Protected To Death: How Medical Privacy Laws Helped Kill 25,000 People

from the still-feeling-safe? dept

Privacy. Everybody talks about it. Grandstanding politicians make plenty of loud noises in the general direction of the internet, disparaging it for turning your perusal of Kim Kardashian-related articles into targeted ads for breast enhancement surgery and Kanye West tickets. Of course, while these politicians are making all this noise about your privacy, they're quietly signing off on efforts allowing them to sneak in the backdoor and raid your browser history.

Putting the government in charge of your privacy has never been a great idea. When HIPAA was enacted, its privacy requirements greatly affected the medical community. Like many regulatory acts, HIPAA both raised costs (additional paperwork and other compliance factors) and lowered quality (negatively affecting retrospective research and curtailing proactive follow up care).

The true cost of all this additional paperwork, regulation and privacy is now coming to light. Via The Volokh Conspiracy comes the news that HIPAA's privacy requirements may have hampered research efforts that could have prevented an estimated 90,000 unnecessary heart attacks and 25,000 deaths.

Vioxx, the non-steroidal anti-inflammatory drug once prescribed for arthritis, was on the market for over five years before it was withdrawn from the market in 2004. Though a group of small-scale studies had found a correlation between Vioxx and increased risk of heart attack, the FDA did not have convincing evidence until it completed its own analysis of 1.4 million Kaiser Permanente HMO members. By the time Vioxx was pulled, it had caused between 88,000 and 139,000 unnecessary heart attacks, and 27,000-55,000 avoidable deaths.
Even the government's own regulators were stymied by HIPAA's privacy requirements, as was pointed out by Dr. Richard Platt, a drug risk researcher for the FDA:
The Vioxx debacle is a haunting illustration of the importance of large-scale data research. If researchers had had access to 7 million longitudinal patient record, a statistically significant relationship between Vioxx and heart attack would have been revealed in under three years. If researchers had had access to 100 million longitudinal patient records, the relationship would have been discovered in just three months. Of course, if public health researchers did post-market studies that looked for everything all the time, many of the results that look significant would be the product of random noise. But even if it took six months or one year to become confident in the results from a nation-wide health research database, tens of thousands of deaths may have been averted.
At least as troubling as the fact that several thousand deaths could have been prevented if HIPAA's restrictions and terms had not been so limiting is the fact that the privacy stipulations were put into place based on a faulty premise and the Dept. of Health and Human Services' misplaced confidence in the erroneous results.

The premise, as demonstrated by Massachusetts graduate student Latayna Sweeney, was that patient reidentification was possible using only voter registration records and Massachusetts Group Insurance Commission's (GIC) anonymized records. Sweeney was able to reidentify Governor Weld using voter record information, including birth date, name, address, zip code and sex and cross-referencing it with GIC's data. But, as Info/Law points out, Sweeney made a couple of errors, not the least of which was conflating two different terms:
Latanya Sweeney used census data to estimate that 87% of the population has a unique combination of 5-digit zip code, birthdate, and gender, and implied that the same sort of attack, using voter registration records or other public files. Phillip Golle's replication corrected the figure to 63%, though that's hardly comforting. But these uniqueness statistics are rather misleading. There is an important difference between distinguishability and identifiability. Distinguishability is a necessary condition to conduct the sort of matching attack that Ohm describes, but it is not sufficient. Latanya Sweeney conflated the two when she suggested that a unique individual can be identified by linking the unique combination of attributes to public records-voter registration records, e.g.. But public records are never complete. We know, for example, that a significant portion of the population is not registered to vote. How was Sweeney so sure that there was not another man who shared Gov. Weld's birth date and zip code who was not registered to vote?
Not only was the data set incomplete, but it was overly simplistic and off by a large margin:
Daniel Barth-Jones has recently uploaded a fascinating new article that revisits the famous Gov. Weld reidentification. To start with, Sweeney's estimate of the Cambridge population is way off. There were nearly 100,000 people living in Cambridge at the time of the William Weld attack. This should have been the first hint that Sweeney's methodology was overly simple. She reported a population of 54,000 because that is the number of Cambridge residents who were registered to vote. Sweeney used these records as if they described the entire population.
By comparing Sweeney's count of Cambridge voter registrants with U.S. Census records, Barth-Jones confirmed that many voting-age adults in Cambridge (about 35%) were not registered to vote. In William Weld's case, the census data show that approximately 174 men living in Weld's zip code were Weld's age. We don't know their precise birth dates, but we can calculate that the chance another man living in Weld's zip code shared his birthdate was about 35%. This is quite important all on its own to illustrate the difference between identifiability and distinguishability. Most of those 174 men had a unique combination of birth date, gender, and zip code, but each one of them was quite likely-35% likely-to be non-unique.

