HIPAA and Protecting Health Information in the 21st Century


Question that needs to be addressed and answered:


How could informed consent unlock value generation by Healthcare Big Data companies?




HIPAA and Protecting Health Information in the 21st Century

VIEWPOINT. I. Glenn Cohen, JD, Harvard Law School, Cambridge, Massachusetts. Michelle M. Mello, JD, PhD, Stanford Law School, Department of Health Research and Policy, Stanford University School of Medicine, Stanford, California. Corresponding Author: Michelle M. Mello, JD, PhD, Stanford Law School, 559 Nathan Abbott Way, Stanford, CA 94305 (mmello@law.stanford.edu). JAMA, July 17, 2018, Volume 320, Number 3, p 231. © 2018 American Medical Association. All rights reserved.

In March 2018, the Trump administration announced a new initiative, MyHealthEData, to give patients greater access to their electronic health record and insurance claims information.1 The Centers for Medicare & Medicaid Services will connect Medicare beneficiaries with their claims data and increase pressure on health plans and health care organizations to use systems that allow patients to access and send their health information where they like.

MyHealthEData is part of a broader movement to make greater use of patient data to improve care and health. The movement seeks to make information available wherever patients receive care and allow patients to share information with apps and other online services that may help them manage their health. At the population level, this approach may help identify optimal treatments and ways of delivering them and also connect patients with health services and products that may benefit them. Analysis of deidentified patient information has long been the foundation of evidence-based care improvement, but the 21st century has brought new opportunities. With developments in information technology and computational science that support the analysis of massive data sets, the “big data” era has come to health services research.

For all its promise, the big data era carries with it substantial concerns and potential threats. Part of what enables individuals to live full lives is the knowledge that certain personal information is not on view unless that person decides to share it, but that supposition is becoming illusory. The increasing availability and exchange of health-related information will support advances in health care and public health but will also facilitate invasive marketing and discriminatory practices that evade current antidiscrimination laws.2 As the recent scandal involving Facebook and Cambridge Analytica shows, a further risk is that private information may be used in ways that have not been authorized and may be considered objectionable. Reinforcing such concerns is the stunning report that Facebook has been approaching health care organizations to try to obtain deidentified patient data to link those data to individual Facebook users using “hashing” techniques.3

Given these concerns, it is timely to reexamine the adequacy of the Health Insurance Portability and Accountability Act (HIPAA), the nation’s most important legal safeguard against unauthorized disclosure and use of health information. Is HIPAA up to the task of protecting health information in the 21st century?

HIPAA Framework for Information Disclosure

HIPAA was considered ungainly when it first became law, a complex amalgamation of privacy and security rules with a cumbersome framework governing disclosures of protected health information. HIPAA has been derided for being too narrow—it applies only to a limited set of “covered entities,” including clinicians, health care facilities, pharmacies, health plans, and health care clearinghouses—and too onerous in its requirements for patient authorization for release of protected health information. Over time, however, HIPAA has proved surprisingly functional. Particularly after being amended in the 2009 HITECH (ie, the Health Information Technology for Economic and Clinical Health) Act to address challenges arising from electronic health records, HIPAA has accomplished its primary objective: making patients feel safe giving their physicians and other treating clinicians sensitive information while permitting reasonable information flows for treatment, operations, research, and public health purposes.

HIPAA’s Privacy Rule generally requires written patient authorization for disclosure of identifiable health information by covered entities unless a specific exception applies, such as treatment or operations. Researchers may obtain protected health information (PHI) without patient authorization if a privacy board or institutional review board (IRB) certifies that obtaining authorization is impracticable and the research poses minimal risk. The investigators can obtain a limited data set that excludes direct identifiers (eg, names, medical record numbers) without patient authorization if they agree to certain security and confidentiality measures. Importantly, data sets from which a broader set of 18 types of potentially identifying information (eg, county of residence, dates of care) has been removed may be shared freely for research or commercial purposes.

This has been a serviceable framework for regulating the flow of PHI for research, but the big data era raises new challenges. HIPAA contemplated that most research would be conducted by universities and health systems, but today much of the demand for information emanates from private companies at which IRBs and privacy boards may be weaker or nonexistent. Additionally, removing identifiers to produce a limited or deidentified data set reduces the value of the data for many analyses. Moreover, the increasing availability of information generated outside health care settings, coupled with advances in computing, undermines the historical assumption that data can be forever deidentified.4 Startling demonstrations of the power of data triangulation to reidentify individuals have offered a glimpse of a very different future, one in which preserving privacy and the big data enterprise are on a collision course.4

It will be difficult to reconcile the potential of big data with the need to protect individual privacy. One reform approach would be data minimization (eg, limiting the upstream collection of PHI or imposing time limits on data retention),5 but this approach would sacrifice too much that benefits clinical practice. Another solution involves revisiting the list of identifiers to remove from a data set. There is no doubt that regulations should reflect up-to-date best practices in deidentification.2,4 However, it is questionable whether deidentification methods can outpace advances in reidentification techniques given the proliferation of data in settings not governed by HIPAA and the pace of computational innovation. Therefore, expanding the penalties and civil remedies available for data breaches and misuse, including reidentification attempts, seems desirable.

