Tuesday, December 1, 2009

Interactive Health Solutions guts a hippo HIPAA

From terms and conditions that are only revealed (and must be agreed to) after a patient has provided their name, address, phone number, e-mail address, birth date, and employer:

"I understand that the information attained through this Health Profile will be held confidentially. However, I give permission to Interactive Health Solutions to share my medical data with a third party for the purpose of my disease management and health improvement."

I'm confused: will the information be shared or not?

IHS says that the information will not be shared, but that they will only screen patients who agree to give permission for the information to be shared.

If IHS shares my medical data with a third party, are there any limits on what the third party does with my medical data?

There's no substantive limit on the reasons why IHS would be allowed to share my medical data. If IHS decides that the purpose of my health improvement would be best served by making my medical data public (to obtain as broad support as possible for my health improvement goals), or by giving my medical data to a drug company (so the drug company can contact me about wonderful new targeted drugs), or by giving my medical data to my employer (so my employer can revise their health insurance plan to better accommodate people with my health condition), or by giving my medical data to Geraldo Rivera (so Geraldo can focus an expose on getting me treatment), I've given permission for any or all of those disclosures.

Why is the first sentence there at all? As I understand it, my medical data won't be held confidentially at all. Employees are offered $300 to do this health screening if and only if they are willing to give Interactive Health Solutions permission to share their medical data with third parties.

This is making a mockery of HIPAA. And it's underpaying me for my medical data, which is currently getting bids of $500 and up on eBay.


irilyth said...

You could sort of argue that there's a difference between "your data will be kept confidential until we decide to give it to someone else" and "we will post your data on our web site immediately, without even bothering to make up a good reason for doing so, so that anyone who wants it can download it and use it, for whatever they want, without even checking with us".

But yeah.

Michael said...

Among other differences, in the second case they'll have a much harder time monetizing the medical data. Because as much as information wants to be free, this sort of company wants it to be expensive.