Apple and the 3 Kinds of Privacy Policies


“Why Are Apple’s Competitors Staying Silent On the iPhone Unlocking Fight?” is the question of the day on tech blogs. The answer is hardly technical and may not be legal; it’s all about privacy policies and business strategy, and it is very evident in healthcare.

There are three classes of privacy policy in healthcare and everywhere else:

Class 1 – “Apple will not see your data.” This is Apple’s privacy policy for ResearchKit and HealthKit and apparently for whatever data the FBI is hoping to read from the terrorist’s phone. Obviously, in this case the person is in complete control of the data and it can be shared only with third parties that the person authorizes.

Class 2 – “We will see and potentially use your data but you will have first-class access to your data.” This is the kind of privacy policy we see with Apple’s calendar and many Google services. The personal data is accessible to the service provider but it is also completely accessible via an interface or API. In healthcare, the equivalent would be having the FHIR API equally and completely accessible to patients and to _any_ third parties authorized by the patient. This is Patient Privacy Rights’ recommendation as presented to the API Task Force.

Class 3 – “We will use your data according to xyz policy and if you don’t like it, take your illness elsewhere.” This is pretty much how healthcare and much of the Web world runs today. We have limited rights to our own data. On the other hand, the services that have our data can sell it and profit in dozens of ways. This includes selling de-identified data. In Class 3, you, the subject of the data, are a third-class citizen, at best. In many cases, the subject doesn’t even know that the data exists. See, for example, The Data Map.

We are so completely engulfed by Class 3 privacy policies that we have lost perspective on what could or should be. A Class 1 policy like Apple’s is widely seen as un-American. A Class 2 policy like PPR’s is indirectly attacked as “insurmountable”.

The reality is that technology moves much faster than other parts of our society. Whether it’s encryption to secure iPhones so “Apple will not see your data” or CRISPR to control Zika Virus, we need to plan for tomorrow’s technology today. In healthcare, that means encouraging businesses and health care services that adopt Class 1 and Class 2 privacy policies.

HIE of One, an open source technology project by Michael Chen, MD and myself, is a current proof of concept of how Class 2 privacy policies could transform healthcare in just a couple of years. This THCB post and this 14-minute video demonstrate that a patient-centered health IT architecture is possible with today’s technology. Turning the HIE of One proof of concept into reality is taking place in our HEART workgroup and will be the subject of many conversations with health industry vendors and regulators at HIMSS next week.
