Where Health Data Ends and Personal Data Begins

Reflecting on the use of Personal Data in Health Insurance Risk Assessment

Last week, ProPublica published an interesting article (link) about how health insurers are using personal data to supplant a patient’s medical data in order to carry out a risk assessment of the individual and use this as a basis for determining, amongst other things, a risk score concerning the individual — ultimately deriving risk-adjusted pricing for the individual’s health insurance based on factors other than the individual’s actual health. While legislation concerning health data is strong in many countries, including the US (the target of the article), it is interesting to note that as personal data falls outside the classification of health data, this kind of use of personal data by an industry already under regulation provides a convenient, if unintentional, side-step mechanism by which the safeguards provided health data can be bypassed by leveraging (relatively) less-restricted personal data in ways not anticipated by the individual.

While the GDPR provides the basis upon which this kind of unintended use of personal data without the explicit, informed, consent of the individual can be inhibited, one could also imagine this kind of cross-dataset analysis to influence general risk assessment methodology by insurers in the EU as well — particularly as insurers seek to leverage customer data to minimize and contextualize their risks and individuals become more willing to share data in order to reduce the cost of their own premiums.

The overlap between this model and what has already happened with automotive insurance is perhaps unsurprising — usage-based pricing models (link) specifically leverage everything from basic trip data in more typical Pay-As-You-Drive (PAYD) models to analysis of more complex (advanced vehicle instrumentation) and increasingly invasive (driver behavioural assessment) data sets in more advanced Pay-How-You-Drive (PHYD) models. A similar kind of scaling in data query richness is then perhaps not far off in the Health insurance domain. One could imagine an analogous model looking something like:

• Pay-As-You-Live: an individual may choose to disclose that they have a gym membership; and
• Pay-How-You-Live: an individual may allow assessment of dynamic data from wearable fitness trackers to determine the extent to which they actually do anything with it.

While the real business value in the risk calculation stems from the latter kind of analysis (as with PHYD), this kind of invasive data collection and analysis will face significant acceptance issues both in an industry that is traditionally risk-averse and by individuals already distrustful about being monitored by connected things. The ProPublica article observes that much of the current risk assessment is done with personal data that is freely available or otherwise in the “public domain” — without the individual’s knowledge — an approach that, in our opinion, will ultimately face limited utility as the more valuable data sets remain under the individual’s control and cannot be passively collected.

The collection and use of personal data without the informed consent of the individual is unlikely to result in a scenario where individuals trust the insurer sufficiently to provide the highly sensitive and sought-after data, limiting the extent to which data-driven pricing models can be extended and, by extension, the amount of business value that can be realized — a situation greatly improved by the GDPR.

Within the RestAssured project (link), we specifically look at mechanisms by which the selective disclosure of sensitive data can be facilitated by the individual, exercising their rights under the GDPR, while also providing business users with the means by which to ensure that their service offerings and data accesses remain compliant and in line with the consent provisions of the individual. While our work in RestAssured has focused on the PAYD case, we look forward to advancing this in other domains that face similar challenges.

Are you an insurer interested in enabling these models in the EU? Are you an individual interested in finding out more about how your data influences risk assessment? Get in touch!

Originally published at www.adaptant.io on July 23, 2018.