While it might be assumed that HIPAA, the main federal privacy law for healthcare information, ensures the privacy of individual health records, it does not cover “health information held by gyms, websites, banks, credit care companies, many health researchers, cosmetic medicine services, transit companies, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alterative medicine practitioners, disease advocacy groups or marketers of non-prescription health products and foods,” according to the report.
And some personal health records systems maintained by organizations that are not HIPAA-covered entities “may also become a source of unregulated health information for scoring,” it said.
One of the newer health scores, the Individual Health Risk Score, was developed pursuant to the Patient Protection and Affordable Care Act “to create a relative measure of predicted healthcare costs” for ACA enrollees to mitigate the effects of adverse selection and stabilize payments for plans insuring individuals and small groups.
So far, the 2012 federal rule creating the score limited its life to four years but “is silent about individuals seeing their health risk score,” the report said.
“The HHS rule took some care to protect the privacy and security of an individual's risk score,” the authors wrote. “Nevertheless, each individual in plans subject to risk adjustment will have his or her own health risk score. It is possible to foresee that an employer or lender or someone else with power over an individual might coerce the individual into obtaining his or her score and disclosing it.”
Fair Isaac Corp., developer of the FICO score for credit reporting, launched in June 2011 a medication adherence score, which aims to enable a health plan or pharmacy to predict “a patient's propensity to adhere to a medication prescription plan” in the coming 12 months.
“By the end of 2011, FICO scored 2 (million) to 3 million patients” using factors that include employment, home ownership, living situations, age, gender, family size and asset information, such as auto ownership, the authors said. The report quotes a FICO statement that the score “will use a patient's prescription claims history when available and pull on other publicly available third-part data sources when no other information is present.”
Likely customers of these reports are drugmakers, who pay covered entities to send prescription refill reminders for drugs it sells. “If the manufacturer can identify those patients who are likely to refill prescriptions anyway, it can tell the intermediaries to send reminders only to those who have a low adherence score,” they said.
Several “frailty scores” are also in common use, including ones developed by the CMS and Johns Hopkins University. “The concern with any predictive score, particularly a frailty score, is that it can escape into the hands of third parties where it can be used outside of the original intent,” they said.