Is Health Privacy a Human Right?

Health privacy sits at an uncomfortable junction between three interests: individual human rights, public (population) health, and private business interests. There is no obvious reason for these three interests to be misaligned, but a lot of pain and money are involved, so either politics or competition is typically in the picture.

Health privacy is a subset of the human right to privacy, what Supreme Court Justice Brandeis called “the right to be let alone”. But privacy has never been defined, and is seldom enforced, in health care because of the competing interest of society in managing populations and a $100 Billion data-brokerage industry that is hidden from public view. Big Healthcare business seeks our trust on the one hand while doing its best to manipulate prices on the other.

Privacy is very different from security, but the two are used interchangeably by interests that want maximum leverage to sell or benefit from the use of our personal data. Security problems arise as a result of hacking, bugs, and other unforeseen failures of a system. Privacy problems are in the system by design: the sale or abuse of personal data is done by people acting within their legal authority, using technology that is working as designed. The misdirection of privacy concerns into security discussions is intentional because it makes money.

HIPAA is a good example of the misdirection at work. The part of HIPAA we all hear about, and the part that is enforced, is security. The part of HIPAA that looks like “information blocking”, or your inability to easily get a health record from your hospital, is hardly ever in the news and never the subject of enforcement action. HIPAA actually took away your right to control how a hospital shares your data and, with the exception of a few states, you have no private right of action if your privacy is breached.

Outside of the US, in the European Union, where human rights benefit from some very bad experiences in the first half of the 20th Century, the regulatory climate is different from that of the US. EU privacy is now front and center for business as a result of the General Data Protection Regulation (GDPR), due to come into force less than a year from now. This marked divergence from US health privacy practice will certainly shake up the global market for personal data (ab)use.

The rapid rise of blockchain technology for trusted transactions is also coming into healthcare focus. Much of the HIPAA “information blocking” problem, and the lack of transparency in how our personal health data is actually used, is due to the consolidation of data around giant regional institutions that benefited most from nearly $40 Billion of Federal incentives and a relaxation of the Stark anti-kickback statutes as applied to electronic health records. Blockchain trust replaces institutional trust with trust in mathematics, and health record systems can now be built that are truly patient-centric.

Is Health Privacy a Human Right? This and related topics are on the agenda at the 7th International Summit on the Future of Health Privacy on June 1 and 2 at Georgetown Law Center in Washington, DC. Admission is free and open to the public and the sessions are live streamed, also free.


Hm. Are you drawing a subtle distinction here between “privacy” and “confidentiality”? Leaving aside the fact that HIPAA contains something actually called the “Privacy Rule” that defines Protected Health Information (that which we consider to be “private”) and specifies the limits placed on the disclosure of [individually identifiable] PHI, saying that “privacy has never been defined … in health care” overlooks the duty of *confidentiality* originally found, of course, in the Hippocratic Oath. That oath gave rise to the physician-patient privilege (subject to some exceptions and waivers) exempting the information from disclosure in a court of law, first under the…

Adrian Gropper, MD

Laws are meaningless unless they’re enforced and the deliberate misuse of patient data has not been enforced to any meaningful extent. Can you think of one example? You can pay out-of-pocket but the prescription still goes into a nationally accessible health information system that the pharmacy uses and you cannot control or even monitor conveniently. Have you tried to see or control what Surescripts says about you? The format for the EHR is not a privacy issue. The data is valuable regardless of the format. Twenty years of interoperability debates are, from a privacy perspective, misdirection by incumbent economic interests.…


I am aware of a lawsuit, probably @10 years ago, involving a Pharmacy Benefit Manager that intended to help develop the market share of a medication for a pharmaceutical company by giving it the names and addresses of persons who received a prescription for a competing product during a specific time period. No authorizations to do this were given by the ‘consumers,’ physicians or the insurance companies involved. The outcome was not pretty for the offending PBM.


“Google did not innovate in search by waiting for web sites to standardize their format. All it needed was access.” ___ And, Google is making some orders-of-magnitude “improvements” there. See “The Great A.I. Awakening.” An excellent long read. The hyper-improved “Google Translate” aspect of it, well, draw your own conclusions as to the broader “interoperability” implications. In that regard, now that the Trump/GOP has authorized ISPs as well to traffic unbridled in our “digital exhaust,” the implications for personal privacy of ANY sort are pretty dismal. Unless you can go totally off-grid. “Laws are meaningless unless they’re enforced” And…