Sweeney presumably used the voter registration records to rule out the possibility that some of these 174 Cambridge men shared Gov. Weld's birth date. But even if Sweeney did indeed confirm that no other registered voter shared Weld's gender, zip, and birth date, she could not have been sure about the 50 or so Cambridge residents who were Weld's age and were not registered to vote. Thus, at best, Weld's chance of having a unique birth date, zip code, and gender combination is 87%. Put differently, the chance that Latanya Sweeney's matching attack would have been wrong using these three variables alone was 13%- much worse than traditional 5% statistical confidence.
Despite these erroneous assumptions based on incomplete data, the Dept. of Health and Human Services stated the study had shown that "97 percent of the individuals in Cambridge whose data appeared in a database which contained only their nine digit ZIP code and birth date could be identified with certainty." This completely ignores the fact that over a third of the population wouldn't even show up on the list.

But bad data and faulty research have never stopped governmental "progress." The threat of reidentification is low and any attacks remain purely speculative. But while bad regulations have a tendency to be able to weather even the toughest criticism without making the slightest concessions, HIPAA has one thing most bad regulations don't, as Info/Law points out: "a body count."

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: fda, hipaa, hmo, medicine


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ninja (profile), 28 Jun 2012 @ 12:44pm

    Ah, data. It can tell you everything and anything as long as you torture it enough.

    I have mixed feelings on this article. But I do agree we have to avoid German-like privacy excesses.

    Meanwhile, avoid buying burger with your credit card or your health insurance will become more expensive ;)

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Jun 2012 @ 1:05pm

      Re:

      I would appreciate it if Volokh or Tim would elaborate on what IS allowed by HIPAA - for example, data with DOB/zipcode/gender might be enough to theoretically identify someone, but year of birth/zipcode/gender certainly wouldn't be - and the effectiveness of using whatever data can be gathered relative to the effectiveness of what data is not allowed.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 Jun 2012 @ 1:11pm

        Re: Re:

        I used to have some experience in this.
        Zip code would not be allowed (at least zip+4), gender would, birthdate would have to be shifted by a small random number of days (or just the year).

        The real issue is these things make it impossible to merge two datasets from separate sources together. (because otherwise you would be able to pull the governor's health records and such things)

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Jun 2012 @ 12:45pm

    Putting the government in charge of health care has never been a good idea either. But thanks to Congress, Coonskin, and the Court, the fat's in the fire now.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Jun 2012 @ 12:54pm

      Re:

      The government isn't in cahrge of healthcare. The government is in charge of paying for healthcare.

      link to this | view in chronology ]

      • icon
        Chuck Norris' Enemy (deceased) (profile), 28 Jun 2012 @ 12:58pm

        Re: Re:

        Government has been paying for healthcare for a long time. Now it is forcing everybody (well, tax-liable individuals) to pay for healthcare whether or not you want/need it.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 28 Jun 2012 @ 1:07pm

          Re: Re: Re:

          like you pay for roads whether you use them or not, or schools or police or fire departments. In fact you may get through your entire life without using those, but sometime in your life you will use healthcare. Plus if government has been paying for healthcare for a long time we have all already been paying for it. Where do you think tax money comes from?

          link to this | view in chronology ]

          • identicon
            varagix, 28 Jun 2012 @ 1:35pm

            Re: Re: Re: Re:

            Yes, except that those roads are -available- to everyone too, whether they use them or not. Same for schools, police, fire dept, etc. US gov healthcare only covers about 80% of of the population, and only a fraction of the time.

