When it comes to protecting health data privacy, where do we find balance?
Health and health-related data are fundamental to informing medical innovations and advances that save lives and improve outcomes for all patients. These data include a wide range of metrics such as prescriptions, lab results, race/ethnicity, gender, and income and, more recently, they’ve come to include data collected on our fitness devices and social media posts.
But the misuse – whether unintentional or otherwise – of personal health data and information can lead to feelings of discrimination, an encroachment on privacy, and even a loss of trust in our health care system.
Back in 2002, on the Senate floor, I stated: “Scientific advances hold the promise of higher quality medical care, yet there is a pressing need for federal legislation to reassure the public that learning this information will not result in a loss of health insurance coverage or in the loss of a job.”
Yes, medical advances demand robust, comprehensive data and information that allow clinicians and researchers to more effectively and efficiently diagnose and treat illness and disease. But we – as a society and as individuals – demand privacy protections and regulations to protect our autonomy. The former cannot and should not exist without the latter.
Yet over 20 years later, federal rules and regulations for health data remain vague and lacking. And though policy and health care leaders have been working to stabilize these two competing interests, it is now time to prioritize and update privacy protections and regulations to more appropriately reflect our 21st century health data and information ecosystem.
Current Privacy Protections And Shortcomings
Most of us have heard of HIPAA, or the Health Insurance Portability and Accountability Act. Since its implementation in 1996, HIPAA has been the most comprehensive legal protection put into place to safeguard our privacy when it comes to health data rules and regulations. As the only physician in the Senate at the time of its passage, I strongly supported HIPAA, but the law we designed nearly 30 years ago predates the digital age and has real limitations today.
For one, HIPAA is a sectoral law. This means that it covers only specific types of entities – such as health care organizations and hospital systems – collecting health data and does not extend to organizations and businesses outside the immediate health care ecosystem that acquire health data. For example, it doesn’t apply to data and information collected by a smartphone app, or to big box stores or websites tracking consumers’ health-related purchasing history. Most people assume it does.
On top of this, once a health care entity “deidentifies” health data (that is, alters it so that the data cannot or should not be attributable to a specific individual), HIPAA no longer applies. As Dr. Bradley Malin – a Professor within the Vanderbilt Department of Biomedical Informatics and leader on privacy and the ethical, legal, and social implications of research – writes on data sharing and deidentification, “Deidentification effectively severs the relationship between individual patients and their data. This prevents patients from learning that data about them have been deidentified or shared, even if a breach occurs. Further, since deidentified data are no longer subject to HIPAA, there is no clear liability for a breach.”
Deidentified data, therefore, can be exchanged with relative ease to non-health related entities. This can take place regardless of a patient’s or consumer’s desire for the data to not be exchanged or without them even knowing the data exchange has taken place.
Even more surprising, this data sharing can take place with no accountability for the health care entity to ensure the data have been sufficiently deidentified. Back in 1996, there was relatively little need for concern here – the chances of data being re-identified were essentially non-existent. But, given today’s more digitally advanced data landscape and the relative ease with which data today can be “reidentified”, this is a huge problem that demands further protections.
Considerations For A Better Health Data System
We not only need health data – we need more of it. These more comprehensive data are the fundamental, necessary building blocks of a learning health care system leading to continuously improving diagnostic capabilities, treatments, and outcomes for all patients. But, we need checks and balances on how these data and information are collected as well as on how and with whom they are shared.
We need accountability as we work to ensure our health data are being put to good use and that the right protections are in place to protect each person’s privacy. It’s a highly delicate give and take. But, together, we can find our footing to better juggle our privacy protections while still allowing our data to fuel life-saving medical advances.
Here are four ways we can get started:
1. Updating HIPAA’s Deidentified Data Rules And Regulations: Under current HIPAA protections, patients can request an overview of their health data disclosures. This allows patients to learn about the types of organizations that have access to their information and sometimes how it is being used. But, once data are deidentified, patients are no longer entitled to this information. In terms of privacy and autonomy, this is a critical shortcoming. We should be ensuring that patients have a right to know who has their data and why. And we should simultaneously be examining ways to make organizations – especially those that are outside of health care – more accountable for the uses of deidentified data once they have been acquired.
To equitably meet the health challenges of a 21st century health data ecosystem, we should build on current HIPAA deidentification standards by increasing the transparency for patients and consumers and the overall accountability of those using health data. This will require us to establish clear standards for deidentified data and its uses that protect all Americans, to implement ongoing monitoring and continuous regulation of deidentified data, and to strictly prohibit data reidentification.
