HIPAA provides guidelines that establish the permissible uses of an individual’s personal health information (PHI). That seems pretty straightforward for the most part, and it was, for the most part, until we dig a little deeper and look at the resources now in play in healthcare, artificial intelligence, and big data, resources that did not exist 20+ years ago when HIPAA was created.
Artificial intelligence (AI) is giving the healthcare industry a fast-growing market and opportunities that can hardly be fathomed. These products and relationships come in many forms but often share the same objective: to align the goals of healthcare industry investors with reducing medical costs for the patient. To do that, they gather records from big data companies that have been collecting information across the endless platforms we use as consumers. You might think that you “opted out” and therefore aren’t a candidate. But what about the diet app you use, the frequent shopper card, or the online surveys you take? Each of these collects a separate piece of information about you, and at first consideration each piece might seem irrelevant; on its own, that data seemingly can’t be linked to you in any detrimental or valuable way. But when this data is assembled and combined in the right way, it can be invaluable. And if it ends up in the wrong hands, it can paint a clear picture of you, your habits, your medical conditions, and more.
The question from here is: at what point do those individual components become HIPAA-protected? Standing alone, they possibly identify no particular individual and therefore seem to need no protection, but put together with the other information, they can single you out with little doubt. And the insight they provide is incredibly detailed.
For example, suppose Google sells the location analytics from your phone, which place you at the doctor’s office on a specific day. Combine that with the transaction on your grocery or pharmacy frequent shopper card showing a prescription purchase that same day, and then with the heart rate and exercise pattern from your smartwatch, and one could consider the result not only identifiable but also quite valuable. This collective insight can be used to learn the habits of individuals with certain health ailments, inferred from the doctor visit combined with the prescription pickup, and to learn how those individuals are managing risk factors through diet and exercise, inferred from data pulled from different sources such as your frequent shopper card and your smartwatch health app. It isn’t that any single record is dangerous to your identity; it is that the data could be considered identifiable when combined. So, at which point does it merit HIPAA protection?
There are no straightforward answers today. But with opportunity comes exploitation, and unfortunately it’s no secret that many HIPAA regulations are outdated and do not match today’s technology or threat landscape. While we hope to see new regulations or clarifications on protecting data that could be combined to identify an individual, we’ll have to wait and see how this plays out.