Medical privacy has predated privacy regulations by thousands of years, so it makes sense that medical data is its own category of personal data (GDPR recital 35, HIPAA). The definition is rather consistent across regulations: personal information related to the health of an individual. But is it so easy to separate health information from other types of personal information? Let’s use the now ubiquitous vaccine passports to illustrate our story.
The blurry lines between health and non-health data
Sometimes the most intuitive definitions are the hardest to write. A previous post aimed to give a rigorous yet actionable definition of personal information. Let’s do the same for medical data. GDPR is a good place to start. It defines medical data as “data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject”.
The patient record at a hospital would trivially qualify as health data. But what about an appointment with the hospital’s specialist? Whether it pertains to the health status of a data subject may be debatable, but it clearly reveals information about that subject’s current health status.
And what about the history of weekly rides to a specialist’s address stored by a ride-hailing company? It, too, reveals information about an individual’s health.
HIPAA explicitly excludes such indirect information from its scope by applying only to “health plans, health care clearinghouses, and to any health care provider”. But whether it is regulated by HIPAA or not is only part of the story. Leaking health data can cause irreparable damage to individuals (and hefty litigation costs for the data controller in case of a breach!), and it should definitely not be treated lightly.
Arguably, the harder it is to make the connection between data and health-related insights, the better. But how can we be sure it is hard? Enter vaccine passports.
The challenges of the Covid-19 vaccine passports
In many countries, most real-world activities now require checking vaccination status (or swab test results): restaurants, malls, museums, and much more. Suddenly, any record, log or trace of an individual doing such an activity became a trivial link to health information.
The connection is much stronger than connecting Uber rides to possible medical conditions: it is mandated by law!
Take-away: protect all personal data as if it could become health data
The main take-away is that there is no such thing as mundane personal information. It is all connected, and a souvenir from the aquarium or an online review of a restaurant can yield direct insights into a patient profile!
It might be hard to derive health information from such data, but what is even harder is having any certainty about it. Guesswork is a risky endeavor, and luck-based compliance is probably not the best way forward. This example is a reminder that all personal data should be protected with appropriate care.