            US health care is a big freaking mess, and no one wants to address any of the real problems with it. Instead they just sort of bury them under lesser, newer problems. Thus why we have Obamacare: people are fighting over the few trillion in relatively recent costs it added, while ignoring the tens or hundreds of trillions of future unpaid costs in Medicare and Medicaid.

            link to this | view in chronology ]

          • icon
            Chuck Norris' Enemy (deceased) (profile), 29 Jun 2012 @ 6:57am

            Re: Re: Re: Re:

            If I die at 38 then I never get Medicare or Social Security...yet I paid (tax) into it the whole time I was employed. Thanks for trying, though.

            link to this | view in chronology ]

            • icon
              Niall (profile), 2 Jul 2012 @ 6:36am

              Re: Re: Re: Re: Re:

              If you die at 38 there's a lot of roads and schools you won't have to pay for, and poor starving arms manufacturers that may go out of business for the lack of your tax dollars ;)

              link to this | view in chronology ]

        • identicon
          Anonymous Coward, 28 Jun 2012 @ 1:16pm

          Unless you just decide not to play the game

          ...because apparently the law (which will, no doubt get rescinded anyway before it takes effect in 2014) is completely optional; there is NO penalty for simply ignoring it.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 28 Jun 2012 @ 1:19pm

            Re: Unless you just decide not to play the game

            Uh, yes there is.

            link to this | view in chronology ]

          • identicon
            Anonymous Coward, 28 Jun 2012 @ 1:36pm

            Re: Unless you just decide not to play the game

            How did you come by this piece of information? Do you have proof of this?

            link to this | view in chronology ]

          • icon
            weneedhelp (profile), 28 Jun 2012 @ 1:50pm

            Re: Unless you just decide not to play the game

            Dont have healthcare and ignore getting it and the IRS will come a knocking:
            http://www.philly.com/philly/health/160672005.html?cmpid=138896494


            The court said the law's requirement that individual Americans purchase insurance or be subject to a penalty levied by the IRS was constitutional.

            NO MATTER HOW MANY CAPS YOU USE, YOU ARE WRONG.

            link to this | view in chronology ]

          • identicon
            Bengie, 28 Jun 2012 @ 1:52pm

            Re: Unless you just decide not to play the game

            I have never heard of an optional requirement before.

            link to this | view in chronology ]

    • icon
      Angry Puppy (profile), 28 Jun 2012 @ 1:49pm

      Re: Coonskin?

      WTA - White Trash Alert

      or

      IRW - Ignorant Redneck Warning

      You decide.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 Jun 2012 @ 3:58am

        Re: Re: Coonskin?

        Could be a reference to the Ralph Bakshi animation/live-action movie.
        In any case, it's FOS- Freedom Of Speech.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Jun 2012 @ 3:08pm

      Re:

      "Putting the government in charge of health care has never been a good idea either."

      No, that's an idea that has never worked before IN EVERY NATION ON EARTH.

      link to this | view in chronology ]

      • icon
        Chargone (profile), 29 Jun 2012 @ 6:38am

        Re: Re:

        indeed.

        the results are variable depending on the nature of the government in question.

        the US's setup is a 'worst of both worlds' mess, i believe.

        NZ's system is brilliant for emergency stuff, and Generally works for everything else... but has serious resource issues (mostly due to every second government or so having some brilliant idea about how they can save money by spending hundreds of thousands or more to re-arange everything and put a few dozen people or so out of work...)

        though lately ACC (basically a compulsory accident/injury insurance plan) has been getting raked over the coals... but that's over the sort of stupid thing corporations pull off all the time too. fudging the numbers to make themselves look good, deliberately mis-classifying stuff (plausibly, so you couldn't prove it beyond reasonable doubt or anything, but it's wrong enough consistently enough that it's quite clear that it's happening. attributing new injuries to ongoing conditions the person in question doesn't have, for example, or claiming something is a part of aging when the person in question isn't old enough for that to be really valid and we Know it was a result of injury) so they don't have to pay out, that sort of stuff.

        actually, the biggest problem is keeping trained staff in country. we apparently have a fairly high turnover. though i can't remember if that's due to low pay or the same problem the school system has.

