My father practiced medicine for 45 years, from 1941 when he graduated from medical school until his retirement in 1986.
Shortly after his retirement, I received a package from him in the mail. It contained a slender green file folder with my medical records. The contents themselves weren’t especially interesting; what was noteworthy is that they weren’t shared with anyone else. If I wanted someone else to see them – my physician, for instance – I needed to provide the physical records.
But in the last four decades, there’s been a seismic shift in how medical records are maintained and distributed in the US. Today, at least 85% of physicians practicing in offices maintain electronic health records (EHRs). And more than 90% of hospitals use them.
As well, there’s been an explosion in technology that facilitates the sharing of your health care records. Wearable devices such as WHOOP, Catapult, and Fitbit monitor your heart rate and sleep and track your food intake. Some wearables even track when you have sex and provide recommendations on how to please your partner. Others alert you when you’ve consumed too much alcohol.
Artificial intelligence (AI) has also revolutionized health care. One of the ways it’s done that is by predicting health care outcomes. For instance, an AI algorithm like those that Netflix and Spotify use to recommend content was recently found to predict heart attacks and death with 90% accuracy.
EHRs, wearables, and AI all provide significant benefits in health care. If your doctor or hospital uses EHRs, you can view and download your own health care data anytime. What’s more, any new health care provider you visit has near-instant access to those records. Wearables give you real-time feedback on your heart rate, diet, and lifestyle choices that could affect your health. And AI gives health care providers the tools to target the most vulnerable patients for potentially lifesaving treatment.
But who owns the records associated with these technologies? And can they be used against you? The answers to those questions are more complicated than you might think.
No federal law specifies who owns your medical records. A 1996 law, the Health Insurance Portability and Accountability Act (HIPAA), prohibits health care providers from disclosing these records except under certain circumstances. But neither HIPAA itself nor the regulations issued to interpret it to specify who owns the data.
Copyright laws protect the intellectual property of the individual or company who creates an “original work of authorship.” For instance, the content I create on Nestmann.com is protected by copyright. In the same manner, doctors and hospitals who “create” medical records may own the intellectual property they represent.
Only one state – New Hampshire – has legislation in effect which assigns patients the ownership of their own medical records. Twenty other states stipulate that your doctor or other medical provider owns them. In the remaining 29 states, no legislation assigns ownership of your medical records, so it’s up to health care providers to make that determination.
HIPAA gives patients privacy, security, and accuracy rights related to the information that doctors and hospitals maintain. As the legal custodian of the records, health care providers have a duty of care and protection. When you visit a doctor or hospital, you will be asked to sign a HIPAA disclosure document, which specifies the conditions under which these records may be released. For instance, if you pay for treatment with health insurance, the disclosure statement makes it clear that the provider can share your health care data with the insurance company.
But HIPAA has significant privacy loopholes. One of the most worrisome loopholes is that health care providers can “de-identify” your data. At that point, it’s no longer protected under HIPAA. And a multi-billion-dollar industry has developed that analyzes de-identified data. Pharmaceutical companies routinely purchase data to obtain information about patient history and outcomes. You don’t own this data; it’s owned by the companies that purchase or store it. Indeed, many companies that process EHR data require health care providers to share de-identified data for whatever purpose the processor deems appropriate.
What’s more, AI can re-identify de-identified data with astonishing accuracy. A recent study of more than 14,000 de-identified patient records found that at least 94% of these records could be re-identified using machine learning algorithms. As the lead researcher in the study put it,
Imagine Facebook gathering step data from the [healthcare] app on your smartphone, then buying healthcare data from another company and matching the two … Now they would have healthcare data that's matched to names, and they could either start selling advertising based on that or they could sell the data to others.
Who else might be interested in this data – re-identified or otherwise?
Your employer would be, especially if it pays for your health insurance. A growing number of employers offer or even require employees to use sports wearables both on and off the job to spur them into a healthier lifestyle. That can help bring down skyrocketing health insurance premiums. The data these wearables gather isn’t protected by HIPAA unless it is specifically part of a group health plan. So if your employer – and not your group health insurance plan – requires you to use a sports wearable, the data it gathers can be used for any purpose the employer sees fit.
For instance, your employer might pay a data aggregator to combine your Fitbit data with your credit scores to decide whether to offer you a promotion – or fire you. If you have a low credit score, are overweight, don’t get enough sleep, and drink too much, you’ll stand out as especially high-risk. But even if you don’t fit this profile, employers can require that you consent to health monitoring 24 hours a day if you want to keep your job.
Life insurance companies want access to this data as well. When I purchased a life insurance policy in 1984, I had to undergo a medical checkup. After reviewing the results, the insurance company issued the policy. Other than paying the annual premium, I’ve had zero interaction with the company that issued the policy for nearly four decades.
But if you purchase a life insurance policy today, you’ll likely need to consent to ongoing monitoring to get the best rate. For instance, if you buy a life insurance policy from John Hancock, you’ll need to use a sports wearable to get the best rates. You have two choices: consent to 24/7 tracking or pay a higher premium.
There are no easy ways to deal with the growing demand for continuous access to your health data. Here are a few suggestions:
- Find a health-care provider that allows you to pay for care directly without submitting claims to your insurance provider. There’s a list at this link.
- Consider seeking medical treatment outside the US. Health care costs tend to be much lower in other countries, especially if you don’t have health insurance. “Medical tourism” is a multi-billion-dollar business; one source for more information on your options is here.
- If you want a sports wearable that doesn’t broadcast your data to all comers, look at this article for some ideas on what to buy.
- Try to avoid health risk assessments or allowing your employer or insurance company to put you under 24/7 lifestyle surveillance.
The threats to the privacy of your health data aren’t going away. Indeed, it’s likely they’ll get worse as the relentless rise in the cost of medical care forces employers and insurance companies to develop new tools to control expenses. But by taking these precautions, you can reduce the likelihood that this data will be used against you.
