Because Everyone Was Calling for YA Scifi About HIPAA!
I’ve joked on twitter many times that “I’m writing YA about medical data privacy practices. Haha you know the teens today just can’t get enough of HIPAA-focused fiction!”
I didn’t see the monkey’s paw, curling it’s mummified finger when I said it.
I’m increasingly tired of my work being so very topical.
For very nearly my whole adult life, I’ve worked in the mental health field, where knowing the ins and outs of medical privacy was a basic work requirement.
For the last 3.5 years, I’ve been running my own practice, and for most of that I’ve been dealing with the technical specificities of providing medical care over an Internet connection.
Since I was a teenager, I’ve been fighting with doctors to try to get my needs met.
Medical data privacy law is stitched up into every day of my life.
And it’s likely stitched into yours, to, but if you haven’t had to manage these systems, you might not see it.
Most adults in the US at least have some awareness of the forms they sign at each new clinic, saying they understand the clinics medical privacy policy. I would guess fairly few have memorized the basic terms that duplicate from clinic to clinic, by law.
Precious few have any idea what’s going on with medical privacy in the era of web 2.0. Because boy howdy, the algorithms that exist to sell you stuff, monitor your movements and push narratives at you really love to know intimate details of your needs.
The final time I signed on to Instagram I got an ad, targeted with terrifying laser-like precision, at the adult children of people who were considering getting a specific medical implant procedure my dad had been talking about getting. It encouraged me to “learn more” from the company that makes the device, so I could “help him” make a good choice.
I don’t have an Instagram account anymore.
Here’s a fun one- I semi-recently did a bunch of internet searches, trying to find a good program for a therapy client of mine who wanted to go to addiction counseling.
The whole next week, my twitter feed was flooded with ads for various types of alcohol.
Of course, Facebook’s Meta doesn’t have to go to such extremes. They’ve talked so many institutions into allowing them to install something called Meta Pixel on their webpages that they can skim off information right there in your online clinic web portal. Meta Pixel registers things like what doctor you’re asking to see, what issue you’re trying to see them for, and even your prescription.
Don’t worry though, Meta, that company so famous for their data use integrity and privacy practices promises that they totally delete all that medical stuff.
Why would a megacorporation that meddles in your voting, news, purchasing, and emotional state/mental health want to gather your medical information anyways? Just because they’re known for giving information to legal authorities and using user data to control rivals and allies alike-
I can’t even keep up the sarcasm.
Much as I hate Meta (and oh boy, do I ever), this isn’t really about them.
This is about what medical data privacy really means, and the limits of it under current law.
Years ago, I went to the doctor, and they let me know I was due for a routine vaccine. Cool, great, I love not having Diphtheria. (Fun fact- I didn’t have real insurance for most of my 20s, and so missed a bunch of boosters and got whooping cough and broke a rib from coughing. So I really love booster shots.). Then the doctor referenced my childhood immunization records.
That got my attention very quickly. I was a child in the era of paper charts and big olive green accordion folders. I had never seen this doctor before- how did she have my childhood immunization records? It was convenient, and, again, yay for not having Diphtheria! But still.
I did a bit of digging, and it turns out several of the huge mega-corporations that provide much of the medical care in my area had undergone a massive merger, automatically combining their charts unbeknownst to me and, I'm sure, most of the patients of the two patients. Medical consolidation is a major trend in the US, that few of us have reason to think about.
After all, better coordination between my medical providers is a good thing, right? Better communication and more information should lead to better care.
Till ableism ruins things, yet again.
I have known doctors to dismiss a lot of patient concerns if that patient has something in their chart that activates some prejudice. Have a history of a stigmatized mental health disorder? All your symptoms become psychological problems. Have a history of addiction, even an old one? All your complaints become “drug seeking”, whether you’re asking for medication or not. Have a doctor you used to see who just plain didn’t like you and put a lot of nonsense in your chart? Now that can be the introduction every doctor you ever see has to you.
Now that is bad enough, but say there’s some reason for those records to go outside your doctor's office.
You think- well, HIPAA will defend me then, won’t it?
There are overrides to HIPAA, beyond the “danger to yourself or others”, which give law enforcement agencies broad access to your data. Police do not have to comply with HIPAA, should they access this data.