        (crazy long rant about school system which added at least half as much again to the length of this post redacted for the reader's sanity.)

        link to this | view in chronology ]

    • icon
      Ninja (profile), 29 Jun 2012 @ 10:32am

      Re:

      Actually it can work much better than leaving in the hands of the private sector. The issue is there's a lot of corruption so even the most perfect system will not be much better.

      See Brazil as an example. the public health care (SUS) is one of the most advanced and elaborate ones in the world. In theory. However, PMDB (political party like Reps and Democrats) managed to grab enough influence (via huge representation in municipal governments) and got itself sort of rooted in the health ministry for years now diverting shitloads of money. The result is a very problematic system that will work to you if you are lucky enough.

      I think neither private nor public is a real solution when you weight human corruption in. Socialism is there to prove it. The idea is actually good but the execution (Communism) proved to be disastrous. Animal Farm is a good book that illustrates this.

      link to this | view in chronology ]

      • icon
        Niall (profile), 2 Jul 2012 @ 6:42am

        Re: Re:

        Yes, I have yet to see a good capitalistic explanation of why private industry would actually care to support most people (i.e. the ones that need it) without a large government or social stick around. Sure, socialising it too much cna be bad, and the execution regardless can suck - but seriously, the American system really resembles two wolves and a sheep voting for lunch.

        Where 'communism' falls down (at least in the health sphere) is that it tends to get overly corrupt (only a few benefit, controling most of the resources) and leaving the masses with the dregs. Hmm, sounds just like the capitalistic version, now I think about it.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Jun 2012 @ 12:56pm

    since when has any company or politician worried about the number of deaths in their related areas? what they concentrate on is how many were copyright infringement related and, but for the rebuttal of SOPA, how many less there would have been. bottom line being, had the public kept quiet instead of sticking up for themselves, there would have been more potential victims for the entertainment industries to prosecute

    link to this | view in chronology ]

    • identicon
      DogBreath, 28 Jun 2012 @ 1:24pm

      Re:

      since when has any company or politician worried about the number of deaths in their related areas?


      For companies, simply tell them: "Dead people don't pay", as in: "Sell cigarettes and/or alcohol to get them addicted, and they'll be making you a pretty penny for decades, until they die of lung cancer or liver failure. Sell them extremely deadly products, and you've lost a customer... for life (because they're dead)."

      For the politicians, you also have to talk to them in a language they can understand.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Jun 2012 @ 1:07pm

    Pharma scares me.

    link to this | view in chronology ]

  • identicon
    Lord Binky, 28 Jun 2012 @ 1:14pm

    If this is surprising, your jaw would drop at what they're allowed to throw out of medical studies as standard practice. Statistics - never having to say you're certain.

    link to this | view in chronology ]

  • identicon
    (A), 28 Jun 2012 @ 1:29pm

    To hell with the government. I will do what I want, and if that includes downloading and possessing CP, so be it. There's more than one way to strike a blow against the empire.

    link to this | view in chronology ]

  • icon
    Nigel (profile), 28 Jun 2012 @ 1:43pm

    Maybe someone can ping Jan Brewer and see what she has to say lol...

    actually, that is not at all funny...

    Nigel

    link to this | view in chronology ]

  • identicon
    Anonymous Howard, 28 Jun 2012 @ 1:45pm

    I think DavidHilbert, a commenter at VC, said it best:

    I think pharma's hiding the ball probably contributed more to those deaths. "Hey, this kills people." "So?" "Just saying. Maybe we should not market it?" "You're fired."

    I'm a chemical engineer, and there's a reason I didn't consider working for Big Oil or Big Pharma.

    link to this | view in chronology ]

    • identicon
      Anonymous Howard, 28 Jun 2012 @ 2:09pm

      Additionally, I've never really liked Stewart Baker's take on privacy to begin with - his viewpoints are frequently misguided if not outright laughable.

      Relevant to this community, there was this gem from a while back, penned by Baker...

      link to this | view in chronology ]

  • icon
    Angry Puppy (profile), 28 Jun 2012 @ 1:59pm

    Anonymous Treatment of Personal data

    I've work with HIPAA and private medical data for years. Creating a large database for statistical analysis that can not be traced back to any individuals is a trivial exercise.

