Health privacy sits at an uncomfortable junction between three interests: individual human rights, public / population health, and private business interests. There’s no obvious reason for these three interests to be misaligned but a lot of pain and money are involved so either politics or competition are typically in the picture.
Health privacy is a subset of the human right to privacy, what Supreme Court Justice Brandeis called “the right to be left alone”. But privacy has never been defined, and is seldom enforced, in health care because of the competing interests of society to manage populations, and a $100 Billion industry in data brokerage that’s hidden from public view. Big Healthcare business seeks our trust on the one hand while doing their best to manipulate prices on the other.
Privacy is very different from security, but the two are used interchangeably by interests that want maximum leverage to sell or benefit from use of our personal data. Security problems arise as a result of hacking, bugs, and other unforeseen failures of a system. Privacy problems are in the system by design. Sale or abuse of personal data is done by people acting within their legal authority using technology that’s working as designed. The misdirection of privacy concerns to security discussions is intentional because it makes money.
HIPAA is a good example of the misdirection at work. The part of HIPAA we all hear about and the part that’s enforced is security. The part of HIPAA that looks like “information blocking” or your inability to easily get a health record from your hospital is hardly ever in the news and never the subject of enforcement action. HIPAA actually took away your right to control to how a hospital shares your data and, with the exception of a few states, you have no private right of action if your privacy is breached.
Outside of the US, in the European Union, where human rights benefit from some very bad experiences in the first half of the 20th Century, the regulatory climate is different than the US. EU privacy is now front and center for business as a result of the General Data Protection Regulations (GDPR) due to come into force less than a year from now. This marked divergence from US health privacy practice will certainly shake up the global market for personal data (ab)use.
The rapid rise of blockchain technology for trusted transactions is also coming into healthcare focus. Much of the HIPAA “information blocking” problem and the lack of transparency in how our personal health data is actually used is due to the consolidation of data around giant regional institutions that benefited most from nearly $40 Billion of Federal incentives and a relaxation of the Stark anti-kickback statutes as applied to electronic health records. Blockchain trust replaces institutional trust with trust in mathematics and health record systems can now be built that are truly patient-centric.
Is Health Privacy a Human Right? This and related topics are on the agenda at the 7th International Summit on the Future of Health Privacy on June 1 and 2 at Georgetown Law Center in Washington, DC. Admission is free and open to the public and the sessions are live streamed, also free.
Hm. Are you drawing a subtle distinction here between “privacy” and “confidentiality”?
Leaving aside the fact that HIPAA contains something actually called the “Privacy Rule” that defines Protected Health Information (that which we consider to be “private”) and specifies the limits placed on the disclosure of [individually identifiable] PHI, saying that “privacy has never been defined … in health care” overlooks the duty of *confidentiality* originally found, of course, in the Hippocratic Oath. That oath gave rise to the physician-patient privilege (subject to some exceptions and waivers) exempting the information from disclosure in a court of law, first under the common law and then by state statutes. Unless you are making a point about potential “unmasking” of individual identities by means of data aggregators, in which case the article should be a little more clear.
Perhaps wandering further afield, consider that the HIPAA Final Omnibus Rule effective September 23, 2013 a/k/a the “Pay-Out-Of-Pocket” Rule, 42 CFR § 164.522(a)(1)(vi), does appear to allow a patient to tightly restrict disclosure of information (subject to Tarasoff and other public health considerations). HIPAA comes into play only when a provider submits claims electronically, so for example a provider with a cash pay practice is not a covered entity for purposes of HIPAA. In that circumstance, the provider still owes a duty of confidentiality to the patient, HIPAA or no HIPAA, don’t you think?
Since we are still lacking a universal format for EHR, which would enable meaningful data sharing for the benefit of the patient, seizing on blockchain technology seems premature. There’s no sense in investing in a way to track a transaction that can’t yet take place because of incompatible systems.
Laws are meaningless unless they’re enforced and the deliberate misuse of patient data has not been enforced to any meaningful extent. Can you think of one example?
You can pay out-of-pocket but the prescription still goes into a nationally accessible health information system that the pharmacy uses and you cannot control or even monitor conveniently. Have you tried to see or control what Surescripts says about you?
The format for the EHR is not a privacy issue. The data is valuable regardless of the format. Twenty years of interoperability debates are, from a privacy perspective, misdirection by incumbent economic interests. Google did not innovate in search by waiting for web sites to standardize their format. All it needed was access.
I am aware of a lawsuit, probably @10 years ago, involving a Pharmacy Benefit Manager that intended to help develop the market share of a medication for a pharmaceutical company by giving it the names and addresses of persons who received a prescription for a competing product during a specific time period. No authorizations to do this were given by the ‘consumers,’ physicians or the insurance companies involved. The outcome was not pretty for the offending PBM.
“Google did not innovate in search by waiting for web sites to standardize their format. All it needed was access.”
And, Google is making some orders-of-magnitude “improvements” there. See “The Great A.I. Awakening.” https://www.nytimes.com/2016/12/14/magazine/the-great-ai-awakening.html
An excellent long read. The hyper-improved “Google Translate” aspect of it, well, draw your own conclusions as to the broader “interoperability” implications. In that regard, now that the Trump/GOP has authorized ISPs as well to traffick unbridled in our “digital exhaust,” the implications for personal privacy of ANY sort are pretty dismal. Unless you can go totally off-grid.
“Laws are meaningless unless they’re enforced”
And the front lines for statute enforcement are the implementing regulations, which Trump is loudly and mindlessly determined to eviscerate. Laws are “policies” statements (the “why” and “what” stuff), and their subsequent (always-hated) statutory regulations (“…as the Secretary shall…”) are the “procedures” pieces — the who/how/when/where operational compliance requirements mapping back to the statutes. Unless we move the latter directly INTO the statutes (ain’t gonna happen), laws will indeed be meaningless.
Yes, But … *