concerned the Department of Justice's request for mental health data from Oregon's CCOs may violate patients' Fourth Amendment rights "against unreasonable searches and seizures"; I hope the ACLU will investigate further.

Oregonians should prevail on the All-Payer, All Claims Technical Advisory Group to demand the following:

·      Removal of trade secret protections that prevent disclosure of price variations

·      Prohibition of gag clauses that prohibit physicians from frankly discussing all treatment options, covered or uncovered, expensive or inexpensive, that could be of benefit to the patient

·      Investigation of whether contracts with Milliman Inc. violate federal statutes

·      The right to opt out of data collection in All-Payer, All-Claims databases

·      Inclusion of more patient advocates who determine value and quality metrics

·      A Constitutional amendment to declare privacy as a right—similar to what California and Washington residents already enjoy.
