Even in 1996, the threat to privacy of the brand-new digital age was being recognized. This was the year that the US instituted the Health Insurance Portability and Accountability Act (HIPAA), which established standards for the handling of healthcare data, including security measures for personally identifiable information (PII).
Since that time, the consequences of digitized PII have been far ranging, as other entities have implemented similar programs, such as the GDPR in Europe. Abuses of access to personal data have led to an entire industry devoted to its protection, but the societal benefits of these measures also have a price.
The Business of Black Market PII
Protecting the privacy of PII is more than a way of appeasing the sensitive or avoiding frivolous malpractice lawsuits that take advantage of HIPAA and GDPR regulations.
There is a concrete threat in cyberspace devoted to stealing PII, and it has devastated numerous individuals and organizations. 2019 saw the greatest increase in history of healthcare PII exposure, with more than 41 million breached patient records translating to a 49% escalation over 2018. 58% of these records were hacked, leading to ransomware attacks and the sale of stolen information on the dark web.
Hacked PII is exploited in a number of ways. Information such as Medicare account numbers can be used to rip off insurance companies, while any data that contains a name and a social security number is valuable as an identity theft tool. In addition, HIPAA/GDPR have led to the creation of a new criminal industry as organizations that suffer a breach are blackmailed by using their exposure, and hence regulation-based fines, as leverage.
Such fines are significant. In 2019, for example, Anthem Inc., a health benefits company, paid $48.2 million in fines after hackers penetrated the organization, which was found not to be compliant with HIPAA regulations.
In short, it looks like current privacy restrictions still leave gaps that can be ingeniously exploited. So is the answer to make privacy laws even stricter?
The Flipside of Strict Regulations
Dozens of diseases have been cured due to access to large amounts of medical data and tremendous health benefits have been gained based on related epidemiological research.
Without access to the “big data” of the medical industry, it is doubtful that progress in treating many infectious diseases or the identification of carcinogens and other hazardous substances could have occurred so rapidly. Similarly, the understanding of risk factors related to cardiovascular diseases, respiratory problems, and cancer depend on the collection of millions of personal medical information histories.
The results of restricting access to this information have been disastrous. According to the National Center for Biotechnology Information website, for example, HIPAA has caused a 95% drop in the completion of long-term follow-up patient surveys; the number of patients completing cancer studies has decreased by more than 70%; and the time and money spent recruiting patients has tripled.
The consequences of violation have also led to excessive caution on the part of physicians and medical centers, causing them to withhold information from those who may have a right to it. For instance, according to the US Government Accountability Office, various healthcare providers do not completely understand their obligations under HIPAA and so refuse to divulge patient records, even when warranted.
Finally, implementing privacy regulations is an expensive process. Many healthcare firms, particularly smaller ones, need to hire high-priced consultants who are familiar with the intricacies of HIPAA/GDPR. In light of the potential fines that violations can lead to, the expense of the people and technical resources involved seem necessary. However, these costs are an additional pressure on many healthcare operations that are suffering as government payments to physicians decline.
The Coronavirus Paradigm
The advent of COVID 19 is a perfect illustration of how a balance between privacy and the needs of health institutions is tough to find. Governments across the world have temporarily waived certain privacy restrictions due to COVID 19, and in certain countries, the names of infected individuals are released, while tracking of mobile phones is commonplace. There are even instances whereby authorities are alerted when a person exits a certain area as they are traced by their mobile signal.
But the reduction in regulatory adherence is by no means without responsibility. For example, in California, contact tracing is allowed, but so are individual and class action lawsuits based on improper use or hacking of contract tracing information. This regulation, named the CCPA, has already led to numerous legal proceedings.
The Private Sector and Privacy
Perhaps the solution is, in light of the failure of government policy, to reduce their interference in regulations dealing with privacy. On such a massive scale, it is not possible for government to educate the entire society about what is to be deemed private or to enforce their vision of it. Instead, there should be clear separation between government, businesses, and people, with communities and individuals developing more effective ways to treat privacy issues based on morality and ethics. If the rules from 1996 don’t work anymore, it might be time for a new approach.