HIPAA laws evidently can’t protect against the selling of personal mental health information.
A new report from Duke University’s Sanford School of Public Policy found that there is a “willing and able” market for selling mental health records, and brokers are standing by to cash in on the game. The ability for third parties to gain access to personal health details is concerning, especially because patients aren’t often privy to the sources collecting their information or their purposes for doing so.
“The research is critical as more depressed and anxious individuals utilize personal devices and software-based health-tracking applications…often unknowingly putting their sensitive mental health data at risk,” the study found. “This report finds that the industry appears to lack a set of best practices for handling individuals’ mental health data, particularly in the areas of privacy and buyer vetting.”
Duke’s team reached out to 37 different data brokers asking for information about mental health data and received responses from 26, along with 11 firms. Researchers found they “were ultimately willing and able to sell the requested mental health data.” Moreover, some of the businesses actually used the information collected for advertising, including making public sensitive information such as a person’s diagnosis, demographic data, and credit score.
The report “shines a light on the wide availability of Americans’ health data for sale on the open market,” said Justin Sherman, a senior fellow at Duke. “While some of this information appears to be at the aggregate level, some of this data is clearly linked to individuals. For just a few hundred dollars, you can purchase lists of Americans suffering from depression or anxiety, taking medication for trauma, or dealing with the aftermath of a stroke – possibly with their names, races, ethnicities, home addresses, and other information attached.”
The end game? To turn a profit, of course. Duke’s team found the price tag for selling sensitive data ranged from $275 for 5,000 aggregated accounts to $7,000-$100,000 for annual access to more individualized information. This means there’s a lot of money to be had, and brokers are eager to get their hands on it.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996, and was put into place to protect individuals’ health records. Since that time, service providers have been required to provide information to patients and their loved ones about the privacy act and give patients an opportunity to determine how their personal data is used. They’re usually given a form to sign confirming that they were provided a copy of this information, and this is kept in the patient’s file.
According to the Department of Health and Human Services (HHS), parties that must abide by HIPAA include health plans (i.e., insurance companies, HMOs, company plans and certain government programs) as well as what are considered to be their “business associates” (i.e., those who work directly with these plans).
The buying and selling of personal health information, and especially mental health data, is deplorable, and now something that anyone who’s ever received psychological care must worry about. Essentially, the new Duke report findings suggest that signing a form is simply not sufficient to ensure that third parties aren’t able to gain access to health records.