Health Policy

Patient Privacy Rights: Comment on Regulatory Capture

Deborah C. Peel
Adrian Gropper


To ONC and CMS

We begin by commending HHS, CMS, and ONC for skillfully addressing the pro-competitive and innovative essentials in crafting this Rule and the related materials. However, regulatory capture threatens to derail effective implementation of the rule unless HHS takes further action on the standards.

Regulatory capture in Wikipedia begins:

“Regulatory capture is a form of government failure which occurs when a regulatory agency, created to act in the public interest, instead advances the commercial or political concerns of special interest groups that dominate the industry or sector it is charged with regulating.  When regulatory capture occurs, the interests of firms, organizations, or political groups are prioritized over the interests of the public, leading to a net loss for society. Government agencies suffering regulatory capture are called “captured agencies.” (end of Wikipedia quotation.)

The extent to which HHS has allowed itself to be influenced by special interests is not the subject of this comment. This comment is just about how HHS and the Federal Health Architecture can act to more effectively implement the sense of Congress in the 21st Century Cures Act.

Over a decade after establishing the goal of a nationwide health information network, incumbent information brokers, primarily large private-sector hospitals that have consolidated their dominance with over $35 B of Federal incentives, continue to find reasons for delay in transparency and opening to meaningful competition. Standards dominate pretty much all of the proposed ONC Rule as well as companion rules from CMS, and TEFCA. Regulatory capture by the interests of consolidated hospitals and their consolidated software vendors hampers progress on patient matching, patient consent, accounting for disclosures, price transparency, and longitudinal health records. Other lobbyists, including an army of hidden data aggregators and brokers from inside and outside the healthcare industry, although they do not participate directly in the standards process, exert a large influence on obscuring the uses of personal information.

Regulatory capture drives negative progress. At a time when privacy is driving much of the conversation on general data, Congress is being lobbied to weaken the privacy protections on behavioral health data. At a time when opt-in, automated, and transparent financial transactions are ubiquitous, the proposed Rule and TEFCA still avoid opt-in consent models and transparent accounting for disclosures for all uses of personal health data. Computer science has long recognized that re-identification and anonymization are wholly ineffective, and can’t prevent hidden data brokers and machine learning from re-identifying personal health data. Turn-of-the-century health regulations still allow for discrimination and unintended consequences of data use.

The proposed Rule does not adequately account for regulatory capture of the standards that matter for competition. This puts the outcome sought by the 21st Century Cures Act at significant risk. It is understandable that regulators are reluctant to lead innovation in technological standards. But it is notable that neither the patients nor the physicians currently have market power over health information technology. And privacy NGOs representing the public’s rights, 501c3 human rights organizations that defend patients’ rights, have no market power.

In the absence of market power to drive innovation, the role of Government as a payer must come to the fore in standards development and deployment.

Government already pays directly for about half of all healthcare services and indirectly for much of the other half.  Yet government involvement in technical standards for scaling patient consent (that would also fix the patient matching problem), accounting for disclosures, price transparency, and longitudinal health records is almost non-existent—yet none of the proposed standards to serve taxpayers have been implemented. Blue Button 2.0 is an admirable initiative but it is has not been adopted for patient-controlled standards such as User Managed Access. The VA and DoD, although they have immense leverage over their private-sector EHR supplier, have done nothing to lead in standards development in support of veterans’ needs for longitudinal health record initiatives and privacy. The work they have commissioned with MITRE has been timid and totally inadequate to the scope of the problem.

History has shown that the proposed ONC and CMS rules will be nullified by regulatory capture. The only way to create a transparent market that supports innovation and cost-containment through competition is for Government, as the primary payer, to take a leadership role in standards development and to deploy standards for the real payers: taxpayers, who need patient-directed interoperability at scale. This can start with Dynamic Client Registration and User Managed Access in all Federal Health Architecture projects and must demonstrate the meaning of “without special effort” for physicians and patients.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. 

Deborah C. Peel, MD, is the Founder and President of Patient Privacy Rights.

3 replies »

  1. To William’s point, the use of de-identification as an alternative to specific consent for data use must stop.

    For one thing, in the age if ubiquitous high resolution data sets in the hands of Google, Facebook, and maybe thousands of others the application of artificial intelligence makes re-identification trivially cheap.

    Moe important, replacing de-identification with specific data use authorization means that the requester can still use de-identification as an optional incentive to get authorization if that makes sense for the particular data use.

    To deal with the societal threat of near-universal surveillance, we need to regulate data aggregation itself. Does society really need to have Facebook or Google keep detailed dossiers of individual’s data across unrelated domains like telecom + document storage + messaging + authentication + location + spending?

  2. Yes, good post. Thank you for your fine work.

    Can you believe all the billions of dollars that have been made by selling personal data from people without their slightest awareness as to what was happening? [ no, it is probably trillions] We were totally deceived by the descriptions of the anticipated uses and purposes for computerization of our society. It wasn’t just us, it was the world. The world was tricked and deceived….and now it is finally sinking in after the other side has accumulated the wealth equivalent of nations, so much economic power that the job of taking back our privacy has become Herculean. It has been an historical deceit of the world’s peoples. We may eventually need severe penalties for this, such as:

    Selling or withholding personal data without permission is a felony.

    You guys are like the little outposts of awareness and caring in civilization…like the monks in their monasteries off the coast of Ireland in the Middle Ages. Don’t give up! Some of us really care.