Oracle’s pending purchase of Cerner raises privacy concerns
How will Oracle, as a data broker, take necessary steps to ensure that patients’ records are kept private?
Because Oracle is a major data broker, its pending acquisition of electronic health records system vendor Cerner is raising some concerns among privacy experts.
Chief among those worries is the potential that Cerner’s database of de-identified patient data, which it makes available for research purposes, could somehow be combined with Oracle’s trove of consumer data to create more complete consumer profiles that then could be used to, for example, help companies develop more targeted advertising.
In a December announcement of Oracle’s plans to complete its purchase of Cerner sometime this year for $28.3 billion in cash, Oracle Chairman Larry Ellison said one of its goals was to work with Cerner to “improve patient privacy.” The announcement also stated: “Oracle and Cerner are committed to continued and enhanced stewardship of health information, which will be bolstered by Oracle’s global operation infrastructure.”
Asked for further comment on privacy issues, an Oracle spokesman tells Health Data Management that the company “is not able to share anything beyond the official announcement at this time.”
A Call to Action
Privacy advocates are calling on Oracle to ensure it’s taking all necessary steps to maintain privacy, citing the serious problems that could result from the exposure of patient-identifiable health data.
For example, they warn that if patients’ health histories are somehow exposed, that could lead to discrimination, such as limits on the types of health insurance or financial products that could be purchased by individuals whose data was made available.
Additionally, if patients fear that their health data will be sold and used for marketing, they could become reluctant to reveal sensitive information to their healthcare providers, and that could have an adverse effect on their health status, says independent privacy attorney David Holtzman, principal at the consultancy HITprivacy. Holtzman formerly worked at the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA.
“The issue is Oracle, as a large data analytics company, has the capability to take information about individuals and consolidate it into a more complete profile of those individuals,” Holtzman says. “To the extent that Cerner could be a source of a vast store of de-identified health information, there’s a concern that Oracle will take that information and attempt to identify it in some way [such as by applying artificial intelligence] … and create value by adding it to other data they assemble.”
Under HIPAA, protected health information that has been de-identified in a specific way can be supplied to researchers without obtaining a patient’s permission.
The Need for Controls
In a recent blog, Justin Sherman, research lead of the data brokerage project at Duke University’s Sanford School of Public Policy, raises a concern: “The question for Oracle is the degree to which the company will put controls in place on the sale of individuals’ data (that) it may get in the Cerner acquisition, and whether there will be public transparency on those controls.”
Privacy consultant Rebecca Herold contends that, as AI algorithms become more powerful, they could facilitate the matching of de-identified data to identifiable data, depending on the way in which de-identification is achieved. “If Oracle and Cerner have not synched and updated their marketing practices, then such re-identified [healthcare] data may be inappropriately used for marketing purposes,” she suggests. The two entities must “establish protections to keep such unauthorized marketing from occurring.”
Implications for Privacy
In his blog, Sherman says the purchase of Cerner by “one of the largest data brokers in the country” presents “serious implications for citizens’ privacy.”
He writes that, “Oracle already holds and advertises data on millions of people, including highly sensitive data, like Americans’ GPS location histories. It could easily combine those immense datasets with supposedly ‘de-identified’ data held by Cerner to learn even more information about specific people. Oracle could then fold that information into its data brokerage services – all part of an ecosystem built on the virtually unregulated collecting, aggregating, buying, selling and sharing of people’s highly sensitive information. Companies could buy that data to target and potentially exploit individuals in all kinds of ways.”
Oracle announcement, December 2021:
“Oracle and Cerner are committed to continued and enhanced stewardship of health information.”
Herold, CEO of Privacy & Security Brainiacs and the Privacy Professor consultancy, says the interpretations of what constitutes de-identified data “have continued to be debated by lawyers as technologies, such as AI, are becoming more powerful to re-identify the data. Ultimately, a HIPAA-covered entity should establish rules for researchers to follow governing the use of AI, and the very real possibility … that AI could re-identify PHI. This should be done prior to handing over the PHI. Rules should be established, such as indicating restrictions on the use of AI algorithms and providing notifications to the (covered entity) regarding AI outcomes that may have re-identified the data.”
Herold calls on Oracle and Cerner to complete certain privacy protection steps before they complete their merger.
“Oracle and Cerner need to take the time necessary to plan for merging digital operations, perform risk assessments on those plans, update plans to fix identified risks and repeat the planning/assessing cycle until doing an actual technology merge,” she says. “Such planning is absolutely critical and a prerequisite to a successful merger – and also to preventing security incidents, privacy breaches and noncompliance infractions.”
A National Privacy Law
Could the Oracle/Cerner deal build momentum for passage of a national privacy law?
The Center for Democracy and Technology, a Washington-based not-for-profit consumer advocacy group, is one of many organizations that, for years, have been pushing for a national privacy law that would, in part, define permitted uses of consumers’ data. But several bills that would create such a law are still languishing in committees, notes Andrew Crawford, senior policy counsel for the center’s privacy and data project.
Some members of Congress might see the pending Oracle purchase of Cerner as another reason to renew the debate on national privacy legislation that would supersede the current patchwork of state laws and provide more clarity, Crawford acknowledges. “But I’m not sure how strong a motivator that deal is or isn’t,” he adds.
Herold, the privacy consultant, argues that a better approach might be to beef up HIPAA and then expand its protections of personal data to apply to information in all sectors, not just healthcare. “It would certainly be one good possibility for establishing a strong and comprehensive national privacy regulation instead of starting from scratch.”
But Crawford notes that, “For better or worse, HIPAA is attached to the entity that holds the data and not the data itself. A new law needs to modernize those protections so they apply to the data itself” and provide “clearer and better privacy protections.”
Howard Anderson, contributing editor, was the founding editor of Health Data Management.