2. Improving Our Data Infrastructure: Data are key to building an effective learning health care system. But we need to assure patients that their health data are secure. To accomplish this, we need a strong data infrastructure that is consistent, secure, and interoperable. Standardization should play a key role here. And, new investments in our data infrastructure should support data standardization via electronic data medical records that reduce unnecessary administrative burdens and human error. This is not a new consideration. In June 2005, I worked with Senator Hillary Clinton to introduce the bipartisan Health Technology to Enhance Quality Act aimed at modernizing medical records with computer technology to reduce human errors.
This infrastructure rebuild should also be coupled with revised federal policies that prioritize and ensure secure, seamless transfer of vital health data within the health care industry. Already we are seeing policy makers step up here, and recent provisions in the 21st Century Cures Act called on the U.S. Department of Health and Human Services (HHS) to assure interoperability of health information and seek to establish more comprehensive data sharing by prioritizing use of electronic health records and digital sharing.
3. Establishing Individual Rights Over Data Sharing: HIPAA and most states with unique privacy rules and regulations uphold the right for individuals to consent to uses and disclosures of data. At first glance, this might seem like a sufficient method of protecting privacy, but it unfairly puts the burden on patients and consumers instead of holding institutions accountable. Moreover, in health care settings, HIPAA does not grant individuals the right to bring a lawsuit on their own behalf. This means there is little to no accountability when HIPAA protections are violated, such as when a health care organization fails to sufficiently deidentify a patient’s data.
Moving forward, data collection – and resharing of these data – should be limited to what patients or consumers might expect. We should consider implementing rights to know when a company possesses one’s data, the right to obtain copies, and the right to request corrections to these data when mistakes are identified. A simple way to accomplish this level of transparency would be to allow patients at any time to see a full accounting of who has access to their data.
Further, organizations should consider establishing consumer oversight boards. These data ethics oversight boards could work much like Institutional Review Boards that oversee biomedical research. These boards would allow and encourage institutions to evaluate continually the legal and ethical implications of data projects against their ability to improve health or the health care system.
4. Encouraging Equitable And Beneficial Uses: To maximally provide patients with more effective treatments and better outcomes, we will continually need more data. Systemically, if we cannot assure patients that their data and privacy are protected, then we cannot continue to fuel medical discoveries and expand upon health and wellness interventions. So, while we focus on protective measures for health data, we simultaneously need to focus on assuring and encouraging its appropriate and equitable use.
Equally important to establishing increased transparency and accountability measures is the need to do this in an equitable and just way. And when it comes to current privacy protections, these have been distributed inequitably. In an article on health data values and priorities, Dr. Anita Allen – a Professor of Law and Philosophy at the University of Pennsylvania and expert on data protection law and ethics – writes: “The rise of big data and artificial intelligence in the digital economy has made it increasingly difficult for any individual, especially those from disadvantaged groups, to exercise meaningful control over the collection, manipulation, and use of medically related and other personal information about them.” We must work to swiftly correct course here and ensure that data collection is fair to, representative of, and beneficial for all.
Aspen Health Strategy Group Report
While data privacy was an issue I considered in Congress, I’ve been revisiting it in more detail over the past year with the Aspen Health Strategy Group, which I co-chair with former HHS Secretary Kathleen Sebelius. Last month, we released a report “Protecting Health Data Privacy and Improving Patient Care.” This report sought to comprehensively assess if we are really putting Americans’ health data to good use and if we are doing enough to protect our privacy.
In the report's findings, we distill “Five Big Ideas to Protect Health Data Privacy and Improve Patient Care” such as recommending that health data privacy laws reflect social norms and that all entities holding health data have clear policies. Within these suggestions to improve privacy rules and regulations is the deep understanding that a learning health care system can only be achieved with substantial data sharing. This requires trust in our health system and those that use our health data.
Because of this, patients and consumers should be involved in the development of new privacy practices along the way. And we need all voices represented – especially those most vulnerable to data misuse or exclusions from the benefits of data collection, use, and analysis.
It’s time for Congress and all those who hold and use health data to modernize how we approach health information in our current data ecosystem. Together, we can find solutions that continue our great strides in medical advances and innovation and simultaneously protect our privacy when it comes to personal health data and information.