Scholar argues that the poor and elderly are most vulnerable to health data security breaches.
The health of more than 130 million Americans depends on Medicaid and Medicare. Owing to these public health insurance programs, the poor and elderly can go to the doctor’s office and seek quality health care at low cost. Unfortunately, in exchange for cheap health care, the poor and elderly bear many of the costs of health data breaches.
In his paper, Craig Konnoth, a professor at the University of Colorado Law School, observes that some regulations under Medicaid and Medicare disproportionately expose the poor and elderly to widespread health data collection. Because these regulations increase the risk of serious security violations, Konnoth argues that the federal government must revisit them to achieve “health information equity.”
According to Konnoth, the federal government’s Centers for Medicare and Medicaid Services (CMS) mandates the use and circulation of electronic health records. CMS has also given medical researchers the keys to more than 2,100 health datasets on publicly insured patients, more than a hundredfold increase since 2009. This high-volume data collection process, in turn, enables researchers to study and remedy pressing health care issues.
Federal law—namely the Health Insurance Portability and Accountability Act—affords health data some protection against security threats, Konnoth recognizes. Still, despite these protections, the poor and elderly remain at risk for a series of privacy breaches to which the privately insured and wealthy are more immune.
A U.S. Government Accountability Office report reveals 113 million electronic health records breached in 2015. Almost 90 percent of U.S. health care organizations admitted to data breaches between 2014 and 2016. According to Konnoth, data breaches have led to cases of identity theft, medical and financial fraud, and insurance discrimination. These harms, Konnoth warns, “can wipe out one’s life savings or lead to delays in receiving medical services.”
Furthermore, Konnoth asserts that data vulnerabilities can even lead to serious medical harms. More than half a million Americans did not seek early cancer treatment because of privacy concerns, and millions more have avoided mental health treatment for the same reason.
Fear of privacy invasion has also resulted in underreporting of sexually transmitted diseases, which impacts the ability of health organizations to solve reproductive health issues, Konnoth adds.
The privately insured and out-of-pocket payers, by contrast, are less vulnerable to health data breaches.
The U.S. Supreme Court held in Gobeille v. Liberty Mutual Insurance Company that state law may not require the collection of health data from self-funded plans—that is, a private insurance plan in which an employer provides health benefits to employees with its own funds. Konnoth claims that the U.S. Department of Labor, which has authority over the reporting of health data, has “primarily sought information about plan financing” from private health insurers as opposed to patient population health data.
In addition, when a patient has enough money to pay for health services out-of-pocket, federal regulation requires medical providers to respect patients’ decisions not to have their health data collected.
To “alleviate the inequitable distribution of information burdens and risks,” Konnoth proposes that CMS require private insurers to report electronic health record data on the same level as public insurers.
Under federal law, CMS has broad discretion to impose penalties on medical providers who fail to disclose patient health data. According to Konnoth, CMS should collect data from doctors who accept both public and private health insurance. If these doctors fail to disclose their patients’ data, CMS would then penalize them for not complying with data disclosure requirements.
Because “90% of primary care providers accept Medicare or Medicaid,” publicly available health data from the privately insured would increase, Konnoth adds. This increase in data volume would, in turn, distribute the risks of data violations across broader patient populations.
Konnoth also argues that states and employers should introduce regulatory programs “to encourage checkups that would both improve preventative medicine and allow for systematic health information collection.” If a state were to collect health data through such a scheme, Konnoth says that cost-effective and early disease detection could be possible. These regulatory programs could take the form of tax deductions or benefits, among other possibilities.
Alternatively, Konnoth suggests, rather than states implementing such benefits, employers could provide health insurance discounts or gift cards to employees who sign up for preventive care. These employer-based programs could have benefits “tied to certain biometric outcomes that require employees to be tested for cholesterol, blood pressure, or body mass index.”
Konnoth recognizes that, even if states and employers implemented these proposals, the poor and elderly would remain vulnerable to data violations. Still, Konnoth stresses that the burdens of health data collection should not rest on the country’s most vulnerable populations. The role of public health insurance programs, Konnoth concludes, is to ensure quality health care for the poor and elderly, not exacerbate their vulnerabilities.