Consumers should ask: are your medical records safe?

About two decades ago, William Weld, then Massachusetts governor, went to a local hospital for tests. A year later, after Weld had left office, a Harvard professor researching the privacy of individuals’ medical records was able to combine anonymous hospital data about state employees admitted, listed by age and gender, with voter rolls for Cambridge, Weld’s home town, to identify Weld, his diagnosis and his medicines.

As extreme as the individual identification of the governor was, it points up one issue consumers must grapple with, a prominent medical researcher says: Your medical records are not as safe from prying eyes as you think.

Specifically, adds Adam Tanner, in a recent issue of Scientific American, medical data-mining companies can use and cross-check available data about doctors’ patients and hospitals’ admissions – even without names and Social Security numbers – to uncover medical trends and exploit them for profit. Tanner, a Harvard researcher, is writing a book on the issue. Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records will be published in January 2017.

The privacy of medical records is important to consumers. The federal Health and Human Services Department runs the privacy regulations under the 20-year-old Health Insurance Portability and Accountability Act (HIPAA). Under it, individuals’ records are supposed to be sacrosanct, available only to patients themselves, medical professionals and – when patients agree – insurers or other health care providers.

“A major goal of the Privacy Rule is to assure individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and wellbeing,” HHS says in its introduction to a 25-page booklet about consumer health protections.

“The rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed,” HHS says.

The catch, Tanner says, is that HIPAA covers doctors, hospitals and other health care facilities and their individual information about patients, but not aggregate data: how many operations doctors perform, what diseases they treat and particularly what medicines they prescribe.

Put that aggregate data together with other information about patient populations, and medical companies, particularly drug manufacturers, can get a pretty good idea of where current and emerging pharmaceutical markets are – and who will use what medications.

That’s where the data-mining firms come into the picture. They collect aggregate data, analyze it and sell the results to the drug makers. Tanner says one big drug company alone, Pfizer, spent $12 million last year to buy pharmaceutical use data from several data-miners.

And while patients’ names are blacked out of the records, doctors’ names aren’t, Tanner notes. The data-mining firms know how many drugs, and which ones, physicians prescribe.

“Once upon a time, simply removing a person’s name, address and Social Security number from a medical record may well have protected anonymity,” Tanner wrote in the Scientific American. “Not so today.”

He added that “straightforward data-mining tools can rummage through multiple databases containing” anonymous and non-anonymous data “to re-identify the individuals from their ostensibly private medical records,” just as the Harvard researcher did with Gov. Weld.

Doctors and states don’t like the data mining and have tried to stop it. Thirty-six states passed laws banning such data-mining and its sales for profit. Data-mining firms challenged Vermont’s law – the first such statute – in federal courts. In 2011, they won in the Supreme Court. The justices ruled that Vermont’s ban violated the firms’ commercial free speech.

Pfizer and other big drug companies use the information from the data-miners to create big pro-pharmaceutical campaigns, pitching drugs not just at physicians who prescribe them, but at consumers. They spent $5.4 billion last year on direct-to-consumer drug ads.

And if you were watching TV during the two political conventions last month, you saw part of that spending. FiercePharma, a critic of the industry, noted the drug companies – led again by Pfizer – ran 126 ads combined on network and cable TV during the conventions.

With the states stymied in federal court, the American Medical Association stepped in, from the other direction. It called, last November, for a ban on such direct-to-consumer drug advertising – the advertising the data-mining supports. Direct-to-consumer ads “drive demand for expensive treatments” even where there are more-affordable alternatives, AMA said.

AMA’s demand for an ad ban “reflects concerns among physicians about the negative impact of commercially driven promotions and the role marketing costs play in fueling escalating drug prices,” said Dr. Patrice Harris, the organization’s board chair.

And the labor-backed National Consumers League says U.S. health care standards should include “careful monitoring and regulation of the promotion and advertising of prescription drugs” – the promotions and ads the data-mining encourages and enables.

Sometimes identifying the pharmaceutical markets can aid consumers, too. FiercePharma noted CVS, the big drugstore chain, just tossed 10 more drugs, from a variety of drug companies, out of its list of approved “formulary” medicines, because the firms, using the aggregate data, engaged in huge price markups on those medications to consumers.

Tanner has his own proposal for battling the data-miners’ use of your health records: Follow Rhode Island’s lead and put consumers in the driver’s seat. That state’s law says consumers must have “the chance to forbid collection of their information for commercial use.” The law also bans “sharing anonymized insurance claims” with outsiders.

Photo: In 2015 the price of Daraprim, the only treatment for a rare, life-threatening parasitic infection, was raised by more than 5,000 percent. Business Wire via AP



Press Associates Union News Service provides national coverage of news affecting workers, including activism, politics, economics, legislation in Congress and actions by the White House, federal agencies and the courts that affect working people. Mark Gruenberg is Editor in chief and owner of Press Associates Union News Service, Washington, D.C.