I just got a COVID-19 test — who now knows I got it?

Labs and other companies make millions selling bundles of medical data—and it’s not as anonymized as you might think

Isn’t health information private?

That health information is supposed to be impossible to trace back to the patients involved—but things don’t always end up working out that way.

Despite requirements to remove identifiable data, canny researchers have shown that it’s possible to mine the remaining data to identify patients. In 2013, researchers compared de-identified data with news reports on hospitalizations in Washington State and were able to tie health data to names for 35 of 81 news reports. Similar results have been reproduced in other states.

Michelle Mello, a professor of law and medicine at Stanford University who studies health policy, said that HIPAA, written in the 1990s to ensure patient privacy, didn’t fully account for how powerful computers could be used to deanonymize data.

“De-identified ain’t what it used to be,” she said.

Occasionally, data collected during testing has also been illegally accessed. Last year, two large testing companies, Quest Diagnostics and LabCorp, disclosed that a hacker had accessed the personal, medical, and financial information of millions of patients from a medical bill collection agency.

Who’s buying my COVID-19 test information?

Quest and LabCorp have now become the two major providers of private COVID-19 testing and will also be a source for de-identified data on results. Quest advertises that it processed more than nine million COVID-19 tests from March through July, while LabCorp says it processed 11 million as of August.

Quest Diagnostics spokesperson Wendy Bost said that the company generally offers de-identified data through a licensing process and that the company will only provide a data license to buyers for a single, specific, limited purpose. The process, she said, is always compliant with HIPAA. The company has itself analyzed its own data for insights into issues like illicit drug use.

Bost said the company was providing data on COVID-19 testing directly to public health officials to help track the spread of the pandemic, and that any health information gathered as part of COVID-19 testing would be licensed only for purposes related to fighting the virus.

LabCorp did not respond to a request for comment but has made clear that it’s collecting data through coronavirus testing and in turn making that data available to others. In April, the company announced an agreement with a health analytics company to build “a comprehensive U.S.-based COVID-19 patient data registry.” (LabCorp did not respond to The Markup’s questions about who may access the data or whether the company would charge for access.)

The company noted that, in a period of only about a month, it had already conducted 500,000 COVID-19 tests that could be added to the database. “This registry will house curated, HIPAA-compliant de-identified data sets to expedite clinical research and analyses related to COVID-19,” the announcement read.

Mello said that, in some ways, the de-identified data is a boon to American researchers, who can access it for important health trends, including about the coronavirus. “People tend to have a pretty strong knee-jerk reaction to the idea of their health data being sold, for very good reasons,” she said. But the data could be legitimately valuable to researchers.

“To me, it’s not necessarily always bad that de-identified data are being transferred or shared or analyzed by private companies,” she said. “The question to me is really how you do that responsibly.”

What about what the patient wants?

Whatever the potential societal benefits of sharing the data may be, Tanner, the author of “Our Bodies, Our Data,” questions whether patients are being properly informed about what happens to their information—whether after COVID-19 testing or a simple doctor’s visit. A doctor’s office may give you a notice about HIPAA regulations, but declining to sign it doesn’t stop a company from selling health data, so long as it complies with HIPAA.

“Imagine if a blood test lab said to you, ‘Would you mind if we shared information about your blood test with scientists and university researchers to help solve the COVID crisis?’ ” Tanner said. “One imagines there’d be huge participation. Many people would be very happy to share their data, if it could even in a small way solve this worldwide crisis. But you don’t have that choice.”

In other places, like Europe, patients are given more control over their health data. In Estonia, for instance, which operates a centralized, national system of health care records, patients are more explicitly the owners of their data.

But in the U.S., patients can’t easily profit from the information about them that’s bought and sold. Some upstart companies have begun looking at ways for patients to profit in this way—pushing for state laws that would help patients to sell their own data. But those efforts raise other questions about financial inequality and whether the government should incentivize people to sell their privacy.

This article was originally published on The Markup by Colin Lecher and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

Story by The Markup