Most medical providers will automatically and immediately comply with a court subpoena. They shouldn’t, and I was thankful that one of my professors taught us, off the books, how to fight a subpoena, but many of them do. That could happen in a divorce, a wrongful termination case, a disability support hearing, and a handful of other instances.
A parole officer or child protection worker can usually threaten people into signing a release that will also crack your medical file open for their perusal and judgment. Both professions are shockingly shy of oversight or regulation about what they can demand, and again, do not have to comply with HIPAA.
On the other side, we have the question about what you, yourself, can access.
Theoretically, adults in the US "own" their medical data, and are entitled to access to their own medical charts, and entitled to insert statements into their chart to correct things they disagree with.
And yet.
Many states (I’m in one) have loopholes that say that providers can withhold information about a client’s medical chart if it’s likely to be “detrimental to the mental or physical health of the client”. Which means, legally, your doctors can lie to you if they think you can’t handle what’s actually in your chart. But it will still be there, and, depending on whether that provider is in a chart-sharing network, other providers you come into contact with may also see that information- providers that may or may not tell you what’s actually in there.
I had a DNA test done recently- with one of the few providers that doesn’t sell data or provide it to law enforcement- and I wasn’t permitted to access the final report once it was done until the doctor who ordered it signed off that I was allowed to see it, despite the DNA test being through a 3rd party on the other side of the country.
Getting my own information might be too much for my fragile constitution, you see.
The doctor knew nothing about any of the conditions or genes discussed. But this person who had met me once before for 30 minutes was presumed to be a better judge of what I should know than I was.
My very DNA was not my own to read.
Minors of course own nothing. Not their chart, not their privacy, not the right to make most medical decisions (though this is tremendously variable by state and in constant flux). This does not protect them from being surveilled, profiled, targeted, judged or prosecuted based on the data they do not own. Particularly if their parents aren’t on their side.
Much of the hysteria about trans health care is about adults who want to own the bodies of teens and enforce their prefered norms. Sometimes it’s their parents, other times it’d people at their school, their sports, their churches.
In an era of persistent surveillance, the body is the last bastion of true ownership and privacy. It is a nexus of identities, experiences, needs and wounds that touches everything we do, feel, or perceive.
HIPAA was enacted in 1996, 26 years ago, by people who had no way of predicting, much less legislating, the world of information management we live in today.
It's had some updates since then, and likely has more coming, but nothing that can grapple with the attacks on privacy we're experiencing today. Any effort to close the gaping loopholes would doubtless be met with a lot of opposition from companies with deep pockets and major vested interest in maintaining their access to these digitized bodies.
Finding your needs, your points of weakness or desperation is incredibly profitable. And all the algorithms, apps and websites that collect that data- from period trackers to Alexa to your doctors online appointment system, benefit from that profit.
I am honestly shocked I don’t see more scifi focusing on this. The future has snuck up on us and is crawling in through devices we rely on.
I’ve never been impressed with scifi that focuses on “oh no, new technology is scary!”.
But I am very keen on scifi that’s interested in looking at who controls the new tech. Who has the data? Who profits from it? Whose priorities are served in development? Who controls access? Who controls countermeasures? Who can opt out? What would that cost them?
I guess my glib comments dismissing teen's investment in medical privacy practices were premature.
Of course teens would care about this nexus of control, identity, need, and privacy, and the way it's going to shape the futures they have to rely on. Why shouldn't I give them stories about what some teens like them might do about it?
Names in Their Blood is vastly expanding the medical data themes hinted at in Secondhand Origin Stories, and that expansion is going to be critical to the whole rest of the series.
We have the right to know ourselves, and to defend that knowledge.
Or, at least we should.
So, that’s why I’m writing YA books about medical data privacy practices. I hope you enjoy it.
Thanks for joining me for another month. I really appreciate it.
Till next month,
Lee Brontide
Thank you for joining me for another month of Shed Letters. If you know someone who you think would like to join us, please feel personally invited to share any of these emails, or send them an invitation to sign up here. And remember that Secondhand Origin Stories is available for free as an ebook here, or in paperback form from your local independent book shop.