Eaten Alive: A Patients’ Perspective on De-Identification of Personal Health Information

Grace Cordovano, PhD, BCPAThe Health Insurance Portability and Accountability Act (HIPAA) is outdated and enabling a gray area that’s damaging to patients, the healthcare ecosystem, and healthcare economy.

From a patients’ perspective, HIPAA does every person with a diagnosis a significant disservice by fostering a flawed economic model where anonymized health data can run rampant in the ecosystem at every 3rd vendor parties’ benefit and every patient’s expense. Individual health data needs to be publicly recognized as intrinsically valuable, acquired and utilized ethically, and compensated for access to, similar to manual labor needing to be paid for with wages.

De-identification is a process during which personal identifiers, such as social security numbers, dates of birth, and addresses, are removed from PHI to protect individual privacy and diminish privacy risks(2). The process of de-identification is not fool-proof and vulnerable to re-identification, as has been repeatedly demonstrated by experts such as Harvard professor, Latanya Sweeney(3).

In 2018, the majority of people do not know that their PHI, like their EHR data, prescription data, insurance claims, and genetic data via direct-to-consumer (DTC) tests, are de-identified and sold for research and commercial purposes at massive profits. Medical health data trading is a multi-billion dollar industry. The process of de-identification supplies data that may be aggregated for a variety of analyses, such as basic scientific discoveries, policy & legal reviews, process refinement, pharmaceutical marketing, and other efforts.

Data de-identification isn’t new but it is rampant. I’m gravely concerned about the free-for-all that is de-identification. You should be too.

The advent of electronic health record (EHR) systems have made patient data electronically available yet ironically bottlenecked. Patients wait for weeks, unable to get the medical records they need to coordinate their care while on the backend that same information is de-identified and sold electronically­. HIPAA does not restrict the use or disclosure of de-identified health information as it is no longer considered protected health information(2).

Consequently, we simultaneously see headlines like these:

Verma: Many Providers are Holding Patient Medical Records Hostage(4)”

Test results: Glaxo pays 23andMe $300M, will use 4 million customers’ genetic data(5)"

Without the patient and their health data, no other stakeholder in the healthcare ecosystem exists. There would be no need for doctors or any caregivers. There would be no need for hospitals, urgent care centers, imaging, rehabilitation, acute care, or long-term care facilities. There would be no need for many federal regulatory and policy-making bodies. There would be no need for pharmacies or private and government-based payers. There would be no need for the vast majority of tech startups and vendors that provide solutions to improve the patient experience. There would be no need for pharmaceutical or biotech companies. We are only scratching the surface here.

23andMe, a direct-to-consumer (DTC) genetic testing company, recently announced that GlaxoSmithKline was investing $300 million for exclusive access to its data bank of 4 million 23andMe customers. The 23andMe DTC genetic test was never intended solely for the end user’s benefit, determination of ancestry, or entertainment. It was strategically developed as an underground pipeline for building an exponential genetic repository or biobank.

In a brilliant business model, people paid to purchase a kit to submit their saliva for DNA sequencing. The sequenced data, from “consenting” customers, was then de-identified, aggregated, and repurposed for commercial sales. Customers of 23andMe were the golden ticket for the company to enter into lucrative partnerships with pharma.

Are you being prowled upon for your health data? Photo credit: Nashad Abdu (Unsplash)The problem lies in the privacy policy and what people “consented” to. The privacy policy emphasizes the use of data for research or scientific findings. It does not explicitly state that the company was striving to get enough participants to build a biobank database that could be sold for commercial profit. It did not explicitly state that participant data will be de-identified, aggregated, and sold to pharma for hundreds of millions of dollars. It also did not explicitly state that it would grant exclusive access to that data bank to one pharmaceutical company for 4 years.

Exclusive access creates another silo. Scientific advances and breakthroughs aren’t made in silos. Profits are.

As a patient and patient advocate, let me define the gray area that HIPAA currently supports and paint it black and white. I don’t want other stakeholders, companies, or 3rd party vendors defining what they will, may, could, should, and shouldn’t do with my health information, my genetic data, my medical records, and my wearables data. I want to be a partner in developing that strategy. I don’t want an opt-out option that has limitations which will ‘kinda sorta, but not really’ remove my information from a data repository and your bottom line. No one’s health information should be exploited for profit.

I demand transparency in business practices. I want to see an itemized record of every single entity that has accessed my health information. (Yes, blockchain and health record banking, I’m looking at you.) I’m not alone in this thinking. People have had enough.

If someone in the ecosystem wants access to my health information, my diagnoses, and the intricacies of my DNA, they will need to request access and clearly explain what their intent is with my information.

