Beyond HIPAA: Maintaining patient privacy in a big data era

Even as we struggle to access our complete medical records, our data are being shared with insurance companies, pharma, big tech, and new companies seeking to monetize patient data. (Image: AdobeStock/Illustration: Sebastian Stankiewicz, Boston Children's)

After a prolonged, painful era in which medical data were exchanged mainly by fax, most patients today have electronic health records. But the data within them aren’t as private as they might think, says Kenneth Mandl, MD, MPH.

As director of the Computational Health Informatics Program (CHIP) at Boston Children’s Hospital, he’s seen patient data flow freely in the commercial sector. Even as patients often struggle to access their complete record, their data are being shared with insurance companies, pharmaceutical companies, big tech companies, and a new breed of companies specifically rising up to monetize patient data. Some of these are electronic health record companies; others incorporate patient data into services, such as clinical decision support or matching patients to clinical trials.

HIPAA’s Privacy Rule regulates how identifiable patient data can be shared and how they must be protected. Once those data have been de-identified (under the rule’s Safe Harbor method, by removing 18 categories of identifier, among them names, all date elements except the year, street addresses, and all but the first three digits of the ZIP code) they no longer fall under HIPAA at all. But it has been shown repeatedly that the attributes that remain, such as birth date or year, ZIP code, and sex, act as quasi-identifiers: joining them against another data set that does carry names re-identifies people fairly readily, and this is done for marketing and other purposes using routine computational techniques. That is what worries Mandl.

In a Perspective piece in The New England Journal of Medicine, Mandl and coauthor Eric Perakslis, PhD, warn of a “torrential leak” of de-identified data.

“With just a few data elements like date of birth, zip code, and gender, a supposedly de-identified data set can be matched up against publicly available data like voting records or financial information, often leading to re-identification of the vast majority of people in a data set,” says Mandl.
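The linkage attack Mandl describes, followed by the k-anonymity check an institution could run before releasing a de-identified extract, as an added Python example. It is not code from the article or from the NEJM piece, and k-anonymity is a standard technique the article does not name. Every patient, voter, name and ZIP code below is constructed; the generalization step is a simplified version of Safe Harbor’s year-of-birth and 3-digit-ZIP rule.

```python
"""Linkage attack on a "de-identified" clinical extract, and the k-anonymity
check an institution could run before releasing it.

Added example; every record below is constructed, not real patient or voter data.
"""
from collections import Counter, defaultdict

# Quasi-identifiers: fields that identify nobody on their own but, combined,
# single people out. These are exactly the ones Mandl names.
QI = ("dob", "zip", "sex")

# Constructed "de-identified" extract: names removed, but full date of birth
# and 5-digit ZIP retained, so it is not even Safe Harbor compliant.
CLINICAL = [
    {"dob": "1971-03-14", "zip": "02115", "sex": "F", "diagnosis": "asthma"},
    {"dob": "1971-09-02", "zip": "02116", "sex": "F", "diagnosis": "hypertension"},
    {"dob": "1985-11-02", "zip": "02134", "sex": "F", "diagnosis": "type 2 diabetes"},
    {"dob": "1985-11-02", "zip": "02134", "sex": "F", "diagnosis": "migraine"},
    {"dob": "1962-07-30", "zip": "01002", "sex": "M", "diagnosis": "depression"},
    {"dob": "1985-04-18", "zip": "02135", "sex": "F", "diagnosis": "anxiety"},
]

# Constructed public voter roll: names alongside the same quasi-identifiers.
VOTERS = [
    {"name": "A. Rivera", "dob": "1971-03-14", "zip": "02115", "sex": "F"},
    {"name": "B. Chen",   "dob": "1971-09-02", "zip": "02116", "sex": "F"},
    {"name": "C. Okafor", "dob": "1985-11-02", "zip": "02134", "sex": "F"},
    {"name": "D. Patel",  "dob": "1985-11-02", "zip": "02134", "sex": "F"},
    {"name": "E. Novak",  "dob": "1962-07-30", "zip": "01002", "sex": "M"},
    {"name": "F. Silva",  "dob": "1985-04-18", "zip": "02135", "sex": "F"},
    {"name": "G. Hale",   "dob": "1990-01-01", "zip": "02115", "sex": "M"},
]


def qi_key(rec, qi=QI):
    """The quasi-identifier tuple of a record, used as the join key."""
    return tuple(rec[f] for f in qi)


def link(clinical, public, qi=QI):
    """Join the release to the public table on the quasi-identifiers.

    Returns (re_identified, ambiguous). A clinical record whose key matches
    exactly one public record is re-identified: the attacker now knows that
    named person's diagnosis. A key shared by several public records only
    narrows the candidates to that group.
    """
    index = defaultdict(list)
    for p in public:
        index[qi_key(p, qi)].append(p["name"])
    re_identified, ambiguous = [], []
    for rec in clinical:
        names = index.get(qi_key(rec, qi), [])
        if len(names) == 1:
            re_identified.append((names[0], rec["diagnosis"]))
        elif names:
            ambiguous.append((tuple(names), rec["diagnosis"]))
    return re_identified, ambiguous


def k_anonymity(rows, qi=QI):
    """k of the release: the size of its smallest quasi-identifier class.
    k == 1 means at least one record is unique on the quasi-identifiers."""
    sizes = Counter(qi_key(r, qi) for r in rows)
    return min(sizes.values()) if sizes else 0


def generalize(rec):
    """Coarsen the quasi-identifiers in the spirit of HIPAA Safe Harbor: keep
    only the year of birth and the first three ZIP digits. (Simplified: the
    real rule also zeroes the 3-digit prefix for sparsely populated areas.)"""
    out = dict(rec)
    out["dob"] = rec["dob"][:4]
    out["zip"] = rec["zip"][:3]
    return out


def anonymize(rows, k, qi=QI):
    """Generalize, then suppress every record whose class is still smaller
    than k. Generalization alone does not guarantee k-anonymity; the check
    after it is what does."""
    gen = [generalize(r) for r in rows]
    sizes = Counter(qi_key(g, qi) for g in gen)
    return [g for g in gen if sizes[qi_key(g, qi)] >= k]


if __name__ == "__main__":
    hits, partial = link(CLINICAL, VOTERS)
    print(f"raw release: k={k_anonymity(CLINICAL)}, "
          f"{len(hits)} of {len(CLINICAL)} records re-identified")
    for name, dx in hits:
        print(f"  {name}: {dx}")
    released = anonymize(CLINICAL, k=2)
    # The attacker coarsens the public table the same way before joining.
    hits2, partial2 = link(released, [generalize(v) for v in VOTERS])
    print(f"k=2 release: {len(released)} rows kept, k={k_anonymity(released)}, "
          f"{len(hits2)} re-identified, {len(partial2)} narrowed to a group")
```

On the constructed data the raw extract has k = 1 and four of six records are re-identified by a plain join. Coarsening to year and 3-digit ZIP still leaves one unique record, which is why the release step measures k and suppresses rather than trusting the generalization; the k = 2 release yields no exact re-identification, though each record is still narrowed to a group of two or three people, which is the residual risk a data-use agreement has to cover.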

A patient privacy proposal

Mandl and Perakslis propose several approaches to ensuring patient privacy:

  • To a large extent, health care institutions should treat de-identified data much the way they treat HIPAA-protected health information. They should inform patients that their data may be used in research and possibly shared with commercial parties, and should maintain controls over de-identified data sets, even though those controls are not required by HIPAA.
  • When health care institutions share data with third parties, contractual controls should specify that health data never pass beyond these parties, and that the data cannot be linked with other data sets or re-identified without the permission of the health care provider who originated the data.
  • Providers should take measures to prevent data from leaving the health care institution, and instead establish methods to allow external parties to analyze the data while keeping the records in-house. Protective contracts or agreements can be used to protect patients’ privacy on a project-by-project basis.
  • Legislators and regulators should explore new consumer protections, such as a California law that makes re-identification of de-identified health data illegal. They should also consider the pros and cons of “right to erasure” policies enacted in the European Union. These would ensure that a patient can choose to have their information erased from a data set when the data are being used for purposes other than the original one, or simply because they no longer consent to their data being used.

“We are both very much in favor of using data in health care to drive intelligent treatment decisions, improve value, and underpin discovery,” says Mandl. “We need to find a way to promote beneficial uses while maintaining individuals’ right to privacy and protecting them from harms.”
