How do we know who’s marketing us and who sells data? Consumers need a place on the web to look this up, and so far all we get are privacy statements written by attorneys that hardly anyone can understand, and they are done that way on purpose. We can reference all kinds of other information on the web, but can we find a nice drill-down query to see what company, bank or other entity sells data and what kind? Nope. Keep the consumer in the dark here, as transparency would make patients more aware of what’s going on. If you want patients to be involved, give them the information, especially as it relates to privacy.
I know this is not an easy project. The HIPAA rules are better than what we had but are still lacking a lot, as the rules seem to still be living in their own silo. Just take a look around you: you see healthcare everywhere, in places it’s never been before. The same applies to healthcare data; it is in places where it has not existed before, and some of those were not around until the last couple of years. If HIPAA is going to ensure any ability to be honored, then it needs a path of regulation, and consumers need to be able to look up some of the basic, simple information, like who is selling data and are they profiting.
There are tons of profits out there when you look at Walgreen in 2020 making short of $800 million selling data only. Did that perk any ears on how much money data selling makes? Billions, HIPAA data and financial. There’s a good video at the link below about a former quant who worked for a hedge fund, and she’ll tell you how “intelligence” is used against the “dumb” investors, and the same happens with “dumb” patients. Let me clarify “dumb”, as this is not an attack by any means: “dumb” traders are those who have a 401k and are not actively trading in the market but own some stock. It is the same thing with patients; they are not actively tracking their own health data but have some of it, and like stock it gets sold for profit.
Some companies get away with not even letting you know they sell data, and this example is in the financial area. How does that work? It goes by loopholes in the law on how they describe their business. If the description is stretched a little or is just false, then they do not fall under any laws that require them to even tell the people whose data they have and sell that they have it to begin with. Read the link below about the guy making millions selling you and me. We have no access and no clue, and he gets by doing this due to how he classifies his business, by not claiming his business as a credit bureau.
Medical bills are one more area where items cross. Let’s take a look back at Accretive. They didn’t care about HIPAA until they lost a notebook with patient records on it that they were sharing with a Wall Street investor. See what I mean about having an overall conclusive privacy law? I had some Congressional assistant ask me my opinion about that and he thought they did it on purpose to get out of some current contracts with insurers and what could be farther from the truth.
We also have GINA in the privacy laws, one more good reason to bring HIPAA and full-on privacy laws together, as it relates to someone not being able to discriminate against you, like insurance companies, who already use the MIB to create studies about your mortality and when you will die, using anything genetic as a way to not pay claims or underwrite you. They tell you they are out to market you, so anyone spending any money on your care knows how long they have projected you will live. Nothing like feeling like an old used car when they get done with you. These folks are now collecting other insurance data too. I had my own case when I sold my home: my car insurer made a bad data match and out of the blue put the new owners on my car insurance policy as secondary drivers, and I had been moved and out of the house for 6 months, so that shows how flawed this gets. Someone thought I didn’t give complete enough information and added the flawed data. Read what the MIB pitches, as that’s one of the areas where they sell, to find information omitted, but they screw up with their flawed data on a simple address match.
Are these new HIPAA laws in place for them, and is anyone going to check? Probably not, as nobody looks at business models and we don’t have anywhere to look to see who sells data and what kind…CONSUMERS NEED THIS ON A FEDERAL WEBSITE AND EVERY ENTITY SHOULD HAVE TO PAY FOR A LICENSE TO SELL.
I understand data going for research to non-profits, and that’s not what this is about, but they should still be required to have a license to distribute data, again so we know who they are. Insurance companies make huge profits selling data and I think United almost invented it; they sell tons of data with Optima, which used to be the old Ingenix prescription profiling under a new name. I hear about the NIH and FDA going to lose funds; excise those billions being made on selling data and fund them. We don’t want to lose science, by all means.
Again, if you really understood this invisible world of data selling, your mouth would hit the floor at the billions companies and banks make. Read the link below, as it makes sense, and I sent the idea off to Francis Collins, so I do try. With such a huge tax revenue pool as this would create, device companies could get out from under their excise tax too, as they are just passing it along to us or the hospital, or else selling their data. The Wall Street Journal asked Medtronic if they were going to start selling data with the tax and they were not sure, yet.
