Whether people realize it or not, their every move online, and sometimes offline as well, is being captured by data brokers. These brokers feed a $50 billion market research industry with information that is primarily used to sell us things. Like those awesome wireless headphones you recently searched for and now seem to see everywhere you go online!
Data brokers capture individuals’ every move online and off to build profiles used to market goods and services – Source
This same data gathering and brokering is now being applied to patient data. Personal health information, genetic data, and even human cells themselves are being freely traded for commercial gain —often without the consumer being aware.
While there are some consumer protections in place, technological developments have outstripped their effectiveness.
The implications for individual privacy and property rights are significant, and consumers are beginning to look for better ways to protect and manage their personal health data.
Brokering patient data feeds big business
To get a sense of just how much personal health data is being collected, look at the 2017 10K filing for IQVIA, the leading healthcare research and data firm. IQVIA reports having “the largest and most comprehensive collection of healthcare information in the world.” With more than 530 million patient records, IQVIA says the data set they hold is more than 30 petabytes (a single petabyte is a million gigabytes) of proprietary data gathered from more than 120,000 data suppliers. IQVIA also boasts that it can provide information and insights about 85% of pharmaceuticals worldwide (measured against worldwide pharmaceutical sales in 2016).
Perhaps the largest broker of healthcare data in the world, IQVIA, boasts having over half a billion comprehensive, anonymized patient records in its database – Source
All kinds of health data are being scooped up, archived, and sold. Anything found in an electronic health record, from a diagnosis to your doctor’s notes, is being anonymized and then collected. Every sales transaction at a pharmacy is archived. Your steps, heart rate, and location data are being sent to the cloud. Even human cells and genetic material from biopsies are being captured and resold.
The many ways patient data is used may surprise you.
Some of it is used to develop new drugs, medical devices, and therapies. Some to market healthcare services and insurance coverage. Still other data finds its way to law enforcement agencies.
Human cells take on a life of their own
In 1951, a woman named Henrietta Lacks died of cervical cancer. Before she died, and without her or her family’s knowledge, scientists at Johns Hopkins gathered her cells to be used in research. Her cells were the first that were successfully grown in the lab, making them useful as a basis for ongoing scientific research.
Over the next 60 years, HeLa cells, as they became known, were grown in research labs and sold to pharmaceutical companies worldwide. HeLa cells were instrumental in the development of the polio vaccine, AIDS treatments, gene-mapping, cloning, in-vitro fertilization, and much more.
This portrait of Henrietta Lacks hangs in the Smithsonian National Portrait Gallery acknowledging her as “one of the most powerful symbols for informed consent.” – Source
HeLa cells, the first human biological materials ever bought and sold, launched a biomedical industry that today is worth hundreds of billions of dollars.
In her bestselling book, The Immortal Life of Henrietta Lacks, Rebecca Skloot explains that neither Henrietta Lacks nor her family received any compensation for the use of her cells.
Henrietta’s story launched a robust debate about issues around informed consent, patient privacy, and biological property rights. It’s a debate that shows no signs of slowing down. On the contrary, recent developments like the partnership between the consumer genomic company 23andMe and pharmaceutical giant GSK have only served to keep these debates going.
Genetic data tells more than your ancestry
The 23andMe announcement that it would share genetic data with GSK for the purpose of developing new drugs and therapies once again pushed the issue of biological property rights to the forefront. Through this agreement, both companies share the rights to profits and royalties that result from the use of their shared genetic data. The consumers who supplied the raw genetic data are not entitled to any compensation.
Several companies sell home genealogical DNA kits. Their ads promise that anyone can find out where their ancestors come from just by submitting a sample of saliva and paying around $100.
One company offers a way to fill out your family tree by matching your DNA to living relatives who have matching DNA samples in their database.
For a slightly higher fee some of these companies also report certain genetic predispositions to illness the consumer may have, such as breast cancer or psoriasis.
Some home DNA kits include reporting on genetic predisposition for certain illnesses – Source
What the ads don’t make clear is how this genetic data may be sold to third parties, including pharmaceutical or medical device companies, and nonprofit research organizations.
While all genealogical genetic data shared or sold by these companies is “anonymized” or “de-identified” privacy advocates, researchers, and the DNA kit companies themselves point out that this is not a guarantee of anonymity.