    The people at the Dept. of Health and Human Services were simply protecting their future appointments to well paid positions at Merck Pharmaceuticals or complete idiots.

    link to this | view in chronology ]

  • identicon
    WS, 28 Jun 2012 @ 2:05pm

    Flame

    This article flames the graduate student as much as the government. I find this irresponsible. The graduate student is paying to learn how to do research. Shouldn't the advisory committee, been at least partially responsible for ensuring that the student's thesis calculations were accurate?

    Making mistakes is part of learning, and if you are paying to learn, shouldn't those being paid to teach help you find the mistakes you can learn from?

    Finally, her research faulty or not (which is why all research is suppose to be peer reviewed) did recognize a significant issue with government policy.

    Thank you,

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Jun 2012 @ 2:20pm

    The fallacy with this article is that it assumes that if HIPAA never existed the government would have acted more quickly.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Jun 2012 @ 4:07pm

    Privacy vs the betterment of mankind.

    I give my health records away for free to be correlated and used somehow, I try to anonymize it knowing full well that at some point I could have made some mistake that could allow it to be correlated to near certainty.

    The thing is, people need to make a choice, if you want total privacy that will have costs, it comes to down to higher operational costs, less openness and usefulness of the data and it can be alleviated by people choosing what to release or not for better or for worse, or having everybody see your records and make decisions upon them that could have negative effects on your life.

    Or we could build a society where that data is not relevant to anyone except researchers, what are the forces that are driving people to hide that information?

    Insurance companies? Make it so that they can't discriminate against people, one way to do that is by legislation, a better way is to create and support competing insurance alternatives. If you have to pay for healthcare anyways why not do it voluntarily but give all you can to community based clinics? Donate money, time, food, clothes, learn to sew something so you can make those hospital garments and give it to them, volunteer to help, don't wait for others to do your job for you it is not going to happen, Fight against Obamacare in the point the it forces you to be insured, fight Obamacare if it doesn't allow you to bui8ld your own options, else it is irrelevant.

    A great initiative was born on Patientslikeme, it does exactly what the government was unable to, it doesn't have any legislation yet forbing it from existence and it works, nothing is stopping people from doing something about it, only ourselves at the moment.

    We know the government is slow, what can we do about it ourselves?
    Pay attention to research done and see which drugs raise red flags and start building our own databases to where we can point doctors to our own collection data about them?

    Are companies using that information to not hire people?
    That may need legislation, although people can point and shame companies that do and others that don't work for that company can pressure it to change its ways or even force it out of business the first company that goes down because of crap like that will scare the others hopefully.

    How can we correct not fight, but correct the factors that are making "privacy" so important?

    I post anonymously online all of my medical records for researchers or people interested in knowing what to expect from the same problems I have, I don't do it for myself, I do it because somebody else did it and it helped me greatly, it is comforting to know what could happen to you even if it is horrible, some people may not want to know of course that is their choice and I can respect that, but I do it to those who like me find comfort in knowing what to expect on the road ahead of them, my health problems are a map, the collection of maps can show the probabilities of success, can be used to show what worked, why it worked and how it worked or didn't, even if it doesn't help me directly at the moment and I can't see any immediate benefits, I have let go of my fear of being exposed, and it is hard for me, I am almost pathological about privacy, that is why I always be an anonymous coward.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Jun 2012 @ 6:39pm

      Re:

      Remember another thing.

      Are there laws that make creating alternatives to the government database more risky?
      Like defamation laws?

      I just want the government to stay out of it, I believe people will find their own ways to deal with such problems if they have the freedom to do so.

      Even if the fall a thousand times eventually they find a way that works.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Jun 2012 @ 4:16pm

    big freaking deal, why do you care???? we kill over 30K EACH YEAR in car wrecks, we could MAYBE save those 25K by giving up more of your rights to privacy...


    Number of deaths for leading causes of death:

    Heart disease: 599,413
    Cancer: 567,628
    Chronic lower respiratory diseases: 137,353
    Stroke (cerebrovascular diseases): 128,842
    Accidents (unintentional injuries): 118,021
    Alzheimer's disease: 79,003
    Diabetes: 68,705
    Influenza and Pneumonia: 53,692
    Nephritis, nephrotic syndrome, and nephrosis: 48,935
    Intentional self-harm (suicide): 36,909

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Jun 2012 @ 4:38pm

    Putting the government in charge of health care has never been a good idea either."

