Unsafe data in Texas

Last month, a Texas online news site, the Austin Bulldog, published a lengthy investigative report on the sale and gifting of patient-level hospital data by the Texas Department of State Health Services.

Reporter Suzanne Batchelor's remarkable story found that if you're a Texan, your healthcare data can be given away or sold without your consent. And the Health Insurance Portability and Accountability Act, the main federal health information privacy law, won't—or can't—protect you.

In Texas, the health services department gathers claims data from hospitals by law—providers can be fined as much as $10,000 if they don't hand it over. But the department isn't a so-called “covered entity” as defined by HIPAA. So, the state isn't covered under the HIPAA privacy rule if it does anything that would be a violation if performed by a data-providing hospital.

Texas requires researchers to sign data-use agreements, analogous to business associate agreements under HIPAA, which bar re-identification of individual records and ban allowing "others to release any information that identifies persons, directly or indirectly."

Enforcement is tasked to the Texas Health Care Information Council and to the Texas attorney general's office. Abusers who "knowingly or negligently" release patient records face civil penalties of not more than $10,000. There have been no enforcement actions requested or taken against Texas data buyers, according to Texas agency spokesman Chris Van Deusen.

The Texas data sets come in two flavors. Both can include patients' diagnostic codes.

One set runs to 268 data fields and is called the public-use data file and is somewhat de-identified. A year's worth of data costs $5,000, or half that for participating hospitals and the media and out-of-state universities, and a $100 processing fee. Public-use data from 1999 and earlier is provided free of charge.

The state knows the public-use data file is vulnerable. A user's manual (PDF) contains this caveat: "It may be possible in rare instances, through complex analysis and with outside information, to ascertain from the PUDF the identity of individual patients. Considerable harm could result if this were done."

The other data set Texas sells is called the research-use data file. At more than 300 data fields, it also contains more potential patient identifiers than the public-use data file, including a patient's date of birth, gender and ZIP code. Research-use data file buyers must present their research project to a scientific review panel before the information is released, Van Deusen says. For a year’s worth of these files, Texas charges $200 per data field and $200 to $500 in processing fees.

Batchelor submitted an open-records request for the names of Texas' data customers and obtained a list of 29 buyers between Jan. 1, 2009, and April 1, 2010. She graciously shared the list with me. Buyers include payer and provider organizations, health IT consultants and several data analytics firms that provide services to the pharmaceutical industry for prescription drug marketing and to the insurance industry for medical underwriting.

Van Deusen provided me with a list of 13 other organizations, mostly Texas providers that purchased research-use data files in the past 12 months. America's Health Insurance Plans, the industry trade association, bought data from both lists.

One of those Texas public-use data buyers is Ingenix, the data analytics unit of health insurer UnitedHealth Group.

Ingenix acquires that data "from a number of states including Texas," says Ingenix spokesman Kyle Christensen. "The company is doing analysis of the data to develop quality measure reports. And it is also used in ad hoc research, for example, for healthcare utilization. We do not sell the data and the data is eventually destroyed," he said.