
Posted by ZeidJ 5 days ago

US healthcare marketplaces shared citizenship and race data with ad tech giants (techcrunch.com)
521 points | 169 comments | page 2
offmycloud 5 days ago|
I'm still surprised by the number of web developers who do not understand that, once you include someone else's JavaScript on your site, they have full access to everything on your site, including all submitted customer data.
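An added example, not part of the original comment or thread: a small Python audit that lists which third-party hosts serve scripts on a page and which named form fields those scripts can read, since every included script runs with the page's own privileges. The page URL, HTML and host names are constructed samples, and treating any hostname other than the page's own as third-party is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not taken from any real marketplace site).
SAMPLE_PAGE_URL = "https://marketplace.example/apply"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.adtech.example/pixel.js"></script>
<script src="https://libs.example.net/ui.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body>
<form action="/apply" method="post">
  <input name="full_name"><input name="citizenship_status">
  <select name="race"></select>
</form>
</body></html>
"""


class ScriptAudit(HTMLParser):
    """Collects externally hosted scripts and named form fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlparse(page_url).hostname
        self.third_party = []  # (host, has_integrity_attribute)
        self.fields = []       # form field names readable by any page script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # Resolve relative and protocol-relative URLs against the page.
            host = urlparse(urljoin(self.page_url, a["src"])).hostname
            if host and host != self.first_party:
                # SRI pins the file's content; it does not limit what the
                # script can read once it runs in the page.
                self.third_party.append((host, "integrity" in a))
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append(a["name"])


def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return {"third_party_scripts": parser.third_party,
            "exposed_fields": parser.fields}


if __name__ == "__main__":
    print(audit(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Scripts loaded dynamically at runtime (for example by a tag manager) do not appear in static HTML, so a result like this is a lower bound on what runs in the page.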
tantalor 5 days ago||
> whether they provided details about whether they have incarcerated family members

Okay. That's not much of a signal, is it? This is "metadata" level of detail.

lava_pidgeon 5 days ago||
Cookie Banner isn't such a bad idea now
xp84 5 days ago|
Nah, it’s still stupid and pointless
lesuorac 5 days ago||
Why shouldn't somebody have to ask for permission before using your stuff (disk space)?

It's just by default nobody really wants to give up disk space so you can do better ad tracking so the banner is necessary to convince them to.

Pacers31Colts18 5 days ago||
This is nothing new. They do the same with driver's license data.
shevy-java 5 days ago||
The US citizens will have to fight down those corporate overlords. It is now really just shameful how they leech off of the common man (and common woman). People in democracies outside of the USA shake their head in sadness now. Even Canada is doing better here - don't tell anyone the crazy orange king, for he may begin to potty-mouth and threaten them with invasion again.
aksss 5 days ago|
corporate overlords? These are the state governments selling your data. The call is coming from inside the house. The sooner we realize that government is comprised of the same slithering slime of human greed and laziness, the more realistic discussions we can have.
DangitBobby 5 days ago||
It's not even remotely the same scale. At least the government ostensibly has its incentives aligned with the public. False equivalence gets us further from where we need to be by focusing people on the wrong problems.
aksss 5 days ago||
"Ostensibly" is the mistake in your formula. Current events are replete with examples to the contrary. It's not equivocating to recognize that governments are organizations of humans, subject to the same limitations - the larger they get, the harder they are to manage well; talent is incredibly important to success in mission; leadership is incredibly important to integrity, ethics, and strategy; lower oversight and mediocre control structures lead to abuse. You can see the challenges that government as an organization has there. And as to scale..? Son. At least you can "ostensibly" choose whether or not to interact with corporations unless they are colluding with... government.
DangitBobby 4 days ago|||
Consider the bulk of your comment to be directed similarly as criticism to corporations, minus effective correction mechanism, plus direct incentive to extract as much wealth as possible by providing as little value as possible.
aksss 5 days ago|||
Which isn’t to say government is bad as an institution.. just to say that we regard it with an assumption of good faith at our collective peril - its track record counsels the opposite.
DangitBobby 4 days ago||
It would be comical to hear this as if you think it contrasts with companies if I didn't know you believed it. The very "slime" that leads to the government doing these things accumulates at the behest of the entities you're defending.
josefritzishere 5 days ago||
How is this not a HIPAA violation?
SoftTalker 5 days ago||
HIPAA applies to healthcare professionals and providers, not ad tech companies. And race and citizenship are not personal health-related data.
malcolmgreaves 5 days ago||
That's not actually true. It applies to health care data. If you're a software engineer making a system that includes HIPAA-protected data, you can face individual criminal liabilities for mishandling the data.
dekhn 5 days ago||
No, not really. If you are not a covered healthcare entity, or a business association of a covered healthcare entity, the law simply does not apply to you at all.

Also, I believe (but am not certain) that if there was any criminal case, it would be leadership (C*O) not individual software engineers who would be charged. This is speculation on my part, if anybody has clear facts I'm happy to hear them.

Legend2440 5 days ago|||
It might be a HIPAA violation, depending on the details of the data being shared. Several other healthcare websites have gotten in trouble over the same thing: https://techcrunch.com/2023/04/17/pixel-tracking-hipaa-start...
monksy 5 days ago|||
It is if it connects an individual to an explicit health outcome or category.
dekhn 5 days ago|||
HIPAA as a law is intended to ease transfer of medical information, not restrict it.
ux266478 5 days ago|||
That's not true. It's intended to define a regulated and standard means of transferring medical information while ensuring confidentiality and patient privacy.

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg...

You have to explicitly grant permission for your data to be sold. What's very likely is that either the healthcare provider or insurance company included a request for authorization to sell that data, and the authorization was signed without paying much attention to it.

dekhn 5 days ago|||
You're referring to the privacy rule, which is only part of the law (and not its primary purpose). The original intent of the law was to ensure easy transfer of information to keep health coverage when changing jobs. The privacy rule was not even part of the original law, it was added by HHS 3 years later. See more details here: https://www.ncbi.nlm.nih.gov/books/NBK9576/
arikrahman 5 days ago||
The article you cited states Congress was aware of privacy concerns at the time and covered them as part of the third stated provision.
incr_me 5 days ago|||
You wouldn't need such a modern privacy rule if it weren't for the need for information portability in the digital age. The distinction between whether or not portability or privacy is primary in the law kind of doesn't matter. The real purpose of HIPAA was to help make the newly emerging market forms of health care sustainable. Protocol standardization and modernization of the Hippocratic Oath were both necessities, technical and ideological respectively.
aksss 5 days ago||||
Narrator: "But it did neither."

Honestly, we're better off with it than without it, speaking as someone with exposure to that industry's internals. That act drives a lot of good security practice within the organizations (mostly liability shifting, but still good). Specifically, the fear it instills of ruinous penalties from regulators drives good practice adoption, IME.

Further, multiple crappy patient portals across providers is a crummy experience, but it's an improvement over the world where providers held the data hostage and had zero interest in accommodating your requests for it, or even the idea that you owned it.

ButlerianJihad 5 days ago||||
The second “P” in HIPAA stands for “Privacy”
dekhn 5 days ago||
I wonder if that's why so many people write it as HIPPA.
tardedmeme 5 days ago||
That's because it's very similar to the name of an animal which is not called a hipoo.
SirFatty 5 days ago|||
"The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US federal law designed to protect sensitive patient health information from disclosure without consent."
dekhn 5 days ago|||
That's not really correct. It was designed for portability- the ability to move data between health care providers.

(I work in healthcare-adjacent and have met with many lawyers and had to explain to them all about "HIPAA compliance"; my comment was not made from ignorance, but practical experience based on learning about how the law is used. There is a privacy rule in it, but that was not the real intent of the law. The intent was to make it easy to keep your health care when you moved between jobs.)

nickff 5 days ago|||
Could you please cite the source for that quote? I looked for it, but couldn't find a source; it seems like an AI hallucination.
nickthegreek 5 days ago||
Why would you call it an hallucination because you can't immediately locate the source? You didn't say what in the single sentence would make you jump to that conclusion.

I highlighted SirFatty's text, looked it up on Google and the first result shows it near verbatim on cdc.gov.

https://www.cdc.gov/phlp/php/resources/health-insurance-port...

dekhn 5 days ago||
Here's the original text of the bill's purpose; very little of the bill talks about privacy, and most of the rules around that are part of the HHS Privacy Rule.

To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

avazhi 5 days ago||
Ok?

2 relevant attributes as it turns out.

xp84 5 days ago||
I’m more annoyed that these government healthcare marketplaces are asking people their race in the first place. Really don’t think anything should be, including job applications.
jjtheblunt 5 days ago||
I never (in the US) have understood why those questions include separate questions for race (seems to be like white or black or asian) and for ethnicity, including a really odd question about Latino or non Latino.

Why those questions, but no Danish vs non Danish, and so on?

nostromo 5 days ago||
It's because latinos can be white, black, or native - and historically most people tracking these data wanted to group latinos independently of non-latino whites, blacks, and natives.
dominotw 5 days ago||
do they ask about pre existing conditions? then prbly race also makes sense.
xp84 4 days ago|||
1. one of the main points of the ACA that hasn't been rolled back is that they can't worry about pre-existing conditions anymore

2. even if they could, it would be pretty illegal, I think/hope, to then be like "Oh, well your sickle cell anemia is going to be paid for differently, because everyone knows black people statistically have more of that."

worik 5 days ago|||
> do they ask about pre existing conditions? then prbly race also makes sense

Why?

alucardo 5 days ago||
"race data"... this isn't a thing, this should not be a thing. am i the only one being shocked?
giwook 5 days ago|
And just when you thought the American healthcare landscape couldn't be any more fucked.