    No, that's an idea that has never worked before IN EVERY NATION ON EARTH.


    Tell that to my uncle Trevor in the UK who had open heart surgery FOR FREE. I am not trying to create a windbaggy argument about socialism but feel free to read on....

    So, less the cost of petrol(of course) I fail to see the issue with psuedo socialized medicine. If it saves lives, is it not spiritually fit for others to consume?

    I admit I am not fully up to speed as to why gas is so expensive in the UK and I certainly am not espousing Michael Moore per say, just asking what is wrong with everyone having health care.

    We the people, at the end of the day, have to pay for that shit anyway, why not make sure it actually saves some lives?

    Nigel

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Jun 2012 @ 4:06am

      Re:

      Open heart surgery FOR FREE? Wow, that's one altruistic doctor, doing surgery and not getting paid for it. Are you sure Trevor didn't pay for it with a crapload of taxes that would choke a mule?

      link to this | view in chronology ]

      • icon
        Nigel (profile), 29 Jun 2012 @ 6:36am

        Re: Re:

        I am not equipped to speak on the state of UK taxes sorry. I live the the US.

        Nigel

        link to this | view in chronology ]

        • icon
          Chargone (profile), 29 Jun 2012 @ 6:48am

          Re: Re: Re:

          the NZ public health system is similar.

          our taxes are apparently surprisingly low, all things considered.

          (which didn't stop our current moronic government lowering income taxes on the top bracket (more the '10%' than the '1%', but still) and raising the Consumer tax (which is a Regressive tax: the less you have the more of it that tax eats, unlike the Income tax, where the more you have the more of it the tax eats, but the tax rate goes up slower than your income does and has a maximum, unlike your income. this was supposedly going to leave the 'average New Zealander' better off... nevermind that their 'average' assumes an income higher than 2/3rds or so of the population actually has. and of the people who Were it was mostly by less than ten dollars a year or something equally pathetic. on the upside, they apparently DID cut down on the number of loopholes available for dodging taxes.)

          link to this | view in chronology ]

      • icon
        Ninja (profile), 29 Jun 2012 @ 10:39am

        Re: Re:

        Public health care!

        link to this | view in chronology ]

      • icon
        Niall (profile), 2 Jul 2012 @ 6:45am

        Re: Re:

        Only if it was an American mule to whom 10% taxes are an 'undue burden' - unlike us Europeans who happily pay higher taxes so we - and everyone else - can get that surgery (or whatever) for as close to free as possible. Because we are humane and civilised.

        link to this | view in chronology ]

  • identicon
    Coyne Tibbets, 28 Jun 2012 @ 10:32pm

    Obtuse refusal to understand?

    I work for a healthcare organization. Our data is routinely used in research. Of course, HIPAA prevents identifying data from being included in records used for research, which means that research is simply done on anonymized records.

    The government could have had all the records it wanted for looking at Viox except for two things: (1) Healthcare wants paid for research data, profit motive, and the government researchers couldn't get the money; and (2) Merck actively interfered with research in the Vioxx arena, because Merck knew the drug could not stand the scrutiny...profit motive again.

    And as for the line about 100 million healthcare records? That is pure fantasy land: One in 60 people world-wide? One in 3 in the United States? Be serious. Even the concept is just as outrageous as as the record companies that claim billions lost to piracy.

    link to this | view in chronology ]

  • identicon
    Pete Austin, 29 Jun 2012 @ 1:23am

    What about voters who just moved house?

    Does the 35% of adults who are not registered to vote include people who, like me, are registered but not at their current address? I suspect not, so the error rate will be even higher.

    link to this | view in chronology ]

  • identicon
    Pete Austin, 29 Jun 2012 @ 1:41am

    It's more complicated than that

    However, the overall percentage of people not registered to vote is not what matters here. Researchers should match against the part of the overall population that are similar to the target group. (in the case of the governer, men of the same age who live in the same kind of neighborhood - presumably upscale). This matters because many reports show that the percentage of non-voters is not even, but varies with e.g age, race and social class. Anyone know a report which puts a lot of work into analysing this issue fully?

    link to this | view in chronology ]

  • identicon
    Pete Austin, 29 Jun 2012 @ 2:00am

    And Finally...

