Anytime a person gets tested for COVID-19, it creates a data point public health officials can use to track the spread and prevalence of the virus—but it also creates a financial opportunity for a private company administering the test.
There is a multibillion-dollar market for health data in the United States, and those same companies that are now scaling up coronavirus testing, like LabCorp and Quest Diagnostics, have been making money from patients’ medical data for years.
When a patient gets tested at a private lab, that lab often removes the patient’s name, then feeds the test information to third parties like pharmaceutical companies, advertisers, researchers, and other companies with an interest in analyzing large quantities of health data.
“When you go to have your blood tested, or your urine tested, or tissue sampled, you sort of think that’s a very private thing, it’s coming from inside of you,” said Adam Tanner, author of “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records.” But provided companies meet some anonymization requirements, that information can quickly be packaged and resold. “That’s a big surprise to a lot of people,” Tanner said.
Under the United States’ health privacy law, the Health Insurance Portability and Accountability Act (HIPAA), data must be “de-identified,” which means excluding easily identifiable information, like the name of a patient. But experts say an astonishing amount of detail can still appear in a patient’s file.
What’s sold can go well beyond the results of a test and might include a doctor’s name, the date of a visit, the general location of a patient’s home, the patient’s gender, and more. And labs don’t have to disclose that practice directly to patients.
LabCorp, one major testing company, told investors in 2018 that its database of patients covers about half of the U.S. population, with about 115 million patient “encounters” annually.
And it’s not just testing companies. Tanner has also chronicled how health insurance companies such as Blue Cross Blue Shield and corporations like GE, through its health care software arm, operate in the medical data industry, selling portions of their clients’ medical records.
Even small businesses, whether labs or other health care providers, can get paid for the information. In the case of prescription data, CVS Health’s executive vice president said in 2014 that “pretty much everyone” sells the information.
With more than 70 million Americans having already been tested for COVID-19, there’s a trove of valuable health data out there. So far, it’s not so clear who’s buying it and what exactly they can see—but if past practice is any indication, it could be quite a bit.
Isn’t health information private?
Despite requirements to remove identifiable data, canny researchers have shown that it’s possible to mine the remaining data to identify patients. In 2013, researchers compared de-identified data with news reports on hospitalizations in Washington State and were able to tie health data to names for 35 of 81 news reports. Similar results have been reproduced in other states.
Michelle Mello, a professor of law and medicine at Stanford University who studies health policy, said that HIPAA, written in the 1990s to ensure patient privacy, didn’t fully account for how powerful computers could be used to deanonymize data.
“De-identified ain’t what it used to be,” she said.
Occasionally, data collected during testing has also been illegally accessed. Last year, two large testing companies, Quest Diagnostics and LabCorp, disclosed that a hacker had accessed the personal, medical, and financial information of millions of patients from a medical bill collection agency.
Who’s buying my COVID-19 test information?
Quest and LabCorp have now become the two major providers of private COVID-19 testing and will also be a source for de-identified data on results. Quest advertises that it processed more than nine million COVID-19 tests from March through July, while LabCorp says it processed 11 million as of August.
Quest Diagnostics spokesperson Wendy Bost said that the company generally offers de-identified data through a licensing process and that the company will only provide a data license to buyers for a single, specific, limited purpose. The process, she said, is always compliant with HIPAA. The company has itself analyzed its own data for insights into issues like illicit drug use.
Bost said the company was providing data on COVID-19 testing directly to public health officials to help track the spread of the pandemic, and that any health information gathered as part of COVID-19 testing would be licensed only for purposes related to fighting the virus.
LabCorp did not respond to a request for comment but has made clear that it’s collecting data through coronavirus testing and in turn making that data available to others. In April, the company announced an agreement with a health analytics company to build “a comprehensive U.S.-based COVID-19 patient data registry.” (LabCorp did not respond to The Markup’s questions about who may access the data or whether the company would charge for access.)
The company noted that, in a period of only about a month, it had already conducted 500,000 COVID-19 tests that could be added to the database. “This registry will house curated, HIPAA-compliant de-identified data sets to expedite clinical research and analyses related to COVID-19,” the announcement read.
Mello said that, in some ways, the de-identified data is a boon to American researchers, who can access it for important health trends, including about the coronavirus. “People tend to have a pretty strong knee-jerk reaction to the idea of their health data being sold, for very good reasons,” she said. But the data could be legitimately valuable to researchers.
“To me, it’s not necessarily always bad that de-identified data are being transferred or shared or analyzed by private companies,” she said. “The question to me is really how you do that responsibly.”
What about what the patient wants?
Whatever the potential societal benefits of sharing the data may be, Tanner, the author of “Our Bodies, Our Data,” questions whether patients are being properly informed about what happens to their information—whether after COVID-19 testing or a simple doctor’s visit. A doctor’s office may give you a notice about HIPAA regulations, but declining to sign it doesn’t stop a company from selling health data, so long as it complies with HIPAA.
“Imagine if a blood test lab said to you, ‘Would you mind if we shared information about your blood test with scientists and university researchers to help solve the COVID crisis?’ ” Tanner said. “One imagines there’d be huge participation. Many people would be very happy to share their data, if it could even in a small way solve this worldwide crisis. But you don’t have that choice.”
In other places, like Europe, patients are given more control over their health data. In Estonia, for instance, which operates a centralized, national system of health care records, patients are more explicitly the owners of their data.
But in the U.S., patients can’t easily profit from the information about them that’s bought and sold. Some upstart companies have begun looking at ways for patients to profit in this way—pushing for state laws that would help patients to sell their own data. But those efforts raise other questions about financial inequality and whether the government should incentivize people to sell their privacy.