Federal Trade Commissioner Warns Americans Need More Control Over Their Personal Health Data

FTC Commissioner Julie Brill (Credit: Columbia Law)

One of the dirty little secrets about health privacy is that the Health Insurance Portability and Accountability Act (HIPAA) doesn’t prohibit the collection or mining of health-related data for commercial purposes; it just outlaws the disclosure of that data.

Because of this, data brokers are able to use records of purchases and online browsing habits to create remarkably comprehensive profiles of health statuses. While the Fair Credit Reporting Act (FCRA) contains rules about how credit reporting agencies and their customers draw from these types of databases, the data mining and brokering fields are less well defined — drawing concern and investigations from members of Congress.

The Federal Trade Commission (FTC) also appears to be worried about the impacts of this growing market. In a speech at the recent Computers, Freedom and Privacy Conference, FTC Commissioner Julie Brill noted that although “big data is not synonymous with the evil empire,” it could be dangerous to give this sort of power to private companies with little oversight. Brill said she worries about how this type of information might be used to make eligibility determinations not covered by FCRA, what happens if that sensitive information is subject to a data security breach, and what the availability of that data to analysts without consumers’ knowledge or consent means for the “individual sense of privacy and autonomy.”

And these aren’t theoretical concerns — not only are companies capable of collecting and selling this information, reporting from the Financial Times shows that they already are.

While there are various legislative options for solving this problem, Brill suggested a campaign to give consumers more control over their identities now:

I would suggest we need a comprehensive initiative — one I am calling “Reclaim Your Name.” Reclaim Your Name would give consumers the knowledge and the technological tools to reassert some control over their personal data — to be the ones to decide how much to share, with whom, and for what purpose — to reclaim their names.

Reclaim Your Name would empower the consumer to find out how brokers are collecting and using data; give her access to information that data brokers have amassed about her; allow her to opt-out if she learns a data broker is selling her information for marketing purposes; and provide her the opportunity to correct errors in information used for substantive decisions – like credit, insurance, employment, and other benefits. […]

In addition, data brokers that participate in Reclaim Your Name would agree to tailor their data handling and notice and choice tools to the sensitivity of the information at issue. As the data they handle or create becomes more sensitive — relating to health conditions, sexual orientation, and financial condition — the data brokers would provide greater transparency and more robust notice and choice to consumers.

On Tuesday, Forbes reported that a major data broker, Acxiom, was “nearly ready to show consumers their intimate personal dossiers.” Acxiom has individual profiles on over 700 million people — containing data ranging from locations, phone numbers, and general financial status to race, occupation, religious and political affiliation, education, and some “health topics of interest to you such as diabetes or arthritis.” It’s unclear at this time if Acxiom’s decision is related to Brill’s “Reclaim Your Name” initiative, but the timing does seem rather serendipitous.