    Where you live correlates strongly with your age. We are all familiar with student areas around universities, and retirement villages, and the fact that families with young children like to live near good schools. This means that a lot more people than expected will share the same birth date as other(s) in their zip code.

    So identification by birthday and zip code is likely to be far less accurate than the simplistic figures suggest. And, as diseases tend to favor people of specific age groups, the chance of several victims sharing a birthdate and zip code is *even* more likely than that.

    I would expect a lot of cases where multiple disease victims are recorded as the same person.

    link to this | view in chronology ]

  • identicon
    Steve, 29 Jun 2012 @ 4:53am

    Not so sure the Vioxx case is about personal privacy

    Just as a note, the case cited could have been completely avoided had the company resposible not buried unfavourable results during the trial period. It has been shown that the efficacy and safety of the drug was over hyped to say the least. Perhaps we should be focusing on the 'privacy' given to drug companies rather than ourselves......... just a thought.

    link to this | view in chronology ]

  • identicon
    Robotic Advice, 29 Jun 2012 @ 10:06am

    Three thoughts

    1) Government regulation of health privacy is bad, but providing the government with the fully identifiable longitudinal records of thousands of patients is okay?

    2) You can still compile longitudinal records of patients for research purposes and stay within privacy restrictions. Sweeney's errors are pretty well known and are irrelevant here. You can use a one-way hash to de-identify longitudinal patient info (as many health analytics companies do) and you can also go through the IRB process. And don't public health researchers operate under looser privacy restrictions anyway? I think they do.

    3) You is totally ignoring consistent research showing many patients refuse treatment for health conditions or lie to their health care providers when they feel that their privacy will be violated. No one has put together a "body count" for this behavior, but clearly a problem that weakens a health care system that relies on accurate information to provide good treatment.

    link to this | view in chronology ]

  • icon
    ArkieGuy (profile), 29 Jun 2012 @ 1:23pm

    97% is wrong (but it's LOW not HIGH)

    97 percent of the individuals in Cambridge whose data appeared in a database which contained only their nine digit ZIP code and birth date could be identified with certainty.

    I suspect the 97% number is actually LOW considering the fact that a nine digit zip code (Zip + 4) points to a SPECIFIC ADDRESS, not a neighborhood (or more accurately region).

    With Zip+4, the correlation would be "how many people in YOUR house are the same sex as you and have the same birthday" - I'm guessing >99% unless you have a twin that lives with you.

    With 5 digit zip, the correlation would be "how many people in your NEIGHBORHOOD are the same sex as you and have the same birthday. For this, 97% might be high... or it might be right.

    link to this | view in chronology ]

  • identicon
    Jim Pyles, 29 Jun 2012 @ 3:13pm

    Privacy Kills

    Yes, I remember when those supporting the use of electronic health records told Congress that enacting the HITECH Act would save 100,000 American lives and $77 billion annually. We are still waiting for the first life and the the first dollar to be saved. Early studies out of Harvard Medical School and other researchers are showing that health IT is ADDING new medical errors and has added at least $6 billion to hospital costs annually, and that number is climbing every year. We now employ thousands of new people in the health care industry, not to look after patients, but to look after and care for the computers.

    link to this | view in chronology ]

  • icon
    Seegras (profile), 2 Jul 2012 @ 4:28am

    Don't blame privacy laws for bad methodology

    Just because some government-agency provided bad data to researchers doesn't mean the privacy-provisions are a bad thing. Probably the agency just had no experience to apply it correctly.

    Because, on the other hand, there is a BIG reason for better privacy-laws. Can you guess why Europe has a MUCH lower rate of identity-thefts than the USA? Precisely. Better privacy protection. Because if you have them, law-abiding companies will actually avoid having too much of data about you -- and if their databases get compromised, you will be hurt much less.

    Of course, these laws don't help against criminals and nefarious government agencies, but the 90% of the people and companies which try to follow them make a big difference in reducing fraud.

    The first people to profit from data-retention are always criminals. Even if the government does it, even if it's meant to combat crime -- first, it will create new crime.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.