HIPAA’s Broken Promises

SFox

If you hate HIPAA, it’s your lucky day. Paul Ohm is handing you ammunition in his article, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.” His argument: our current information privacy structure is a house built on sand.

“Computer scientists…have demonstrated they can often ‘reidentify’ or ‘deanonymize’ individuals hidden in anonymized data with astonishing ease.”

Ohm’s article describes HIPAA, in particular, as a fig leaf – or worse, as kudzu choking off the free flow of information.

“[I]t is hard to imagine another privacy problem with such starkly presented benefits and costs. On the one hand, when medical researchers can freely trade information, they can develop treatments to ease human suffering and save lives. On the other hand, our medical secrets are among the most sensitive we hold.”

Indeed, one might reformulate that statement:

“When e-patients can freely trade information (with fellow patients, with family members, with health professionals…), they can track symptoms, treatments, and outcomes that would otherwise go unobserved.”

That’s the hope and the promise of participatory medicine. Yet there is a danger to all that health data floating around.

Ohm uses a haunting phrase to describe the possibility of re-identification: the database of ruin. It will reveal all our secrets to everyone, at any time, and follow us wherever we go (calm down, it doesn’t exist yet).

My take on his essential message is:

Fear the database of ruin, but don’t become paralyzed by it. Instead, work toward its prevention.

That call should be heard by everyone, not just those of us living with diagnoses we want to hide. Ohm argues that only people with absolutely no secrets and no connection to the modern world can live free of the threat of the database of ruin, and he delightfully calls them “the unicorns and mermaids of information privacy.” We live in glass houses and type at glass keyboards, people.

Another phrase that is sticking with me:

“Utility and privacy are, at bottom, two goals at war with one another.”

The more useful a data set, the less likely it is to be scrubbed of identifying information. Think about the implications. If we want useful data, we need to make trade-offs on what might be revealed in that data. Who should make those choices? E-patients? Health professionals? Regulators? Trade groups? What groups or types of data should get special treatment? (See: “Children and Population Biobanks” in Science, 14 August 2009: 818-819 – hat tip to Chris Hoofnagle).

Ohm focuses on a lawmaker’s conundrum: regulation of reidentification is “the latest example of the futility of attempting to foist privacy on an unappreciative citizenry.” Indeed, regulators might point to the millions of people flocking to MySpace and Facebook, or the thousands participating in even deeper personal experiments of data tracking, and ask, “Who am I to get in the way of all this sharing?” Ohm argues that this laissez-faire attitude would be irresponsible and I think e-patients should hear him out: “[T]oday’s petty indignity provides the key for unlocking tomorrow’s harmful secret.” In sum, Ohm’s article is a strong vote for data protection even as he eviscerates the current system.

You see, there is no such thing as “security through obscurity” when so many databases exist, containing all the clues someone might need to match your “25 Random Things About Me” with your search-term trail and, in turn, your financial or health records.

All of which leads us to this question:

“Once regulators choose to scrap the current HIPAA Privacy Rule – a necessary step given the rule’s intrinsic faith in deidentification – how should they instead protect databases full of sensitive symptoms, diagnoses, and treatments?”

Nobody is on the sidelines of this debate. Yes, your participation in an online health data-sharing site puts you at greater risk, but Ohm points out that “stored search queries often contain user-reported health symptoms” and indeed, Pew Internet research has consistently shown that 80% of internet users have looked for health information online and search is usually the first stop. Few people want to cut off access to the vital information found online, but what about the opportunities for advancement through data sharing?

Finally, as Jane Sarasohn-Kahn points out, “Americans feel dis-empowered when it comes to health information technology.” Frankly, most people don’t even know the half of what is going on in this debate — imagine how they would feel if they did!

So: If you care at all about health information technology: Read the article, form your own opinion, and get to work.


19 replies

  1. I was amazed at what HIPAA meant when my wife and I recently paid to have a calcium score CT done, at our expense. The center could provide the results to our physician no problem (although he had not asked for the test), but COULD NOT provide that information to us (the patient and the payer) without us signing a release form. duh?

  2. Hi Alexander,
    I agree with your public health concerns but think that our primary objective must be to improve the care individual patients receive while reducing its cost. We can do that now — and relatively easily.
    But if we muck up this primary objective with other nice-but-not-readily-doable objectives, such as forcing docs to adopt EMR systems so we can feed a web-focused network, trying to exchange information among EMR systems that can’t talk to one another, and/or satisfying the broad range of public health concerns, we will delay for years our ability to meet our primary goal.
    In a vacuum, such delays don’t appear costly. But we’re dealing with human lives, and delays in making a patient’s complete medical record available to care providers when and where they need it could cost that patient his/her life, or trigger adverse rather than positive results.
    Thus, I submit that we should do first things first. Let’s get a patient’s complete medical record in the hands of the care provider who is treating them. Then, we can focus on the other issues.
    It so happens, it is possible to do both with the MedKaz System we are developing but my purpose in joining this dialog is not to promote our product.
    My purpose is hopefully to stimulate new and different approaches to healthcare IT because, as I see it, the path we as a society are pursuing is slowing down what we can do now and will be incredibly expensive — and we simply can’t afford either!

  3. Merle,
    I agree with you that your care provider only needs your PHR on any portable media type. But you will have to keep it on you at all times, just in case. Accidents happen… And if you are allergic to latex or a certain drug, I bet you want the ED doctor to be aware of that. You may also want to let him know your advance directives. Hopefully, our PHR does not become unusable in a car crash.
    Apart from your personal care, please consider public health needs, such as early epidemic detection and biosurveillance in general. Sure, we can rely on Google Flu Trends, but there are other viruses around that we definitely prefer to stay away from.
    Without reliable statistics, we cannot expect significant improvement in care practices. Even finding candidates for clinical trials will be difficult.
    I’m not saying that we should ignore vulnerabilities of the Internet, but getting back to the era of disconnected isles of data doesn’t seem the right option either.

  4. There is a simple way to ensure medical record privacy and security. Don’t store patient records on web servers — and that includes health record bank servers. Put them exclusively in the hands of the patients.
    Notwithstanding assurances from well-intentioned people like Deborah Peel, Microsoft, Google, John Halamka, et al., absolutely no one can guarantee that web-based records accessible over the Internet are inviolate! If you are gullible enough to believe them, I’d like to talk with you. I have a bridge or two I’d like to sell!
    The White House, DOD, Fort Knox, and other government offices — including other governments’ offices — are not absolutely secure. Doesn’t that tell you something about Internet security?
    I can understand someone desperately ill saying they’ll store their medical records on web servers even though they know doing so is risky. What good are secure records if you die of your illness? But for the rest of us, that is a terrible choice we need not make.

  5. HIPAA is used as a way to stop quality control efforts at almost all levels. Even if you had access, they can say you didn’t and get away with squashing you.
    HIPAA = #1 Legal Method for Bashing a Whistleblower

  6. It’s not about digging dirt. If you obtain a database of voter registrations from, say, a particular county, and combine that with a deidentified database (or query results) of admissions to the county hospital, you can come up with a name and address for most admissions in that county with very “reasonable” accuracy.
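As an added editorial example (not the commenter’s or the post’s own code), the check a data custodian would run before releasing a table like the one this comment describes: it measures how many records are alone in their combination of ZIP, birth year and sex (the k in k-anonymity), then generalizes and suppresses until every released record shares its values with at least k others. The admissions rows are constructed sample data.

```python
"""Re-identification risk check for a de-identified table.

Constructed sample data. The rows carry no names, yet the quasi-identifier
(ZIP, birth year, sex) still singles out a person whenever only one record
holds that combination and a second source carries the same three fields.
k-anonymity measures this: k is the size of the smallest group of records
sharing the same quasi-identifier values; k == 1 means someone is unique.
"""
from collections import Counter

# Constructed de-identified admissions (assumed format, no direct identifiers).
ADMISSIONS = [
    {"zip": "02138", "birth_year": 1945, "sex": "F", "dx": "asthma"},
    {"zip": "02138", "birth_year": 1945, "sex": "F", "dx": "flu"},
    {"zip": "02138", "birth_year": 1972, "sex": "M", "dx": "fracture"},
    {"zip": "02139", "birth_year": 1972, "sex": "M", "dx": "flu"},
    {"zip": "02139", "birth_year": 1950, "sex": "F", "dx": "diabetes"},
    {"zip": "02140", "birth_year": 1981, "sex": "M", "dx": "asthma"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def equivalence_classes(records, qi=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in qi) for r in records)


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """Smallest class size, i.e. the k in k-anonymity; k == 1 means a record is unique."""
    classes = equivalence_classes(records, qi)
    return min(classes.values()) if classes else 0


def unique_fraction(records, qi=QUASI_IDENTIFIERS):
    """Share of records that are alone in their class and thus directly linkable."""
    classes = equivalence_classes(records, qi)
    singletons = sum(n for n in classes.values() if n == 1)
    return singletons / len(records) if records else 0.0


def generalize(record, zip_digits=3, year_band=10):
    """Coarsen quasi-identifiers before release: ZIP prefix and birth-decade band."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits]
    out["birth_year"] = record["birth_year"] // year_band * year_band
    return out


def release_with_k(records, k_min, qi=QUASI_IDENTIFIERS):
    """Generalize, then suppress any record whose class is still smaller than k_min."""
    gen = [generalize(r) for r in records]
    classes = equivalence_classes(gen, qi)
    return [r for r in gen if classes[tuple(r[f] for f in qi)] >= k_min]


if __name__ == "__main__":
    print("raw k =", k_anonymity(ADMISSIONS), "unique share =", unique_fraction(ADMISSIONS))
    released = release_with_k(ADMISSIONS, k_min=2)
    print("released k =", k_anonymity(released), "records kept =", len(released))
```

On the sample rows four of six records are unique before generalization; after coarsening and suppression the four surviving records each share their class with one other, so a roster match can no longer name one person.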

  7. It really isn’t a THCB post without an MD as Hell non sequitur entry….
    The Ohm paper Ms Fox references unwittingly serves 2 purposes: it highlights the ease with which personal data may be re-assembled with REASONABLE accuracy, and the difficulty of wielding any personal health data, whether de- or re-anonymized, with CERTAINTY.
    When it comes to health care, there’s a big difference between reasonable accuracy and certainty. Ask your doctor how prepared s/he is to diagnose and/or operate on you based on a reasonable assurance s/he is working from your personal health data, as opposed to being certain s/he has your very own data at her fingertips. Now ask, say, an insurer – and its lawyers – how prepared it is to make a determination about a specific individual’s account on the basis of “reasonable” certainty.
    The examples Ohm provides of “successful” de-anonymization defeat their purpose (see the MA Gov. Weld example, p. 18), because in their telling Ohm reveals how impractical it is to seek out person-specific information in the manner he suggests. If you’re looking for “dirt” on a specific person, it’s still pretty much as easy to employ conventional methods as it is to duplicate the methods of the PhD student that Ohm cites.
    In the folds of the difference between ‘reasonable’ and ‘certain’ can be found a host of cues to making the ‘risks’ of access to private information smaller, and the keys to diminishing risks of pooling individual health information more evident.

  8. Interestingly, the Business Week article Dr. Peel refers to doesn’t mention any data mining by or at the request of a third party. In its concept, a health record bank is similar to the cloud-based PHR systems Google and Microsoft already have, where everybody can store his/her electronic health records for free. I am sure both companies have certain ideas about generating some revenue from the use of that data, which is why creating a legislative and regulatory framework regarding access control and patient privacy should not be far behind.

  9. Dr. Peel, your objectives are admirable and I support them wholeheartedly, however your proposed solution is (as incohate wrote) disastrous.
    Queries against databases return data. The same exact data that you propose not to give “researchers” outright. There is no difference, unless you come up with elaborate restrictions on allowed queries. Success in deidentifying data is inversely proportional to the amount of data you’re deidentifying. The more you have in the bank, the worse it gets, particularly if you add personal information regarding lifestyle, occupation, etc.
    There is no Fort Knox, if the doors are locked, but the windows are open.

  10. Dr Peel’s post suggests that she is well-intentioned, but startlingly naive concerning information technology. Her absolute statements concerning the powers of “health record banks” with “DoD level security” are – well, they’re just plain silly.
    Issues concerning health records privacy/security are as much matters of human behavior as technology, and her bank vaults just don’t have room to house every variant of the former.
    Whoever is putting her up to such foolish utterances knows better. They should respect her dignity & let her in on their little secrets.

  11. The solution to having robust data for research AND privacy (personal control over the use of our sensitive health records) is to use health record banks and informed consent. See op-ed on the subject at: http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db20081218_385824.htm
    Individuals are entitled to free copies of ALL their electronic health records they can put in a health bank account AND add so much more information on diet, exercise, alternative treatments, occupation, environment, etc.
    The beauty of health bank accounts is ONLY YOU CONTROL your personal data and your records can never be used or data mined without your permission. So health banks will create the richest data for research PLUS ensure you control your sensitive records–which has been your ethical right since the time of Hippocrates and your legal right since the nation was founded. Privacy is ensured with health banks and we can reap all the benefits of research without risk to our jobs or our children’s jobs and futures.
    Instead of disclosing our sensitive data to unknown researchers, our data stays in the health bank (which will have “Fort Knox”, DOD-level security). The health bank can run research queries against the data of everyone who agrees to participate in the research and then return the answers to researchers. That way, our data is safe (behind Fort Knox-style security defenses), and is not shared across the globe with a research corporation or an entity where we have no way to know how many people can see it, use it, share it, sell it, or steal it.
    This is the research model used by the US census bureau: it never releases data that can be re-identified, but instead runs the studies on highly sensitive data and returns the results to researchers.
    Using health banks for research eliminates the problem of assuring that effective de-identification or anonymization were performed. If the data isn’t sent anywhere, there is no need to de-identify or anonymize it.
    Best of all, for those of us who want to see research on the most critical frontiers—on genetics and stigmatizing illnesses—we can all participate via health banks without fear of discrimination and without exposing our genes or data.
    Today’s HIT system grants researchers and government agencies unfettered access to our data without consent–violating centuries of American law and medical ethics. There is no way to be sure that researchers or government agencies protect our sensitive data and prevent it from being misused or sold. So far, both the government and industry have failed to protect Americans’ sensitive data. Opening up the nation’s health records to millions of users without informed consent is a prescription for disaster: identity theft and job discrimination will increase exponentially.
    Find out how to save your right to health privacy–sign up for alerts at http://www.patientprivacyrights.org
    Patient Privacy Rights is fighting to preserve the Hippocratic Oath and YOUR legal right to control personal health information, so you can trust that what you say in the doctor’s office stays in the doctor’s office.
    Deborah C. Peel, MD
    Founder and Chair, Patient Privacy Rights

  12. Tough times for now regarding our health care policy, but what can we do? We don’t have the power and all we have to do is to follow. We are just ordinary people hoping for a better future for our children’s health care system. I hope our president will realize what we really need and not what their pockets want.

  13. Just to be clear, I am not suggesting that HIPAA is going away – that quote is from Ohm’s article, which I hope everyone is inspired to read for themselves.
    This post originally appeared on e-patients.net with links to other source material:
    I left Friday’s hearing feeling rather optimistic too, mostly b/c of the sharp questions asked by the committee members and the testimony provided by two of them, Deven McGraw and Latanya Sweeney.
    Here’s a garbly draft transcript of the hearing:
    Read the #HITpol tweets for more discussion of the issues raised that day.

  14. Who says that the current HIPAA Privacy Rule will be scrapped? If anything it is strengthened by the HITECH Act. De-identification is simply one of many issues that the Privacy Rule addresses.
    I suggest that instead of promulgating rumors of HIPAA’s demise that stakeholders get better acquainted with the statute and the corresponding regulations. The HIPAA Survival Guide (www.hipaasurvivalguide.com) is a good place to start.
    What remains true is that a fundamental understanding of HIPAA remains elusive, partly because it has never been enforced with any rigor. Full compliance with HIPAA’s Privacy and Security Rules is now part of HHS’ meaningful use definition and required by 2011.
    In case people have forgotten, non-compliance with HIPAA may lead to providers not getting paid their EHR incentives under HITECH. HIPAA is here to stay for the foreseeable future, and instead of complaining about it I suggest that the industry “hug the monster.”

  15. While the country is in the middle of a debate on how to save our Health Care Systems from their cost, we need to look back on examples like this. How many billions of dollars have been wasted on HIPAA compliance for minimal benefit? It won’t single-handedly resolve the problem, but who wouldn’t like to have back the billions on mailings every year, the billions on software changes, on and on. Health Care is expensive because we elect idiots that make it so.
    HIPAA = failure
    COBRA = failure
    Medicare = BK
    Medicaid = BK

  16. There should not be such a thing as blanket permission to use personal health information, de-identified or not, period. The law ought to be more specific in defining “research” and “marketing purposes”, because these are grey areas where most privacy-related problems occur. Any organization requesting access to it must clearly state the intended use. Any deviations should be treated as unauthorized use and penalized.
    Following the last Friday’s Health IT Policy Committee meeting http://healthit.hhs.gov/portal/server.pt?open=512&objID=1269&parentname=CommunityPage&parentid=5&mode=2 , I feel relatively optimistic about the level of understanding of privacy concerns among the Committee members. Actually, the HITECH Act introduced a few new provisions extending and clarifying roles and responsibilities of Covered Entities and Business Associates under HIPAA. I am sure that Paul Ohm’s paper will help find the right balance between privacy protection and the drive for innovation.

  17. Anything on the internet is compromisable. There is only a limited amount that can be done to protect the information…we also have to work on ways to make the information useless for those who steal it.
    It is just risk…which we will have to mitigate by adding security, and legislation, and accept a part of it.
    The security provided at this time is more in terms of firewalls – physical or cyber – what we need to do is find innovative ways to split, code, and disassemble and assemble.