Health privacy experts are concerned that insurance companies will raise rates or deny patients coverage based on risk factors identified when insurers mine claims data with consumer data provided by commercial data brokers.
According to an investigation by National Public Radio and ProPublica, insurers are collaborating with data brokers to help track consumers’ data points, such as their race, education level, TV habits, marital status, net worth, social media posts, ZIP code, credit score, online shopping trends, child bearing decisions, and much more. These factors are then fed into complicated algorithms that predict healthcare costs based on these factors.
But privacy advocates warn that the use of this “lifestyle” data, which is sold by brokers such as LexisNexis, to make medical hypotheses “could lead insurers to improperly price plans — for instance raising rates based on false information — or discriminate against anyone tagged as high cost.”
For instance, data analysts say that a person who purchases plus-sized clothing is at risk for depression, or items purchased for an impending pregnancy can signal that person’s healthcare costs are going up. Or, people who downsize their homes and people whose parents didn’t finish high school tend to have higher healthcare costs, analysts told ProPublica.
However, the data brokers and insurance companies claim that commercial data is always deidentified and is only used to encourage policy holders to use wellness resources. ProPublica learned, though, that the health data firm Optum filed a patent application to gather what people share on platforms like Facebook and Twitter, and link this material to the person’s clinical and payment information. Optum contends the application didn’t go anywhere.
Part of the problem, critics of these practices say, is that national health privacy laws—including HIPAA—only protect information held by providers and other covered entities. The use of lifestyle data for healthcare estimates could be hindered by stricter American privacy laws down the road, like those enacted this year in the European Union. The EU’s General Data Protection Regulation law treats data protection as a constitutional right, privacy advocates said.
“We have a health privacy machine that’s in crisis,” Frank Pasquale, a professor at the University of Maryland Carey School of Law, told ProPublica. “We have a law that only covers one source of health information. They are rapidly developing another source.”