What happens when the cloud goes down? Read this one about a home monitoring service, and yes, everyone learned from this event, including Amazon. Clouds have to be secure under HIPAA, and again we have privacy crossing here, as you have genomic information (under GINA) on clouds too.
The practice of no transparency, with consumers not knowing who has and sells their data, contributes to the big inequality problem we have. The video below ends with a great key point: who’s in control of the data and gets to create the algorithms that make life-impacting decisions about all of us, and will there be any privacy or any chance to stop inequality from growing? If you don’t license, what leg does a consumer or law enforcement agency of any kind have to help you…answer….none. Please watch “Are Algorithms Taking Over the World” and we better get some good ones to help with privacy issues. He says exactly what I have been writing about for a few years now: algorithms are not only able to do harm on Wall Street, they are all over and are dangerous when used out of proper context.
When you think about all of this, it comes back to “Laws With No Balls”…it’s all math, folks; you need algorithms to protect your privacy, and so HIPAA should be able to move outside of its silo where it is stuck and work to protect in all areas, new and old, where healthcare information is concerned. If HIPAA does not protect all the health data, then the other data should be protected under an overall umbrella privacy law. BD
New Rule Highlights
Over the coming weeks, CDT will be publishing in-depth analyses of selected topics in the regulations, but here are highlights of the more noteworthy changes:
- Under the old rules, if your medical records were lost or stolen or somehow compromised, those responsible for the security of your records didn't have to notify you unless there was a “significant risk” you would be “harmed” by the incident. Under the new rule, individuals will have the right to be notified of security breaches of unencrypted health information unless there is a low probability that the information was “compromised.” Subjective judgments are no longer part of the calculation when deciding whether or not to notify patients.
- Under existing HIPAA regulations, health data can be used without patient consent for marketing communications urging them to use a particular product or service. Under the new regulations, patients must first approve the use of their data for marketing communications if the maker of the product or service pays for that sales pitch. This is an important privacy protection, aimed specifically at addressing patient concerns about their personal health information being used for marketing without their consent. However, information gleaned from health records about any medication a patient is using can be used for subsidized marketing purposes as long as the payment for the communication is reasonable and does not generate a profit for the sender. In addition, face-to-face communications to patients about products and services are not considered marketing under long-standing HIPAA provisions.
- HIPAA doesn’t protect all health data, but its scope of coverage was expanded by HITECH – and the final rules put that expansion into effect. Individuals or persons who handle patient health information in order to perform services for an entity covered by HIPAA (doctors, hospitals, health plans) are also now accountable for complying with the HIPAA Privacy and Security Rules – and this accountability extends to any subcontractors that access data to help perform those services.
- The final rule clarified patients’ rights to receive an electronic copy of their health data, and to have that copy sent, at their request, somewhere else, for example, to a doctor, a caregiver, or a personal health record or mobile health app. The rule also clarified that patients have the right to receive electronic copies by insecure e-mail. Unfortunately, the final rule still allows entities covered by HIPAA to take up to 60 days to provide patients with requested records; however, the rule does encourage faster response when feasible.
The final rules are effective March 26, 2013; entities covered by the rule have another 180 days to comply with most provisions.
This final rule implements most of the HITECH provisions related to privacy and security; however, there are further rulemakings on the horizon. The final rule to implement changes to rules giving patients greater transparency about disclosures from electronic medical records is still in process.
In addition, HHS has yet to propose rules to implement the HITECH requirement that patients have the ability to receive a percentage of penalties or monetary settlements due to violations of HIPAA rules.
HHS has two other important privacy reports in the pipeline.
One looks at the privacy protections for personal health records not covered by HIPAA. The second report mandates guidance on how medical record holders can ensure they are collecting, using, and disclosing only the minimum necessary amount of health data appropriate to the task at hand.
https://www.cdt.org/blogs/deven-mcgraw/2501feds-boost-privacy-protections-medical-records