Regulatory Disruption and Arbitrage in Healthcare Data Protection

@nicolasterry

Hall Render Professor of Law& Executive Director of the Hall Center for Law and Health

Indiana University Robert H. McKinney School of Law

• Increasingly large amounts of sensitive healthcare data exist in lightly regulated space outside reach of traditional healthcare data protection

• Results:

• Regulatory disruption as stakeholders struggle with under-regulation and indeterminacy

• For data brokers, successful regulatory arbitrage enabled; doing in lightly-protected space what they are prohibited from doing in HIPAA-space

• Deprecation of traditionally high levels of health data protection and challenges to ACA principles

• Proposals for legislative reform generally have failed to gain traction

• Specific and general powers of FTC remain the primary defenses against big data abuses.

Clinical:Point of Care

Clinical:Operations

Research:Outcomes

Research:Intramural/Corporate

Research:Population

Health

Caveats

Sectoral Data ProtectionHealth Care Financial Services Genetic Privacy Internet Other

HIPAA GLBA GINALaw

Agency HHS-OCR FTC/SEC/Banking

EEOC FTC

General (but limited)Broadband

FCC

Anonymization: Identity not Associated with Data

Inalienablility; Designed to Disincent Collection

Privacy; Limits on Collection

Right to Erasure; Selective Removal

Regulation at Point of Use; e.g., anti-discrimination

Security; Repelling Outsiders (Identity Thieves)

Confidentiality; Limits on Disclosure

Breach Notification; “The Horse Has Left the Barn”

Upstream

Downstream

Disclosers

“Paymentor  Healthcare  Operations”

Business Associates

Care  Team

Traditional  Health  Data  

Space

http://thedatamap.org/

“We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records. We standardize, organize, structure and integrate this data by applying our sophisticated analytics and leveraging our global technology infrastructure to help our clients run their organizations more efficiently and make better decisions to improve their operational and financial performance.”

IMS  Health   Holdings,   Inc.,  Form  S-­‐‑1,  Registration  Statement   under  The  Securities  Act  Of  1933,

Scoring personal health.…In 2014, there were at least a dozen health scores available in the marketplace, including the Affordable Care Act (ACA) Individual Health Risk Score, FICO Medication Adherence Score, several frailty scores, personal health scores (e.g., WebMD, One Health Score), and medical complexity scores (e.g., Aristotle for scoring of surgery for congenital health conditions). Consumers are largely unaware of the existence and use of these scores and the algorithms that create them.

[A] “body score” may someday be even more important than your credit score. Mobile medical apps and social networks offer powerful opportunities to find support, form communities, and address health issues. But they also offer unprecedented surveillance of health data, largely ungoverned by traditional health privacy laws (which focus on doctors, hospitals, and insurers). Furthermore, they open the door to frightening and manipulative uses of that data by ranking intermediaries— data scorers and brokers— and the businesses, employers, and government agencies they inform.

• The ACA prohibits pre-existing condition exclusions, discriminatory premium rates, and generally requires guaranteed issue

• Guaranteed issue and related regulations generally do not apply to life insurers who are customers for big data proxies

• Health insurers who use data-mined prescription drug data to continue their discrimination against high cost patients

• There is evidence that insurers move drugs associated with patients with expensive chronic conditions to high cost-sharing tiers in the hope of discouraging those patients from applying for coverage

• Unregulated big data has the potential to frustrate some of the mainstay policies of our healthcare system.

Reform Incoherence1. The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting

Privacy and Promoting Innovation in the Global Digital Economy (2012)

2. Fed. Trade Comm’n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (2012)

3. The White House, The Big Data and Privacy Review (2014)

4. Fed. Trade Comm’n, Data Brokers: A Call for Transparency and Accountability (2014)

5. PCAST, Big Data and Privacy: A Technological Perspective (2014)

6. Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015

7. Health IT Policy Committee, Privacy and Security Workgroup, Recommendations on Health Big Data (2015)

8. The White House, Big Data: Seizing Opportunities, Preserving Values (2015)

9. FTC, Big Data: A Tool for Inclusion or Exclusion? (2016)

10.The White House, Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights (2016)

• FCRA

• ECOA

• FTC § 5(a)(1)

• Deceptive Prong/Unfair Prong

• LabMD

• Wyndham

https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf

Q & AMail: npterry@iupui.eduTwitter: @nicolasterryPodcast: TWIHL.com

Nicolas TerryHall Render Professor of Law

& Executive Director of the Hall Center for Law and Health

Indiana University Robert H. McKinney School of Law