S.C. law, contracts offer few privacy protections for huge ‘data warehouse’
By RICK BRUNDRETT
If you receive health-related services from certain state agencies, chances are you weren’t told your personal information could be included in a massive “data warehouse” that lawmakers and their staffs have been allowed access to for years.
A state privacy law and inter-agency agreements for the 16-year-old database offer weak privacy protections for citizens who deal with S.C. agencies, a review by The Nerve found.
The issue is timely as lawmakers could return to Columbia next month to consider Republican Gov. Henry McMaster’s vetoes of the 2018-19 state budget, including a proviso that would create another “data warehouse” containing sensitive information on South Carolinians – and which lawmakers and their staffs could access.
McMaster vetoed the proviso in July, several days after The Nerve raised privacy concerns about the proposal to create a workforce and education database, which could track tens of thousands of adults and children. In theory, it could be linked to the existing health database, effectively creating an even larger, state-run bank of personal information.
“This proviso provides no official oversight for the decisions made by the data warehouse committee, no requirement that citizens consent to their personal information being released and quite frankly no one to say ‘no’ or ‘pull the plug’ before it’s too late,” McMaster wrote in his veto message about the proposed “South Carolina Industry, Workforce and Education Data Warehouse.”
McMaster, however, let stand a separate budget proviso that has been renewed annually by lawmakers authorizing the “South Carolina Health and Human Services Data Warehouse,” created in 2002.
A Charleston School of Law professor who reviewed agreements at The Nerve’s request between the state Revenue and Fiscal Affairs (RFA) Office, which manages the health database, and the departments of Health and Human Services (HHS), Health and Environmental Control (DHEC), and Social Services (DSS), said there is a lack of specific privacy protections in the contracts for individuals whose personal information is included in the database.
“There is … nothing that tells the consumer, ‘This is how we’re going to use your information; these are the purposes for it; who we are going to share it with, etc.,’” said Allyson Haynes Stuart, who teaches information privacy law at the law school.
Under a state privacy law, state agencies that collect personal information, which includes photographs, Social Security number, date of birth, home address, driver’s license number, medical or disability information and bank account numbers, must “at the time of collection advise the citizen to whom the information pertains that the information is subject to public scrutiny or release.”
That law, however, doesn’t require agencies to tell individuals who specifically will receive their information or how exactly their records will be used, or obtain written permission from individuals each time before sharing their information.
Under the state budget proviso for the existing database, “internet-accessible secure analytic query tools” are supposed to be “made available to members of the South Carolina General Assembly and their research staff members, state agencies, and researchers.”
Similar language is in the separate proviso for the proposed workforce and education database. The RFA earlier told The Nerve in a written response that “(u)nder no circumstances will personally identifiable information be accessible or released to legislative members or their staff.”
The S.C. Constitution bans “unreasonable invasions of privacy.” Stuart said although that provision has historically applied to criminal matters, the lack of specific privacy protections in the inter-agency agreements for the health database could be considered an unreasonable invasion of privacy “depending on whether the court construed this to apply to the civil context as opposed to just the criminal context.”
The health database is managed by about 20 employees in the RFA, whose three-member governing board is appointed by the governor and chairmen of the House Ways and Means and Senate Finance committees. Senate president pro tempore Hugh Leatherman, R-Florence, is chairman of the Senate Finance Committee, which first passed the budget proviso earlier this year to create the workforce and education database.
The RFA did not respond to an initial written request by The Nerve for specifics on how it protects personal information in the health database. The Nerve later submitted a formal request to the agency under the S.C. Freedom of Information Act for all current contracts between it and public or private agencies that participate in the health database, but was informed that it would cost $114.78 for “more than 20 documents which total more than 100 pages.”
The Nerve declined to pay that amount, contending it would equate to an hourly rate of $38.26 for the quoted three work hours to retrieve the requested records, which likely are readily available. In contrast, HHS, DHEC and DSS provided their respective agreements with the RFA at no charge.
Besides those departments, at least 13 other state agencies or divisions dealing with health issues are required under the annually renewed proviso to “collect and provide client data in formats to be specified” by the RFA.
Protections not specified
The DSS and DHEC contracts, which were signed in 2014, require the agencies to obtain permission from the individual “prior to RFA furnishing the individually identifiable information pertaining to an individual,” and that “(s)uch authorizations or permissions shall be furnished to RFA.”
Nothing in those agreements, though, require the agencies to tell citizens how exactly their personal information will be used, or with what other public or private agencies their information will be shared.
“As long as they can say you consented, a lot of time, that’s going to be considered OK, but whether it’s meaningful notice and meaningful consent, that’s another question,” Stuart said.
“The further the information gets from the original person who gathered it, the original agency that gathered it, the more likely it will get corrupted or hacked into, or any number of things that could go wrong,” she said.
DHEC and HHS each has a written “notice of privacy practices,” which, among other things, allow individuals to get a list of who received their personal information. But those documents are not easily located on the agencies’ websites.
A 2016 agreement between the RFA and HHS, which manages the state’s Medicaid program, doesn’t specifically require individual permission before sensitive information is provided for the health database.
“A lot of the language seems to be protecting the South Carolina agency that’s providing the information to begin with, and that’s kind of its focus as opposed to the individual consumer,” Stuart said, noting that the HHS contract focuses on “security and risk management.”
HHS earlier told The Nerve that the agency provides “medical claims data” to the RFA, including the names, dates of birth and medical treatment records of Medicaid patients. Over 1 million South Carolinians enroll in Medicaid every fiscal year, records show.
Those medical records, according to HHS, are included in the nonprofit South Carolina Health Information Exchange, described on its website as “an innovative statewide highway information system that allows participating health care providers to view a patient’s medical history, including medications, diagnoses and procedures.”
HHS spokeswoman Colleen Mullis said in a written response to The Nerve that when submitting a Medicaid application, beneficiaries “authorize” the agency to “use PHI (protected health information) and PII (personally identifiable information) for eligibility determination and service delivery purposes as well as share this information with authorized entities such as Business Associates,” which include the RFA.
Mullis said beneficiaries are provided the agency’s “notice of privacy practices” as part of the application and also with their “Healthy Connection Cards.”
DHEC provides information from birth and death records to the RFA, including the mother’s and child’s names and dates of birth for birth records; and the decedent’s name, date of birth and death, and Social Security number for death records, agency spokesman Tommy Crosby said in an email.
Asked how exactly that permission is obtained, Crosby said the “only time DHEC agrees to release” personal information to the RFA is “for approved research purposes,” noting a researcher will have “recruited individuals to participate in an Institutional Review Board (IRB) approved study and will have obtained informed, written consent from those individuals, which allows DHEC to release the information.”
“It has been the rare exception that individually identifiable information has been requested,” he said.
Asked the same questions, DSS spokeswoman Marilyn Matheus in an email response Friday to The Nerve said only, “There is no publicly available record that answers your questions.”
Brundrett is the news editor of The Nerve. Contact him at 803-254-4411 or email@example.com. Follow him on Twitter @RickBrundrett. Follow The Nerve on Facebook and Twitter @thenervesc.
Nerve stories are free to reprint and repost with permission by and credit to The Nerve.