The use of healthcare-specific consumer scores detailing people's health have proliferated in the past seven years and more are on the way, according to a report by the World Privacy Forum, a San Diego-based not-for-profit.
“Health scores are now in full circulation with little consumer awareness” and with little oversight or regulation, wrote report co-authors Pam Dixon, the organization's founder, and Robert Gellman, a Washington lawyer and privacy expert who has written previously for the Forum about the threat to healthcare privacy from cloud-based computer systems
“It is also possible to foresee the development of family and neighborhood health scores based (on) either a combination of traditional medical histories, genetic data, census data, data broker lists, environmental data, or histories of actual health treatments that may fall outside of HIPAA
,” according to the report. Increasing health score availability raises privacy issues for the authors.
“Consumer scoring has substantial potential to become a major policy issue as scores with unknown factors and unknown uses and unknown validity and unknown legal constraints move into broader use,” the authors said. “The protections consumers receive with respect to credit scores need to be expanded to all consumer scoring, and the rules for credit scores may warrant some re-examination as well.”
While it might be assumed that HIPAA, the main federal privacy law for healthcare information, ensures the privacy of individual health records, it does not cover “health information held by gyms, websites, banks, credit care companies, many health researchers, cosmetic medicine services, transit companies, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alterative medicine practitioners, disease advocacy groups or marketers of non-prescription health products and foods,” according to the report.
And some personal health records systems maintained by organizations that are not HIPAA-covered entities “may also become a source of unregulated health information for scoring,” it said.
One of the newer health scores, the Individual Health Risk Score, was developed pursuant to the Patient Protection and Affordable Care Act “to create a relative measure of predicted healthcare costs” for ACA enrollees to mitigate the effects of adverse selection and stabilize payments for plans insuring individuals and small groups.
So far, the 2012 federal rule creating the score limited its life to four years but “is silent about individuals seeing their health risk score,” the report said.
“The HHS rule took some care to protect the privacy and security of an individual's risk score,” the authors wrote. “Nevertheless, each individual in plans subject to risk adjustment will have his or her own health risk score. It is possible to foresee that an employer or lender or someone else with power over an individual might coerce the individual into obtaining his or her score and disclosing it.”
Fair Isaac Corp., developer of the FICO score for credit reporting, launched in June 2011 a medication adherence score, which aims to enable a health plan or pharmacy to predict “a patient's propensity to adhere to a medication prescription plan” in the coming 12 months.
“By the end of 2011, FICO scored 2 (million) to 3 million patients” using factors that include employment, home ownership, living situations, age, gender, family size and asset information, such as auto ownership, the authors said. The report quotes a FICO statement that the score “will use a patient's prescription claims history when available and pull on other publicly available third-part data sources when no other information is present.”
Likely customers of these reports are drugmakers, who pay covered entities to send prescription refill reminders for drugs it sells. “If the manufacturer can identify those patients who are likely to refill prescriptions anyway, it can tell the intermediaries to send reminders only to those who have a low adherence score,” they said.
Several “frailty scores” are also in common use, including ones developed by the CMS and Johns Hopkins University. “The concern with any predictive score, particularly a frailty score, is that it can escape into the hands of third parties where it can be used outside of the original intent,” they said.
The use of frailty and other scores without patient knowledge by the Chicago-based healthcare collections agency Accretive Health
became a factor in a complaint against the company filed by the state of Minnesota following a data breach involving patient records.
WebMD, the report notes, offers its users a tool to create a “One Health Score” based on their physical activity. “How the use of these health scores will evolve and whether they will 'escape' into the hands of marketers and data brokers is not known,” Dixon and Gellman wrote.
“I'm concerned about the ACA health score,” Dixon said in an interview. “I understand that they're trying to spread the risk around, but the truth is, it wasn't designed to tell how sick a person is, but that's what it does. Will it be used in the calculation of other underwriting, if the person leaves the ACA and shifts to an employer health insurance policy? I'm very keen to ensure the risk score goes away in 2018 like it's supposed to. And I want to make sure that number doesn't appear outside of a very specific ACA healthcare context.”
In their 90-page report, “The Scoring of America: How Secret Consumer Scores Threaten Your Privacy and Your Future
,” the authors don't focus exclusively on healthcare privacy threats—various other consumer scoring systems are included. Indeed, the authors point to a blurring of distinctions between report types since the feed stock for the analysis they contain come from a variety of sources—geographical, financial, health, dietary and other social information—that blend with healthcare data that leak from various databases. Follow Joseph Conn on Twitter: @MHJConn