I think one important lesson from the recent big corporate health data hackings is that most of us don’t actually value health information privacy.
On the one hand, we would much rather be able to e-mail an ordinary e-mail to our doctor or health insurance company and get an ordinary, unencrypted e-mail back than to have to sign up for a secure service with an excellent, highly random password that we won’t actually remember.
We have no health information that’s really worth protecting. Maybe we had strep throat last year, or maybe we have high blood pressure and aren’t especially compliant about managing it. Big whoop-de-do.
Spending a lot of time and money protecting our health data privacy is pointless.
On the other hand, there are some people who really do need help protecting their health data privacy, because they’re celebrities who’ve had hair transplants, or people with well-controlled but potentially severe behavioral health problems that could conflict with the infamous weakness of the laws that allegedly protect workers with disabilities against discrimination.
On the third hand, the health care and health finance system are unable to devote much energy to protecting those people’s genuinely sensitive health information because they’re wasting so much time protecting the information about our strep throats.
Katie Benner is reporting in Bloomberg, for example, that one health care company has about 15,000 suppliers with access to its network and enough of a network security budget to audit 12 of those suppliers each year.
When Harry Houdini was working as an escape artist, he encouraged the people who were supposed to tie him up to maximize use of rope. Using lots of rope made it look as if he was tied up especially well. In reality, in most cases, the more rope the knotmakers used in their knots, the looser the knots probably were.
In the case of the Health Insurance Portability and Accountability Act (HIPAA) health information privacy and date security requirements, intelligent, well-meaning policymakers have devoted so much rope to protecting health information that the knots are too loose. People with routine information are inconvenienced, and may end up taking actions (such as writing passwords on notes taped by their work computers) that expose their data to anyone who puts any effort into getting their data.
Meanwhile, the people with genuinely sensitive information may end up with little or no protection coming from measures such as encryption and data security audits, because the need for general audits for everyone is too vast for anyone to have time to focus security resources on the people who really need privacy.
Maybe one solution would be to let people choose whether to ask for extra privacy protection or extra convenience. Maybe saving money on the extra-convenience consumers would expand the resources available to help the extra-privacy consumers.