States   Risks  | Buyers

Maps   Who?  | 1997

Reports   History

News   About

Contact   Sponsors

June 2013 Scott Mace reports on the how Professor Sweeney matched names to patient records in Washington State's health data and how Jordan Robertson confirmed the matches by contacting patients whose names had been matched. Probe Uncovers Hospitals' Inability to Protect Patient Privacy, June 29, 2013. (Click on the image below to view the article.)

June 2013 Jordan Robertson breaks the news about how statewide personal health information is sold widely and how real names can be matched to the data. He made records requests to 20 states for lists of who's buying publicly available health data sold by the state. Twelve states supplied data. His report also includes Professor Sweeney's experiment in which she

June 2012 Jordan Robertson breaks the news in Bloomberg's Tech Blog about theDataMap™ and its launch at The 2nd International Summit On the Future of Health Privacy. His article includes Health Data Map 2010. As Health Records Go Digital, Where They End Up Might Surprise You, June 5, 2012. (Click on the image below to view the article.)

May 2012 Announcing website...

Over the last three years, Dr. Latanya Sweeney, the founder and Director of the Data Privacy Lab, now a program in the Institute for Quantitative Social Science (IQSS) at Harvard University, has been researching ways to gather detailed knowledge of flows of personal health information in the United States. Earlier this year, she designed a way to leverage the help of the public to get accurate information. The result is theDataMap™ project and the basic skeleton of the website is made available today, thanks to the help of Dr. Deborah Peel, founder and Director of the Patient Privacy Rights Foundation.

We live in a data-rich network savvy world. With so much personal data readily available, you might expect to see a litany of personal harms, but pronouncements seem rare. Dr. Sweeney cites many reasons for this, perhaps the most important being the lack of transparency in data sharing arrangements. These hidden activities make personal harms difficult to detect. How then can policy makers and individuals make educated decisions about privacy and data utility in the absence of such knowledge? If a data beach occurs, how would you know your data was stolen if you never knew the breach company had it? There are many worthy uses for personal data beyond the person, so the goal is not to stop data sharing, but to understand the risks so society can address the risks responsibly and reap benefits.

Working on her own, Dr. Sweeney constructed a data map of flows of personal health data based on her own professional knowledge of data sharing arrangements. What was a little surprising was the comparison of her data map in 2010 to that of an earlier data map in 1997. Together these show the dramatic increase in the number and nature of data sharing during the tenure of the HIPAA Privacy Rule, the regulation that provides privacy to medical information in the US. (See maps for links to images of these maps and more information about data maps.)

These maps shows representative, not comprehensive, descriptions of flows of health information between organizations based on ad hoc knowledge of committee members and researchers. What is needed is a comprehensive data map that records virtually all reports of personal data sharing arrangements found on the web.

Few requirements force non-government organizations to disclose with whom they share personal information, but information about the practices of these organizations may appear in privacy notices, IPO filings, documents in legal cases, and so on. Banks, brokerage houses, and insurance companies must have statements about information sharing. Online companies tend to have privacy notices. Government organizations file "system of records notices", which describes the type of information collected and leads to information about how the data are shared. There are many publicly available sources that document data sharing.

Dr. Sweeney will work with reporters to investigate some data sharing arrangements for accuracy, and to put names and stories to the data sharing claims to acquire deeper understanding of the nature and extent of data sharing and related benefits and risks. Veteran reporter, Adam Tanner, has agreed to be in residence. In the future, Dr. Sweeney has plans to enlist the public.

Dr. Sweeney will launch the project in Washington, DC at The 2nd International Summit On the Future of Health Privacy.

Copyright © 2012-2013 President and Fellows Harvard University.