Patient Privacy Rights denounced Blue Cross Blue Shield’s plans to disclose [de-identified] data gathered from its enrollees. On August 4, 2006, Blue Cross and Blue Shield (BCBS) announced the creation of Blue Health Intelligence (BHI) comprised of claims and health information from 79 million plan enrollees and intends to disclose this data to employers, drug companies, device manufacturers, and other corporations. (See participating plans cited below.)

“This move by the Blues reveals what Americans can expect from an electronic health system because they no longer have the right to control access to their medical records. Their sensitive health records will be used for corporate profits and in ways that can directly harm them,” said Deborah C. Peel, M.D., founder and chair of Patient Privacy Rights, a national consumer privacy watchdog organization.

In a press release, Blue Cross and Blue Shield executives tout potential uses of the nation’s largest database of consumer health data as providing “a treasure trove of information that employers working with health plans can use to extract greater value for their health care dollars.”

In a conversation with Patient Privacy Rights, [Chief Medical Officer with BCBS of Minnesota] David Plocher, M.D., said that the intended use of the database is to “service the big employers that pay the bills and want to pay smaller bills for health insurance.” Further he said that he was “very enthralled about the ability to help multi-state employers fix their healthcare costs.” During the one and one-half years that BCBS has been building the BHI database, he had “never heard about privacy concerns.”

“Blue Cross is moving rapidly ahead with their plan to use—and we assume this means sell—the health data of 79 million [Americans] despite the moral, ethical, and legal violations this theft of personal data entails. Consumers agree to have their doctors share medical records with insurers only so that payment can be made. BCBS never asked consumers for informed consent to use their sensitive health records for any other purpose. Consumers’ expectations are crystal clear: we expect our medical records to remain private and we expect to control access to and uses of our sensitive health records,” Dr. Peel said.

Patient Privacy Rights states that, morally and ethically, sensitive medical records belong to patients. The patient privacy watchdog organization says that BCBS is acting in violation of state and common laws requiring consent before medical records are disclosed.

“Existing state laws do not say it’s OK to disclose medical records stripped of personal identifiers. In fact, there is great risk that de-identified records can be re-identified and no laws prohibit the re-identification of health data,” Dr. Peel said.

Patient Privacy Rights states that the BCBS plan to aggregate and disclose, sell and/or lease enrollees’ health data is wrong because:

• Consumers did not consent to the re-use of data that was disclosed only to pay claims.
• Consumers were not given the opportunity to opt-in or opt-out of the BHI database.
• Consumers do not have access to audit trails of disclosures of their data to other corporations beyond BCBS.
• Aggregating and using enrollees’ health data violates the Code of Fair Information Practices.
• The database violates medical ethics—patients were never asked for informed consent to have their data entered into the BHI database for uses BCBS did not specify or get consent for.
• The database violates state and common laws that require consent before the disclosure of medical records; there are no exceptions for de-identified records.
• Re-identification of data is not hard to do, subjecting consumers to risks of exposure, humiliation, credit loss, or to employer discrimination in hiring, firing and promotions.
• Operating without consumers’ permission, BCBS could decide to add other medical records in their possession to the BHI database, such as lab results, x-ray reports or films, clinical notes and records, etc.