In the digital, AI, and machine learning era, our health information is the super fuel that powers technologies, algorithms, and analyses. Many retort saying individual data is worthless, that it’s the aggregation and analyses that merit value. This is a closed minded, discriminatory ideology that needs an international data equality reform that guarantees a minimum wage for access to and use of personal health data. People are entitled to be proactively educated and transparently informed about the power of their personal health information, not just from a health and well being sense, but from a business and financial standpoint, in order to have a just opportunity to be a proactive member of the healthcare ecosystem.

Being compensated for granting access to one’s health information could revolutionize the health economy. Incentivizing that access will enlighten people to the power of their health data, engaging them into paying more attention to their records. What an incredible opportunity to educate patients about the power of their health information! There won’t be a better patient engagement educational opportunity than this!

We invest billions of dollars into the holy grail of improving patient engagement and the patient experience but skirt the main issue: transparent, ethical, collaborative partnership. If patients are compensated for access to their records, those funds could be applied to co-pays at their local hospital or urgent care center, utilized for paying for lab work or imaging, paying for prescription medications, covering costs of transportation to appointments, applied to annual insurance fees.

Imagine if the $300 million that GlaxoSmithKline invested in 23andMe was invested directly into universally partnering with patients of all ethnicities, ages, genders, socioeconomic backgrounds, and abilities? That’s the power move that would revolutionize the treatment landscape.

Increasing diversity and real world representation of populations is an ongoing struggle. Word of advice. If people need to pay $200 for a 23andMe kit to have their DNA sequenced, only the people who have the luxury of affording that price will go out and purchase the kit.
Here are examples of people who will most likely not purchase the kit and may therefore not be represented in the data pool:

  • the single, disabled parent on Medicaid with multiple co-morbidities.
  • those living in rural, low income, and immigrant communities.
  • those with language barriers.
  • those with low health literacy and educational backgrounds.
  • patients being treated for cancer suffering from financial toxicity.
  • people living paycheck to paycheck.

The exclusionary list goes on and on. It was noted in a 23andMe blog post that “Most of our participants have at least some college education and have a household income of at least $100,000 per year, the vast majority of which are of European descent(6)”.

It is clear that the $300 million data set is not representative of real world people and patients, but rather skewed by those who could afford the kit. Even with some representation of ethnicities, they are within a similar niche financial and educational bracket that isn’t even remotely representative of the general US population.

This is the data that’s going to be used to generate personalized, life-saving medications?

Imagine if companies invested in partnerships with patients and compensated them for a­­­ccess to their data in the context of a trusting, transparent relationship! Theoretically, a pharma company could enter a partnership with a patient and have an open dialogue about their data, and compensate the patient for access to the data as well as compensate them for their lived experiences and insights. The quality of self-reported data should theoretically be stronger in the context of a trusting partnership rather than a voluntary, non-incentivized, one-way avenue. In a transparent, trusting relationship, perhaps not all information would need to be de-identified, immediately enriching the data.

The next big thing to transform healthcare isn’t going to be a technology, an app, or a wearable. It isn’t going to be AI, VR, voice, or robotics. It isn’t going to be the implementation of value-based care or whatever Amazon is hatching. It’s going to be the changing the way things have always been done. It’s going to be removing middlemen and partnering directly with patients. To partner with patients, we need the opportunity to make choices and privacy policies that are real-world transparent.

The most successful research is collaborative. How are you spelling research: Scientific or $cientific? Please update your privacy policies accordingly.

Follow Grace at her blog, on Twitter @GraceCordovano), and on LinkedIn


1) Summary of the HIPAA Privacy Rule. May 2003. Accessed 7/26/18.
2) Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. 26 Nov 2003. Accessed 7/26/18.
3) Adam Tanner. Harvard Professor Re-Identifies Anonymous Volunteers In DNA Study. 25 Apr 2013. Forbes. Accessed 7/26/18.
4) Greg Slabodikin. Verma: May Providers are Holding Patient Medical Records Hostage. Health Data Management. 26 July 2018. Accessed 7/26/18.
5) Joseph DiStefano. Test results: Glaxo pays 23andMe $300M, will use 4 million customers’ genetic data. Philly Inquirer. 25 July 2018. Accessed 7/26/18.
6) JY Tung, et al. Characteristics of an Online Consumer Genetic Research Cohort. 2011. 23andMe Blog. Accessed 7/26/18.

Eaten Alive: A Patients’ Perspective on De-Identification of Personal Health Information was authored by Grace Cordovano, PhD and first published in, Tincture. It is reprinted by Open Health News with permission from the author. The original post can be found here.