An article in the Washington Post today reported on the use by health and life insurers of identifiable prescription drug records to make coverage decisions. This data is actually acquired by companies that act as data brokers or analysts on behalf of insurers, and individuals applying for insurance consent to having their prescription drug data gathered and used for this purpose.
The article further notes that the gathering of this data will be even easier when this information is stored in electronic health records. This article exposes the limits of relying on individual consent to protect sensitive health information. The companies mentioned in the article (Ingenix, Milliman) who mine this data all claim to have relied on consent to obtain sensitive prescription drug histories. It’s no surprise that these individuals consented to having this information gathered about them – they had no other choice. When you need health or life insurance, or if you are seeking medical care, you will sign whatever form is put in front of you.
The article also exposes the limits of the federal privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which gives the federal government no basis to go after Ingenix or Milliman or any other intermediary entity for any misuse of health information or data breaches. If the public doesn’t trust that electronic health record systems will protect their privacy, we will never make further progress toward achieving an interconnected health data system that improves care. This article demonstrates clearly that patient consent is not the answer. Instead, we need clear limits on uses of an individual’s health information that are applicable to “downstream” entities that use or hold this information, as well as aggressive monitoring and enforcement of the law.