NIH Collecting Medical Records Is Dangerous, Privacy Advocates Warn
Privacy advocacy organizations are warning about the dangers of having the federal government collecting medical and health data from citizens after the National Institutes of Health (NIH) announced on Monday that medical records will be compiled from commercial and federal databases as part of an autism study.
Sign up for a free preview to unlock the rest of this article
"Compiling health and disability-related data from both federal and commercial sources to create a federal registry of people with autism, without individuals’ consent, is the latest dangerous effort by this Administration to repurpose Americans’ sensitive information for unchecked government use," said Ariana Aboulafia, project lead of Disability Rights in Technology Policy at the Center for Democracy and Technology (CDT). “This plan crosses a line in the sand, particularly given longstanding and historical concerns surrounding the creation of registries of people with disabilities.”
Sara Geoghegan, senior counsel at the Electronic Privacy Information Center (EPIC), said it should be difficult to share such information. “There should be safeguards in place that slow down transfers of our most sensitive information, because this shouldn't be a common practice, and this is an unnecessary practice,” she said.
Geoghegan also said she was concerned about who will access the data. “We have seen, and we see almost every day, that unelected tech billionaires have access to information through their role at DOGE, information across federal agencies that they shouldn't have access to.” Geoghegan added, “If this database must exist -- which I question the purpose at all, [as] there is a serious harm of putting a database together of a list of people with disabilities to begin with ... there are questions about who has access to this information. What are their clearances? What are the protocols involved for who can access it?”
Hayley Tsukayama, associate director of legislative activism at the Electronic Frontier Foundation (EFF), said collecting this data will erode trust. “Trust is essential to effective medical care,” she said in an emailed statement to Privacy Daily. “We all want our medical information to be private, because we believe it should be something that’s between us and our health care providers. Unconsented medical data undercuts this trust and puts people at risk by sharing their sensitive data in ways they don’t expect.”
Geoghegan agreed. “People should be able to trust their providers and institutions that we look to for medical and health advice,” she said. “It is frustrating that because of abuse and misuse of personal information, including very sensitive categories of information, like health-related information, that that trust is being eroded and undermined.”
Even if the information is “anonymous,” if looked at in combination with other information about you, it can be used to identify you, Tsukayama said. “The wider the breadth of sources a database may draw from, particularly if those sources include entities that aren’t covered by medical privacy laws, the greater this risk,” she said. “People should have full control over the use and disclosure of their health records, including the ability to voluntarily participate in research if they are given a fully informed choice to opt-in.”
Aboulafia made the same point in an emailed statement. “While NIH has claimed that the confidentiality of this information will be safeguarded using 'state of the art protections,' it’s also unclear if it’ll be anonymized or disaggregated, or how it will be protected from a hack or breach.”
Since the records collected are commercially available, Geoghegan said she is concerned about the data's accuracy and efficacy. “The [Institutional Review Board] has standards for medical research,” she said. “There are protocols to be put in place, not only to protect the privacy of the patients and people involved, but also to make sure that the information collected is accurate.”
Aboulafia said that while there are research purposes for sharing health and disability-related information, this should be limited and centered in research design. “Compiling data to create a registry of people with autism, particularly in a way that is not sufficiently privacy-protective and does not heed the oft-expressed concerns of the disability rights community, is a breach of trust,” she said. “And, this breach of trust could lead people to disclose less information or limit interactions with physicians, providers, and the federal government, contributing to poorer health outcomes overall. It sets a dangerous precedent for Americans with and without disabilities."
Geoghegan also had concerns about data breaches and security. “An accessible database of very, very highly sensitive information is an invitation for bad actors to access it without authorization,” she said.