Just recently genetic material was used to identify and arrest a suspect in the case of the Golden State Killer from the 1970s. Investigators linked DNA found at a crime scene to a person who had a relative in the GEDmatch open source genealogical DNA database.
Commercial DNA companies have policies in place requiring a subpoena before surrendering genetic information to law enforcement. But, in this case, no subpoena was needed because the records searched by law enforcement were voluntarily submitted to an open source database.
Investigators found a DNA match to a distant relative (who lived in the 1800s) with their suspect, and from there created dozens of family trees made up of several thousand people. Based on their data model, police set up surveillance and collected a matching DNA sample from a 72-year-old retiree, who was eventually arrested and charged.
Home DNA kit companies offer people a way to opt out of having their data shared. However, more than 80% of 23andMe’s two million customers have consented to their genetic data being used for research. As the Golden State Killer case illustrates, since a person can be identified based on the DNA of a biological relative, opting out may not be sufficient to protect privacy.
Digital footprints leave health-related tracks everywhere
In our everyday lives we generate an incredible amount of data that can be linked to our health, often in surprising ways.
Take digital activity trackers. Much has been made of how these devices can improve health and healthcare. And their use continues to grow. In its annual consumer digital health survey, Rock Health found that use of digital health wearables grew from 13% in 2015 to 24% in 2017. These trackers collect and store data, often in the cloud, and typically include tools to enable data-sharing.
But trackers are just one of countless sources.
Loyalty card purchases are tracked as well. Our jobs and hobbies are used as data points for statistical profiling. Our zip code is used as a source of socio-demographic data. All of these data sources are being used to piece together our digital footprints.
Most of us don’t think about how our shopping habits, hobbies, or zip code could be compiled and interpreted in the context of our health.
In a recent article entitled Health Insurers Are Vacuuming Up Details About You — And It Could Raise Your Rates, Propublica reported that health insurers are joining forces with data brokers to collect personal information about hundreds of millions of Americans with little oversight or regulatory scrutiny. Much like a credit score, insurers and actuaries are working on a scoring algorithms that could impact both access to and the cost of health insurance.
Use of fitness trackers while on deployment has raised security concerns – Source
Do those of us using trackers know where all our data is going? Or how it’s being used? Probably not. Turns out, the U.S. military didn’t either.
Not until it was discovered that some fitness trackers were enabling the enemy to use heat maps on the internet to see the location of service personnel who were running or cycling. The heat maps revealed both the location and traffic patterns within military bases around the world—including some classified locations. As a result U.S. military personnel are now prohibited from using trackers while on deployment.
Legal protections are limited
There are few legal protections when it comes to the privacy and ownership of our health identity data. Laws governing the use of personal health data were enacted before the widespread use of wearables, activity trackers and the rise of big data. Laws affording us greater protection need to be updated or enacted to address the reality of today’s hyper-connected digital landscape.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, protects only the privacy of patient information held by healthcare providers, insurers, data clearinghouses, and their partners. HIPAA doesn’t apply to any health information that can be collected from wearables, at-home health tests, social media, or other online repositories.
GINA, the Genetic Information Nondiscrimination Act of 2008, bans employers and health insurance companies from accessing DNA information. However, GINA does not apply to life insurance, disability insurance, or long-term care policies. Which means that insurance companies selling these policies can access genetic data and use it to make decisions about price and coverage. Individuals who’ve gone through any genetic testing must disclose that information when asked by one of these insurers.
Questions remain as to just how far an individual’s biological property rights go. It’s commonly accepted that health records belong to the healthcare provider. Individuals often give up their ownership rights, without even realizing it, when they agree to the terms and conditions on social media platforms or some apps. And court cases like Moore v. Regents of University of California (1990) have ruled that an individual does not actually own their own biological cells.
The path ahead for biological privacy and property rights
Few people expect legislation anytime soon that will strengthen individual biological property or privacy rights.
In June 2016, the U.S. Department of Health and Human Services issued a report to Congress on the information not covered by HIPAA. The report was six years late and did not include any recommended policy changes.
In the face of legislative gridlock in Washington and strong financial incentives at work, consumers can’t necessarily count on policy or industry solutions. A new approach is needed.
There is a group of entrepreneurs and healthcare companies are working to bring new thinking and approaches to to collecting, securing, and trading the data that makes up our health identities.
In my next article I’ll explore these new solutions in more detail.