Health privacy sits at an uncomfortable junction between three interests: individual human rights, public / population health, and private business interests. There’s no obvious reason for these three interests to be misaligned, but a lot of pain and money are involved, so either politics or competition is typically in the picture.
Health privacy is a subset of the human right to privacy, what Supreme Court Justice Brandeis called “the right to be left alone”. But privacy has never been defined, and is seldom enforced, in health care because of the competing interests of society to manage populations, and a $100 Billion industry in data brokerage that’s hidden from public view. Big Healthcare business seeks our trust on the one hand while doing its best to manipulate prices on the other.
Privacy is very different from security, but the two are used interchangeably by interests that want maximum leverage to sell or benefit from use of our personal data. Security problems arise as a result of hacking, bugs, and other unforeseen failures of a system. Privacy problems are in the system by design. Sale or abuse of personal data is done by people acting within their legal authority using technology that’s working as designed. The misdirection of privacy concerns to security discussions is intentional because it makes money.
HIPAA is a good example of the misdirection at work. The part of HIPAA we all hear about and the part that’s enforced is security. The part of HIPAA that looks like “information blocking” or your inability to easily get a health record from your hospital is hardly ever in the news and never the subject of enforcement action. HIPAA actually took away your right to control how a hospital shares your data and, with the exception of a few states, you have no private right of action if your privacy is breached.
Outside of the US, in the European Union, where human rights benefit from some very bad experiences in the first half of the 20th Century, the regulatory climate is different from that of the US. EU privacy is now front and center for business as a result of the General Data Protection Regulation (GDPR) due to come into force less than a year from now. This marked divergence from US health privacy practice will certainly shake up the global market for personal data (ab)use.
The rapid rise of blockchain technology for trusted transactions is also coming into healthcare focus. Much of the HIPAA “information blocking” problem and the lack of transparency in how our personal health data is actually used is due to the consolidation of data around giant regional institutions that benefited most from nearly $40 Billion of Federal incentives and a relaxation of the Stark anti-kickback statutes as applied to electronic health records. Blockchain trust replaces institutional trust with trust in mathematics, and health record systems can now be built that are truly patient-centric.
Is Health Privacy a Human Right? This and related topics are on the agenda at the 7th International Summit on the Future of Health Privacy on June 1 and 2 at Georgetown Law Center in Washington, DC. Admission is free and open to the public and the sessions are live streamed, also free.