Companies are making billions off your medical data — and you won't get a cent of it

A doctor holds medical files thodonal88/Shutterstock

Doctor-patient confidentiality: This central tenet of health care in the United States may make you think your private medical details — from that weird mole to that laxative prescription to that test result — are just that. Private. 

But you would be wrong. 

Americans' medical data are regularly sold — often without the knowledge of patients. It's part of a trade worth billions of dollars.

And even though your details are supposed to be anonymous, businesses actually have easy ways of finding more of your identifying information.

Why are companies gathering piles of your information? To fast-track medical research and improve marketing for drugs and other health-related products, explains Harvard University fellow Adam Tanner in a Century Foundation report published Tuesday.

In theory, patients should be protected by HIPAA — government rules that ostensibly ensure privacy of patient information — but it's a law so convoluted that even many doctors don't know how it works, the report notes.

HIPAA requires that patient medical information be sold anonymously, eliminating identifying characteristics like people's names and birth dates. 

But that's not always much of a protection because "HIPAA only governs named data," Tanner told Mic. "It's as though I had a picture of you naked and cut off the head and then sold the picture of your body to someone else."

Medical records Maksym Dykha/Shutterstock

While the medical data technically remain anonymous, companies can use other sources of information (think pharmacies and medical claims) to figure out what kind of patient information matches up with your profile.

Throw in publicly available sources, like social media or health apps on your Apple Watch, and companies can glean a full picture of an individual.

"There's a commercial file — the sports you play, your income, what kind of holidays you take — and there's a way to legally match that file with an anonymous file, using a third party firm, to understand what kind of people have a certain kind of ailment," Tanner said.

"It's called propensity modeling: predicting how likely you are to be in a certain group," he added.

Re-identification of anonymous files is not illegal: It is legal to use all the data available to figure out which patient file belongs to whom. 

Businesses like health insurance companies and advertisers have therefore created a sort of backdoor to gathering and selling medical information — bypassing HIPAA, in a sense.

"After a person gets medical care," Tanner writes, "pharmacies, insurers, labs, electronic record systems and the middlemen connecting all these entities automatically transmit patient data directly to what is, in effect, a big health data bazaar."

Patient data sources available to third parties The Century Foundation

"The result is a blizzard of transactions hidden to the public in which companies — called 'data miners' — buy, sell and barter anonymized but intimate profiles of hundreds of millions of Americans," Tanner wrote.

Advertisers can use this to target likely customers.

All of the data, when examined in aggregate, also allows for something termed "predictive analytics," as the Guardian reports, which can predict consumer behavior, further enabling marketers to manipulate you.

You may have heard of this in one context back in 2012, when a father in Minneapolis reportedly discovered his high school daughter was pregnant after Target started sending her individualized coupons for baby-related products.

Target essentially figured out she was pregnant first thanks to data on her consumer behavior. 

Patients are not given the chance to opt in or out of sharing their information, and the buying and selling of medical data is poorly regulated. When the state of Vermont, with its patient privacy laws, challenged IMS Health Inc. — which acquires and sells medical data — the Supreme Court of the United States ruled in favor of the company in 2011.

Vermont's patient privacy laws, SCOTUS argued, interfered with IMS Health's right to free speech. 

"Speech in aid of pharmaceutical marketing, however, is a form of expression protected by the Free Speech Clause of the First Amendment," the Opinion of the Court stated. "As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard."

The network of the "big health data bazaar" The Century Foundation

Even the government is starting to get involved in the big medical data party. In January 2015, President Barack Obama announced an initiative to create a vast medical database, including people's genomes, in order to enhance research and better treat diseases.

Unlike the aforementioned medical data being sold to private companies, people must opt in to be a part of this initiative, spearheaded by the National Institutes of Health.

That means you get the chance to consent to your personal, health and genetic information being used.

A shelf full of medical files Live2Create/Shutterstock

Nonetheless, any medical database presents serious security risks.

"An upsurge in hacking and medical data breaches is a parallel threat that can have potentially devastating impact," Tanner wrote in his report. "Unlike other hacks, such as credit card theft, the embarrassment and damage of a medical privacy breach cannot be undone: Once intimate secrets are spread on the internet, they do not disappear."

Indeed, in 2014, Chinese hackers stole 4.5 million patients' information after attacking the Community Health Systems network, which runs more than 200 hospitals around the U.S. 

Such data is especially valuable, incentivizing hackers: stolen medical info can be sold on the black market for about 10 times more than financial data can.

A faceless, hooded person works at their laptop Billion Photos/Shutterstock

As time passes, companies are only expanding their dossiers on individuals — information that is then vulnerable to cybersecurity breaches.

"The bigger danger is that people lose confidence in the [medical] system," Tanner warns. "You might be more reluctant to discuss your information if you know it's part of this commercial trade."

Unless lawmakers and public policy advocates start to lobby for stricter regulations protecting patients and their information, public trust in medical confidentiality could erode. That could potentially hurt people who need to be treated, but who won't disclose intimate details, Tanner said.
