When you generate health data, where does it go? I mean, if you visit the doctor, and they collect all their requisite information in their electronic health records, where do the records go? Who may access them? Despite all the regulations in place regarding patient privacy, these questions aren’t easy to answer, especially in circumstances where data breaches may have left sensitive data open to access from unintended parties. This is the ground covered by theDataMap, a project by Prof. Latanya Sweeney and Harvard’s Data Privacy Lab.

The map is essentially an index of known data sharing arrangements between parties, irrespective of whether any single person or group may participate in those relationships. Most of its health data is from state-level discharge records, i.e., partially-structured records describing individual details of a patient and hospital visit, including payment details. While these records don’t include names or other personal identifiers, the project’s creators note that discharge records provide enough detail to link patients to news stories and thereby identify patients. (In theory, some could be linked to clinical case reports as well.) These records also don’t match HIPPA standards as they’re governed by state regulations instead.

So, the answer to “where does my health data go” is essentially “to whoever buys it or finds it after a data breach”. Click on any of the nodes on the project site and you’ll get a list of organizations known to handle health data, along with any instances of data going missing. I think this is the most interesting aspect of the project: with a more comprehensive graph representation and/or a simple API, theDataMap could be a way to automatically trace paths between known data leaks and specific patient groups. If a Florida real estate company suffers a data breach and is known to have purchased discharge records, the impacted parties (i.e., patients of Florida hospitals) should know ASAP. Then again, sometimes it can take nearly a decade for health data breaches to become public.