from the just-because-it's-your-genome,-don't-think-you-own-it dept
One of the biggest victories on the patent front was when the US Supreme Court finally ruled that naturally-occurring DNA cannot be patented. The company involved in this case, Myriad Genetics, didn't give up at this point, but tried to claim that despite this ruling, its patents on genetic testing were still valid. Fortunately, the courts disagreed, and struck down those patents too.
However, as we noted at the time, there's another issue that remains unresolved, which concerns the huge database of DNA that Myriad Genetics has built up over years of sequencing the BRCA1 and BRCA2 genes that have variants linked to cancer. Because of Myriad's unwillingness to provide that important data to the people whose DNA was sequenced, the American Civil Liberties Union (ACLU) has decided to take action:
On May 19, 2016, the ACLU filed a complaint pursuant to the Health Insurance Portability and Accountability Act ("HIPAA") with the U.S. Department of Health & Human Services ("HHS") on behalf of four patients against Myriad Genetics, a genetic testing laboratory based in Utah. The complaint was filed by patients who have experienced cancer, including breast and bladder cancers, or who are members of families with substantial histories of cancer.
All of the patients received genetic testing from Myriad Genetics in order to determine their hereditary risk for various forms of cancer and to guide treatment decisions. They later asked for all of their genetic information, not just the results, but Myriad refused to provide it. As the ACLU explains:
The patients want full access to their genetic information because they know that the understanding of genes and their variants is constantly evolving, and they want to be able to proactively monitor their own cancer risk and that of their family members as scientific knowledge and clinical interpretation of genomic information advances. Most importantly, the patients, many of whom have uncommon genetic variants, are concerned that Myriad controls much of the data about BRCA1 and BRCA2 genetic variants in a proprietary database. This impedes the ability of researchers to better understand whether these variants are connected with various types of cancer. The patients want to have the option of sharing their data with the broader research community.
The last point is key. Myriad is sitting on a wealth of information that might well lead to new treatments and even cures for the many cancers involved. Instead, it is asserting its proprietorial right over DNA that comes from other people. That's particularly egregious since the scientists who first sequenced DNA on a large scale were pioneers in data sharing. As early as 1996, laboratories taking part in the Human Genome Project not only agreed to share their data, but to do so immediately, and with no restrictions. Myriad Genetics' action is totally at odds with the ethos of sharing that lies at the heart of genomics.
As a blog post on the ACLU site notes, on the eve of the HIPAA complaint being filed, Myriad suddenly agreed to provide the information requested, but only on a "voluntary" basis. That is, it refused to recognize the broader rights of patients to their own genetic information. However, the ACLU believes that the law is straightforward here:
Patients are guaranteed access to their health information -- including their genetic data -- under HIPAA. In 2014, the U.S. Department of Health and Human Services amended the HIPAA regulations to make clear that all laboratories, which were previously exempted, are subject to this obligation. And earlier this year, HHS released guidance stating that with respect to genetic testing, patients have a right to access "not only the laboratory test reports but also the underlying information generated as part of the test," including "the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test."
Let's hope this case leads to yet another defeat for Myriad, and establishes once and for all that DNA sequences belong to the people from whom they were obtained. That way they will be free to make data available to researchers for the benefit of everyone, not just for a few companies like Myriad Genetics.
Burned by negative reviews, some health providers are casting their patients' privacy aside and sharing intimate details online as they try to rebut criticism.
In the course of these arguments -- which have spilled out publicly on ratings sites like Yelp -- doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients' diagnoses, treatments and idiosyncrasies.
One Washington state dentist turned the tables on a patient who blamed him for the loss of a molar: "Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root," he wrote. "This tooth is no different."
In California, a chiropractor pushed back against a mother's claims that he misdiagnosed her daughter with scoliosis. "You brought your daughter in for the exam in early March 2014," he wrote. "The exam identified one or more of the signs I mentioned above for scoliosis. I absolutely recommended an x-ray to determine if this condition existed; this x-ray was at no additional cost to you."
And a California dentist scolded a patient who accused him of misdiagnosing her. "I looked very closely at your radiographs and it was obvious that you have cavities and gum disease that your other dentist has overlooked. ... You can live in a world of denial and simply believe what you want to hear from your other dentist or make an educated and informed decision."
Health professionals are adapting to a harsh reality in which consumers rate them on sites like Yelp, Vitals and RateMDs much as they do restaurants, hotels and spas. The vast majority of reviews are positive. But in trying to respond to negative ones, some providers appear to be violating the Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA. The law forbids them from disclosing any patient health information without permission.
Yelp has given ProPublica unprecedented access to its trove of public reviews -- more than 1.7 million in all -- allowing us to search them by keyword. Using a tool developed by the Department of Computer Science and Engineering at the NYU Polytechnic School of Engineering, we identified more than 3,500 one-star reviews (the lowest) in which patients mention privacy or HIPAA. In dozens of instances, responses to complaints about medical care turned into disputes over patient privacy.
The patients affected say they've been doubly injured -- first by poor service or care and then by the disclosure of information they considered private.
The shock of exposure can be effective, prompting patients to back off.
"I posted a negative review" on Yelp, a client of a California dentist wrote in 2013. "After that, she posted a response with details that included my personal dental information. … I removed my review to protect my medical privacy."
The consumer complained to the Office for Civil Rights within the U.S. Department of Health and Human Services, which enforces HIPAA. The office warned the dentist about posting personal information in response to Yelp reviews. It is currently investigating a New York dentist for divulging personal information about a patient who complained about her care, according to a letter reviewed by ProPublica.
The office couldn't say how many complaints it has received in this area because it doesn't track complaints this way. ProPublica has previously reported about the agency's historic inability to analyze its complaints and identify repeat HIPAA violators.
Deven McGraw, the office's deputy director of health information privacy, said health professionals responding to online reviews can speak generally about the way they treat patients but must have permission to discuss individual cases. Just because patients have rated their health provider publicly doesn't give their health provider permission to rate them in return.
"If the complaint is about poor patient care, they can come back and say, 'I provide all of my patients with good patient care' and 'I've been reviewed in other contexts and have good reviews,' " McGraw said. But they can't "take those accusations on individually by the patient."
McGraw pointed to a 2013 case out of California in which a hospital was fined $275,000 for disclosing information about a patient to the media without permission, allegedly in retaliation for the patient complaining to the media about the hospital.
Yelp's senior director of litigation, Aaron Schur, said most reviews of doctors and dentists aren't about the actual health care delivered but rather their office wait, the front office staff, billing procedures or bedside manner. Many health providers are careful and appropriate in responding to online reviews, encouraging patients to contact them offline or apologizing for any perceived slights. Some don't respond at all.
"There's certainly ways to respond to reviews that don't implicate HIPAA," Schur said.
In 2012, University of Utah Health Care in Salt Lake City was the first hospital system in the country to post patient reviews and comments online. The system, which had to overcome doctors' resistance to being rated, found positive comments far outnumbered negative ones.
"If you whitewash comments, if you only put those that are highly positive, the public is very savvy and will consider that to be only advertising," said Thomas Miller, chief medical officer for the University of Utah Hospitals and Clinics.
Unlike Yelp, the University of Utah does not allow comments about a doctor's medical competency, and it does not allow physicians to respond to comments.
In discussing their battles over online reviews, patients said they'd turned to ratings sites for closure and in the hope that their experiences would help others seeking care. Their providers' responses, however, left them with a lingering sense of lost trust.
Angela Grijalva brought her then 12-year-old daughter to Maximize Chiropractic in Sacramento, Calif., a couple years ago for an exam. In a one-star review on Yelp, Grijalva alleged that chiropractor Tim Nicholl led her daughter to "believe she had scoliosis and urgently needed x-rays, which could be performed at her next appointment. … My daughter cried all night and had a tough time concentrating at school."
But it turned out her daughter did not have scoliosis, Grijalva wrote. She encouraged parents to stay away from the office.
Nicholl replied on Yelp, acknowledging that Grijalva's daughter was a patient (a disclosure that is not allowed under HIPAA) and discussing the procedures he performed on her and her condition, though he said he could not disclose specifics of the diagnosis "due to privacy and patient confidentiality."
"The next day you brought your daughter back in for a verbal review of the x-rays and I informed you that the x-rays had identified some issues, but the good news was that your daughter did not have scoliosis, great news!" he recounted. "I proceeded to adjust your daughter and the adjustment went very well, as did the entire appointment; you made no mention of a 'misdiagnosis' or any other concern."
In an interview, Grijalva said Nicholl's response "violated my daughter and her privacy."
"I wouldn't want another parent, another child to go through what my daughter went through: the panic, the stress, the fear," she added.
Nicholl declined a request for comment. "It just doesn't seem like this is worth my time," he said. His practice has mixed reviews on Yelp, but more positive than negative.
A few years ago, Marisa Speed posted a review of North Valley Plastic Surgery in Phoenix after her then–3-year-old son received stitches there for a gash on his chin. "Half-way through the procedure, the doctor seemed flustered with my crying child. ...," she wrote. "At this point the doctor was more upset and he ended up throwing the instruments to the floor. I understand that dealing with kids requires extra effort, but if you don't like to do it, don't even welcome them."
An employee named Chase replied on the business's behalf: "This patient presented in an agitated and uncontrollable state. Despite our best efforts, this patient was screaming, crying, inconsolable, and a danger to both himself and to our staff. As any parent that has raised a young boy knows, they have the strength to cause harm."
Speed and her husband complained to the Office for Civil Rights. "You may wish to remove any specific information about current or former patients from your Web-blog," the Office for Civil Rights wrote in an October 2013 letter to the surgery center.
In an email, a representative of the surgery center declined to comment. "Everyone that was directly involved in the incident no longer works here. The nurse on this case left a year ago, the surgeon in the case retired last month, and the administrator left a few years ago," he wrote.
Reviews of North Valley Plastic Surgery are mixed on Yelp.
Health providers have tried a host of ways to combat negative reviews. Some have sued their patients, attracting a torrent of attention but scoring few, if any, legal successes. Others have begged patients to remove their complaints.
Jeffrey Segal, a one-time critic of review sites, now says doctors need to embrace them. Beginning in 2007, Segal's company, Medical Justice, crafted contracts that health providers could give to patients asking them to sign over the copyright to any reviews, which allowed providers to demand that negative ones be removed. But after a lawsuit, Medical Justice stopped recommending the contracts in 2011.
Segal said he has come to believe reviews are valuable and that providers should encourage patients who are satisfied to post positive reviews and should respond -- carefully -- to negative ones.
"For doctors who get bent out of shape to get rid of negative reviews, it's a denominator problem," he said. "If they only have three reviews and two are negative, the denominator is the problem. ... If you can figure out a way to cultivate reviews from hundreds of patients rather than a few patients, the problem is solved."
from the the-constant-hassle-of-minimal-paperwork-thwarted-yet-again! dept
Medical records have long been given an increased expectation of privacy, something that dates back to before the passage of HIPAA. (See also: Hippocratic Oath.) Consultations with doctors -- and the written records resulting from them -- have generally been treated as confidential, seeing as they contain potentially embarrassing/damaging information. Personal health information can be reported to law enforcement for many reasons: suspicion of criminal activity on the health entity's property, suspicion of criminal activity related to an off-site emergency, reporting a death, patients with stabbing/gunshot wounds, or in the case of a serious/immediate threat. Otherwise, HIPAA's rules for law enforcement say personal information can only be released under the following conditions:
To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or an administrative request from a law enforcement official (the administrative request must include a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used).
The Drug Enforcement Administration has been sifting through hundreds of supposedly private medical files, looking for Texas doctors and patients to prosecute without the use of warrants.
What the DEA is using instead is a blend of impersonation and administrative permission slips sporting the agency's own signature.
Instead, the agents are tricking doctors and nurses into thinking they’re with the Texas Medical Board. When that doesn’t work, they’re sending doctors subpoenas demanding medical records without court approval.
“It’s not like there’s ten of them. There’s probably thousands — I know there are thousands,” Matt Barden, spokesman for the DEA, told the Daily Caller News Foundation about the DEA’s use of administrative subpoenas.
Early last year, a federal court in Oregon ruled the DEA could not access the state's prescription database without a warrant. Unfortunately, this was due to Oregon's state laws being more restrictive than federal law. A federal judge in Texas reached the opposite conclusion, finding that the DEA's use of administrative subpoenas complied with both HIPAA and state law. This decision is now headed for the Fifth Circuit Court of Appeals, where it is hoped a finding similar to the decision in Oregon will be the end result. But judging from the laws in place, that outcome is doubtful.
While the DEA's use of administrative subpoenas appears to comply with HIPAA's restrictions, its repeated attempts (many of them successful) to access medical records with no paperwork whatsoever seem less likely to stand up to legal scrutiny.
The Dallas-area doctors bringing the lawsuit against the DEA have uncovered plenty of DEA subterfuge. In their case, three DEA agents showed up at their offices with a state medical board investigator. Only the investigator identified herself. The agents remained silent, allowing the nurse to believe they, too, were with the state medical board.
The state medical board may have every right to view medical records without any accompanying paperwork, but that's because this information falls directly under its purview. The DEA, however, is looking to build criminal cases. This brings with it additional Fourth Amendment considerations and, at the very least, should bind it to the minimal restrictions of HIPAA. Apparently, issuing its own permission slips is still too much work and the delivered paperwork might accidentally restrict it to only certain medical records pertaining to certain people. By impersonating medical board members, agents have unrestricted access to whatever they ask for.
As Watchdog's Jon Cassidy points out, patients who'd like their privacy respected may want to seek their prescriptions and refills… elsewhere.
The DEA’s practice of avoiding warrant requirements has produced this absurdity: If you have a prescription for Adderall or OxyContin, you might be safer getting your drugs on the street than through your own doctor.
Street dealers, after all, don’t keep patient records, and they’re afforded more constitutional protections than medical practitioners. That is, cops still need a warrant to search them.
While the latter isn't strictly true in all cases, it's true enough to show how limited the protections of HIPAA actually are. The more disturbing aspect is that the DEA isn't even satisfied with near-instant access to a wealth of medical records provided by administrative subpoenas. It apparently only uses the correct paperwork as Plan B, preferring to mislead medical practitioners by allowing them to believe its agents are investigators working for the state medical board.
Earlier this week, the Ninth Circuit heard oral arguments in a challenge to the NSA's phone metadata program. While watching, I noticed some quite misleading legal claims by the government's counsel. I then reviewed last month's oral arguments in the D.C. Circuit, and I spotted a similar assertion.
In both cases, the government attorney waved away constitutional concerns about medical and financial records. Congress, he suggested, has already stepped in to protect those files.
With respect to ordinary law enforcement investigations, that's only slightly true. And with respect to national security investigations, that's really not right.
During Smith, the Ninth Circuit case, there was an extended line of questioning about various sorts of business records. Judge Hawkins kicked it off:
Suppose the National Security Agency wanted access to all utility records. Nationwide. Would that rationale apply?
Subsequent discussion touched on hotel and financial records. Then Judge McKeown asked:
What about medical records?
The Department of Justice attorney responded:
Well medical records, Judge McKeown I'm so glad you asked that because this is really an important point, medical records would be subject to HIPAA, among other protections.
A similar question in Klayman, the D.C. Circuit case, drew a similar response.
HIPAA, in your example Judge Brown, would govern the restrictions, would impose restrictions on the proper use of medical information.
Later in the Smith argument, counsel reemphasized the importance of HIPAA, including:
But I think the significance of HIPAA can't be discounted.
Here's the catch: the HIPAA privacy rules have special exceptions for law enforcement and national security investigations.
The law enforcement provision is very broad. It covers all the usual police procedures, including subpoenas. Those don't require a judge's advance permission, and they also require much less basis than probable cause.
A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333).
In non-legalese: HIPAA just doesn't apply to the NSA.[1] And yet, in two separate NSA appeals, the government has emphasized HIPAA.[2]
In the Smith argument, government counsel twice noted that Congress has enacted privacy protections for financial records.
Following Miller, Congress enacted the financial privacy protections by statute.
In response to Miller, that Congress enacted a bank records protection of privacy . . .
Similarly, in Klayman:
For example, following the Miller case, Congress passed a statute governing the secrecy of bank records.
As background, United States v. Miller held that routine financial records are not protected by the Fourth Amendment. Two years later, Congress passed the Right to Financial Privacy Act… which largely codified Miller. Law enforcement agencies can still access financial records with just a subpoena.[3]
What's more, RFPA includes a special set of national security procedures. Federal grand jury subpoenas and warrants aren't covered by RFPA, so long as the investigating agency self-certifies “there may result a danger to the national security of the United States.”
RFPA also includes a National Security Letter provision. In counter-intelligence and counter-terrorism investigations, the FBI (and, by proxy, the NSA) doesn't even need a grand jury subpoena. It can demand financial records with a mere self-certification.
So, once again: in a national security appeal, why emphasize privacy protections that don't extend to national security investigations?
Section 215 of the USA PATRIOT Act
The precise statutory provision at issue in Smith and Klayman is Section 215 of the USA PATRIOT Act. It allows FBI (and NSA) access to any business records when conducting a counter-intelligence or counter-terrorism investigation.[4] A FISA judge's approval is required, though the standard for issuance is very low.
In sum: not only are national security investigations generally outside HIPAA and RFPA, but the very same authority at issue in Smith and Klayman allows access to medical and financial records.
Reasonable minds can disagree on whether the government's representations in Smith and Klayman were literally false. At minimum, they were highly misleading.
United States privacy law is notoriously convoluted. But this much is certain: medical and financial records are, by statute and rule, readily available to the intelligence community. The executive branch shouldn't even hint otherwise.
Thanks to the colleagues who provided feedback on the legal analysis in this post. All views are solely my own.
1. In most instances of domestic surveillance, NSA requests are passed through the FBI. Since the National Security Act designates the FBI as a member of the intelligence community, its national security investigations are also unregulated by HIPAA.
2. In a charitable interpretation, the attorney misspoke while attempting to note that Congress can craft more nuanced privacy rules than the courts, and that Congress can provide privacy protections beyond the Fourth Amendment. Those points are undoubtedly true, though undoubtedly known to the judges.
3. A plain reading of RFPA suggests some privacy protection: targets receive advance notice of a subpoena and have an opportunity to contest the subpoena. In everyday practice, however, RFPA's delayed notice provisions have swallowed the rule. Law enforcement agencies routinely obtain court orders that both eliminate the advance notice requirement and temporarily gag financial institutions from disclosure.
4. Where U.S. persons aren't involved, any foreign intelligence purpose is sufficient.
from the the-War-on-Drugs-has-no-time-for-your-outdated-'rights' dept
Early last year, the news surfaced that the DEA was bypassing Oregon state law by using administrative subpoenas to get around the state's warrant requirement for drug prescription database access. "Administrative subpoenas" are yet another government tool that allows agencies to seek information that would normally require a warrant, but without the hassle of running it past a judge or even showing probable cause.
For the first time, a federal judge has ruled that patients have a reasonable expectation of privacy in their drug prescription records, and that law enforcement must obtain a warrant in order to search such information…
“This is a victory for privacy and for the constitutional rights of anyone who ever gets drug prescriptions,” said ACLU Staff Attorney Nathan Freed Wessler, who argued the case last month. “The ruling recognizes that confidential medical records are entitled to the full protection of the Fourth Amendment. The court rightly rejected the federal government’s extreme argument that patients give up their privacy rights by receiving medical treatment from doctors and pharmacists.”
As the ruling points out, citizens have long associated privacy with medical treatment, an association dating back to the 4th century B.C.E. and the origin of the Hippocratic Oath. It also points out the obvious: federal law itself (HIPAA) contains built-in privacy protections. (Hence the form you have to sign, the privacy info sheet you're handed on every visit, and signs everywhere telling you to stand behind them for the privacy of the patient in front of you.)
The judge's decision also notes that stripping away this expectation of privacy will have a chilling effect on those seeking medical care, something that could have very adverse effects on the health of people who might avoid seeking treatment because they fear their medical records will be exposed.
As the ACLU notes in its press release, it's not exactly happy the state of Oregon has chosen to create a centralized database of drug prescriptions, but, if it is going to do so, it has at least chosen to take the privacy of those contained in the database very seriously.
This decision strikes a small blow against the government's routine abuse of "exceptions" to warrant requirements as well as against its even more routine abuse of the "third party doctrine," which the DEA actually used to claim that talking to a doctor is no different than dialing a phone. The DEA knows there's a huge difference between these two "third parties" but applying that knowledge means showing probable cause and getting a judge to sign off on the warrant, two aspects it apparently feels only hamper its War on Drugs.
At some point, some national group is going to have to get the memo out to local law enforcement agencies within the United States that it is perfectly legal to record them while they operate in public. We've seen case after case after case of citizens having their property taken away or being charged with trumped up crimes all because they pointed a recording device at the police. Hell, some states have tried to enact unconstitutional laws to back up their ill-conceived and unwarranted positions.
All that being said, you just have to hand it to a police force up in Minnesota for the sheer cojones it took to do what they did. It started as other stories have, with a citizen, Andrew Henderson, recording police as they frisked a bloodied man before he was loaded into an ambulance and then having an officer take his recording device away.
The deputy, Jacqueline Muellner, approached him and snatched the camera from his hand, Henderson said.
"We'll just take this for evidence," Muellner said. Their voices were recorded on Henderson's cellphone as they spoke, and Henderson provided a copy of the audio file to the Pioneer Press. "If I end up on YouTube, I'm gonna be upset."
We've seen this kind of thing before, of course. Police use the excuse of evidence collecting to take away recording devices, which is really the only thing they're interested in. It's wrong. We get that. Usually some kind of internal review of the incident is triggered, asses are officially covered, and then the recording device is returned, sometimes after having been wiped. It's a bad enough story as it stands.
And that scenario is almost exactly what happened here, as the spokesman for Ramsey County acknowledged in a quote that citizens have the right to record police. But everyday abusive practices aren't enough for Ramsey County officers, apparently. The only thing that will satisfy them appears to be a new level of bullshit hitherto unseen, because a week later, when Henderson went to retrieve the camera, the police charged him with disorderly conduct and obstruction, with the citation noting that this was due to a "Data privacy HIPAA violation." In case you aren't clear on this, in the blogging industry, we refer to this as a massive amount of bullshit (piles and piles of it).
The allegation that his recording of the incident violated HIPAA, or the federal Health Insurance Portability and Accountability Act, is nonsense, said Jennifer Granick, a specialist on privacy issues at Stanford University Law School. The rule deals with how health care providers handle consumers' health information.
"There's nothing in HIPAA that prevents someone who's not subject to HIPAA from taking photographs on the public streets," Granick said. "HIPAA has absolutely nothing to say about that."
The kicker? The deputy who had taken the camera for "evidence" purposes erased all the footage. The exchange in which she took that camera was audio recorded by Henderson separately on his cell phone, a recording which he still has. I would suggest that if the police do not immediately rescind their trumped up charges against him, Henderson should insist that we take the deputy at her word, assume she collected the camera and its footage as evidence, and then we can all begin discussing how much prison time the deputy should be doing for destruction of evidence and obstruction of justice.
That's no more crazy than anything the police have done in this story.
Privacy. Everybody talks about it. Grandstanding politicians make plenty of loud noises in the general direction of the internet, disparaging it for turning your perusal of Kim Kardashian-related articles into targeted ads for breast enhancement surgery and Kanye West tickets. Of course, while these politicians are making all this noise about your privacy, they're quietly signing off on efforts allowing them to sneak in the backdoor and raid your browser history.
Putting the government in charge of your privacy has never been a great idea. When HIPAA was enacted, its privacy requirements greatly affected the medical community. Like many regulatory acts, HIPAA both raised costs (additional paperwork and other compliance factors) and lowered quality (negatively affecting retrospective research and curtailing proactive follow-up care).
Vioxx, the non-steroidal anti-inflammatory drug once prescribed for arthritis, was on the market for over five years before it was withdrawn from the market in 2004. Though a group of small-scale studies had found a correlation between Vioxx and increased risk of heart attack, the FDA did not have convincing evidence until it completed its own analysis of 1.4 million Kaiser Permanente HMO members. By the time Vioxx was pulled, it had caused between 88,000 and 139,000 unnecessary heart attacks, and 27,000-55,000 avoidable deaths.
Even the government's own regulators were stymied by HIPAA's privacy requirements, as was pointed out by Dr. Richard Platt, a drug risk researcher for the FDA:
The Vioxx debacle is a haunting illustration of the importance of large-scale data research. If researchers had had access to 7 million longitudinal patient records, a statistically significant relationship between Vioxx and heart attack would have been revealed in under three years. If researchers had had access to 100 million longitudinal patient records, the relationship would have been discovered in just three months. Of course, if public health researchers did post-market studies that looked for everything all the time, many of the results that look significant would be the product of random noise. But even if it took six months or one year to become confident in the results from a nation-wide health research database, tens of thousands of deaths may have been averted.
At least as troubling as the fact that several thousand deaths could have been prevented if HIPAA's restrictions and terms had not been so limiting is the fact that the privacy stipulations were put into place based on a faulty premise and the Dept. of Health and Human Services' misplaced confidence in the erroneous results.
The premise, as demonstrated by Massachusetts graduate student Latanya Sweeney, was that patient reidentification was possible using only voter registration records and Massachusetts Group Insurance Commission's (GIC) anonymized records. Sweeney was able to reidentify Governor Weld using voter record information, including birth date, name, address, zip code and sex and cross-referencing it with GIC's data. But, as Info/Law points out, Sweeney made a couple of errors, not the least of which was conflating two different terms:
Latanya Sweeney used census data to estimate that 87% of the population has a unique combination of 5-digit zip code, birthdate, and gender, and implied that the same sort of attack, using voter registration records or other public files. Philippe Golle's replication corrected the figure to 63%, though that's hardly comforting. But these uniqueness statistics are rather misleading. There is an important difference between distinguishability and identifiability. Distinguishability is a necessary condition to conduct the sort of matching attack that Ohm describes, but it is not sufficient. Latanya Sweeney conflated the two when she suggested that a unique individual can be identified by linking the unique combination of attributes to public records (voter registration records, e.g.). But public records are never complete. We know, for example, that a significant portion of the population is not registered to vote. How was Sweeney so sure that there was not another man who shared Gov. Weld's birth date and zip code who was not registered to vote?
Not only was the data set incomplete, but it was overly simplistic and off by a large margin:
Daniel Barth-Jones has recently uploaded a fascinating new article that revisits the famous Gov. Weld reidentification. To start with, Sweeney's estimate of the Cambridge population is way off. There were nearly 100,000 people living in Cambridge at the time of the William Weld attack. This should have been the first hint that Sweeney's methodology was overly simple. She reported a population of 54,000 because that is the number of Cambridge residents who were registered to vote. Sweeney used these records as if they described the entire population.
By comparing Sweeney's count of Cambridge voter registrants with U.S. Census records, Barth-Jones confirmed that many voting-age adults in Cambridge (about 35%) were not registered to vote. In William Weld's case, the census data show that approximately 174 men living in Weld's zip code were Weld's age. We don't know their precise birth dates, but we can calculate that the chance another man living in Weld's zip code shared his birthdate was about 35%. This is quite important all on its own to illustrate the difference between identifiability and distinguishability. Most of those 174 men had a unique combination of birth date, gender, and zip code, but each one of them was quite likely (35% likely) to be non-unique.
Sweeney presumably used the voter registration records to rule out the possibility that some of these 174 Cambridge men shared Gov. Weld's birth date. But even if Sweeney did indeed confirm that no other registered voter shared Weld's gender, zip, and birth date, she could not have been sure about the 50 or so Cambridge residents who were Weld's age and were not registered to vote. Thus, at best, Weld's chance of having a unique birth date, zip code, and gender combination is 87%. Put differently, the chance that Latanya Sweeney's matching attack would have been wrong using these three variables alone was 13%, much worse than traditional 5% statistical confidence.
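The gap between distinguishability and identifiability described in the quoted passage can be checked numerically, which is how a data custodian would estimate match confidence before a release. This is an added example, not part of the quoted article or of Barth-Jones's paper; it assumes birth dates are uniform over 365 days within one birth year, and derives 124 registered men from the passage's 174 and "50 or so" figures.

```python
import random

DAYS = 365  # assumption: birth dates uniform within a single birth year


def p_false_match(unregistered: int, days: int = DAYS) -> float:
    """Chance that at least one person missing from the register shares the
    target's birth date, so a 'unique' register match may be the wrong man."""
    return 1.0 - (1.0 - 1.0 / days) ** unregistered


def simulate(cohort: int, registered: int, trials: int, seed: int = 1):
    """Monte Carlo over a cohort that already shares zip code, sex and birth year.

    Person 0 is the target and is on the register; people at index
    >= registered are not. Returns (distinguishable, identifiable): the
    share of trials where the target's birth date is unique on the register,
    and, among those, the share where it is also unique in the whole cohort.
    """
    rng = random.Random(seed)
    unique_on_register = unique_in_cohort = 0
    for _ in range(trials):
        bdays = [rng.randrange(DAYS) for _ in range(cohort)]
        target = bdays[0]
        if bdays[:registered].count(target) != 1:
            continue  # register lookup is ambiguous, no match is claimed
        unique_on_register += 1
        if bdays.count(target) == 1:
            unique_in_cohort += 1
    if unique_on_register == 0:
        return 0.0, 0.0
    return unique_on_register / trials, unique_in_cohort / unique_on_register


if __name__ == "__main__":
    # Figures from the passage: 174 men of the target's age in the zip code,
    # about 50 of them unregistered (124 registered is derived, not quoted).
    print(f"closed-form false-match risk: {p_false_match(50):.1%}")
    dist, ident = simulate(cohort=174, registered=124, trials=20000)
    print(f"unique on register: {dist:.1%}; of those, truly unique: {ident:.1%}")
```

The closed form and the simulation agree on roughly an 87% chance that a unique register match is the right person, which is the 13% error rate the passage cites.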
Despite these erroneous assumptions based on incomplete data, the Dept. of Health and Human Services stated the study had shown that "97 percent of the individuals in Cambridge whose data appeared in a database which contained only their nine digit ZIP code and birth date could be identified with certainty." This completely ignores the fact that over a third of the population wouldn't even show up on the list.
But bad data and faulty research have never stopped governmental "progress." The threat of reidentification is low and any attacks remain purely speculative. But while bad regulations have a tendency to be able to weather even the toughest criticism without making the slightest concessions, HIPAA has one thing most bad regulations don't, as Info/Law points out: "a body count."