Beyond HIPAA: Maintaining patient privacy in a big data era
After a prolonged, painful era in which medical data were exchanged mainly by fax, most patients today have electronic health records. But the data within them aren’t as private as they might think, says Kenneth Mandl, MD, MPH.
As director of the Computational Health Informatics Program (CHIP) at Boston Children’s Hospital, he’s seen patient data flow freely in the commercial sector. Even as patients often struggle to access their complete record, their data are being shared with insurance companies, pharmaceutical companies, big tech companies, and a new breed of companies specifically rising up to monetize patient data. Some of these are electronic health record companies; others incorporate patient data into services, such as clinical decision support or matching patients to clinical trials.
HIPAA’s privacy rule regulates how patient data can be shared and how they must be protected. However, once those data have been de-identified — stripped of names, dates of birth, addresses, and other telltale information — the data no longer fall under HIPAA. But it’s been shown repeatedly that people can be re-identified fairly readily from data sets, for marketing and other purposes, using computational techniques. And that’s what worries Mandl.
In a Perspective piece in The New England Journal of Medicine, Mandl and coauthor Eric Perakslis, PhD, warn of a “torrential leak” of de-identified data.
“With just a few data elements like date of birth, zip code, and gender, a supposedly de-identified data set can be matched up against publicly available data like voting records or financial information, often leading to re-identification of the vast majority of people in a data set,” says Mandl.
A patient privacy proposal
Mandl and Perakslis propose several approaches to ensuring patient privacy:
- To a large extent, health care institutions should treat de-identified data much the way they treat HIPAA-protected health information. They should inform patients that their data may be used in research and possibly shared with commercial parties, and should maintain controls over de-identified data sets, even though those controls are not required by HIPAA.
- When health care institutions share data with third parties, contractual controls should specify that health data never pass beyond these parties, and that the data cannot be linked with other data sets or re-identified without the permission of the health care provider who originated the data.
- Providers should take measures to prevent data from leaving the health care institution, and instead establish methods to allow external parties to analyze the data while keeping the records in-house. Protective contracts or agreements can be used to protect patients’ privacy on a project-by-project basis.
- Legislators and regulators should explore new consumer protections, such as a California law that makes re-identification of de-identified health data illegal. They should also consider the pros and cons of “right to erasure” policies enacted in the European Union. These would ensure that a patient can choose to have their information erased from a data set when the data are being used for purposes other than the original one, or simply because they no longer consent to their data being used.
“We are both very much in favor of using data in health care to drive intelligent treatment decisions, improve value, and underpin discovery,” says Mandl. “We need to find a way to promote beneficial uses while maintaining individuals’ right to privacy and protecting them from harms.”
Related Posts :
CHIP-ing away at health and medicine for 25 years: A look back
In 1994, when CHIP was formed, the dotcom boom was just dawning. iPhones and social media (except for the earliest versions) ...
If another pandemic hits, our online 'footprints' may help the experts
When the new coronavirus hit early last year, little was known about it. As people started coming to the emergency ...
New health care data-sharing rule, coming in 2022, has its roots at Boston Children’s Hospital
Are you sick of health care systems not communicating with each other? Do you wish you could access more of ...
Affordable Care Act eases health care costs for families with children, study finds
On November 10, the U.S. Supreme Court will hear arguments on a case challenging the Affordable Care Act. With the ...