Limited Reach of HIPAA

HIPAA “attaches (and limits) data protection to traditional health care relationships and environments.”6 The reality of 21st-century United States is that HIPAA-covered data form a small and diminishing share of the health information stored and traded in cyberspace. Such information can come from well-known sources, such as apps, social media, and life insurers, but some information derives from less obvious places, such as credit card companies, supermarkets, and search engines. For example, non–health information that supports inferences about health is available from purchases that users make on Amazon; user-generated content that conveys information about health appears in Facebook posts; and health information is generated by entities not covered by HIPAA when over-the-counter products are purchased in drugstores.
Because HIPAA’s protection applies only to certain entities, rather than types of information, a world of sensitive information lies beyond its grasp.2 HIPAA does not cover health or health care data generated by noncovered entities or patient-generated information about health (eg, social media posts). It does not touch the huge volume of data that is not directly about health but permits inferences about health. For example, information about a person’s physical activity, income, race/ethnicity, and neighborhood can help predict risk of cardiovascular disease. The amount of such data collected and traded online is increasing exponentially and eventually may support more accurate predictions about health than a person’s medical records.2

Statutes other than HIPAA protect some of these non–health data, including the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act of 1974, and the Americans with Disabilities Act of 1990.7 However, these statutes do not target health data specifically; while their rules might be sensible for some purposes, they are not designed with health in mind. For instance, the Family Educational Rights and Privacy Act of 1974 has no public health exception to the obligation of nondisclosure.7

To ensure adequate protection of the full ecosystem of health-related information, 1 solution would be to expand HIPAA’s scope. However, the Privacy Rules’ design (ie, the reliance on IRBs and privacy boards, the borders through which data may not travel) is not a natural fit with the variety of nonclinical settings in which health data are collected and exchanged.8

The better course is adopting a separate regime for data that are relevant to health but not covered by HIPAA. One option that has been proposed is to enact a general rule protecting health data that specifies further, custodian-specific rules; another is to follow the European Union’s new General Data Protection Regulation in setting out a single regime applicable to custodians of all personal data and some specific rules for health data. The latter has the appeal of reaching into non–health data that support inferences about health. Any new regulatory steps should be guided by 3 goals: avoid undue burdens on health research and public health activities, give individuals agency over how their personal information is used to the greatest extent commensurable with the first goal, and hold data users accountable for departures from authorized uses of data.

Rethinking regulation should also be part of a broader public process in which individuals in the United States grapple with the fact that today, nearly everything done online involves trading personal information for things of value. When such trades are made explicit, as when drugstores offered customers $50 to grant expanded rights to use their health data, they tend to draw scorn.9 However, those are just amplifications of everyday practices in which consumers receive products and services for free or at low cost because the sharing of personal information allows companies to sell targeted advertising, “deidentified” data, or both.

Conclusions

Improved public understanding of these practices may lead to the conclusion that such deals are in the interest of consumers and only abusive practices need be regulated. Or it may create pressure for better corporate privacy practices. Some consumers may take steps to protect the information they care most about, such as purchasing a pregnancy test with cash. Shaping health information privacy protections in the 21st century requires savvy lawmaking as well as informed digital citizens.

ARTICLE INFORMATION

Published Online: May 24, 2018. doi:10.1001/jama.2018.5630

Conflict of Interest Disclosures: Both authors have completed and submitted the ICMJE Form for Disclosure of Potential Conflicts of Interest. Dr Mello has served as a consultant to CVS/Caremark. No other conflicts were disclosed.

Funding/Support: Dr Cohen’s research reported in this Viewpoint was supported by the Collaborative Research Program for Biomedical Innovation Law, which is a scientifically independent collaborative research program supported by Novo Nordisk Foundation (grant NNF17SA0027784).

Role of the Funder/Sponsor: The funder had no role in the preparation, review, or approval of the manuscript and decision to submit the manuscript for publication.

REFERENCES

1. Trump Administration announces MyHealthEData initiative at HIMSS18. Centers for Medicare and Medicaid Services. https://www.cms.gov/Newsroom/MediaReleaseDatabase/Fact-sheets/2018-Fact-sheets-items/2018-03-06.html. Accessed April 3, 2018.
2. Health information privacy beyond HIPAA: a 2018 environmental scan of major trends and challenges. National Committee on Vital and Health Statistics
Answered Same Day Oct 15, 2021

Answer To: HIPAA and Protecting Health Information in the 21st Century HIPAA and Protecting Health Information...

Swapnil answered on Oct 16 2021
119 Votes
Introduction:
The healthcare industry basically generated to the amount of data that can be driven by the compliance and the regulatory requirements to the patient care. So the data that can be stored in the form of digitization of the large amount of data. The requirement for the improving the healthcare industry that can give the massive amount of the quantities of the big data that can hold to the promise of the healthcare industries. It also can support for the clinical decision support that can give the population for the health management. So the rate of the growth of the big data of healthcare industry. The healthcare industry that can give the quality of data, an efficiency of data. The average growth rate that can be aided by the increment of the healthcare industry.
Big Data Analytics in Healthcare:
The healthcare industry that can be expected to the different models for the critical few factors to the healthcare environment. So the important healthcare organizations to acquire the available tools for the different infrastructure and techniques to big data that can effectively to the risk losing revenues for the healthcare industry. The big data provides the large data and high complexity for the complexity of the data analysis. The distribution and management can provide the required information. The big data can give the characteristics of different varieties and velocity of the data that can specifically accept the healthcare for the veracity. So the analytics can provide the labelled data that should be applied to the more amount of data that are basically analysed to the patient related health and medical data that can be reached to the data understanding of the outcomes which can be applied for the healthcare industry. The data will be informed to the decision making process will help in determining the particulate dataset.
Healthcare Services and Technology:
The healthcare services and technology that can bring the integration of the across to the value chain for the enabled to the services to helping the data and the boost efficiency. Healthcare will serve to the different companies that can serve the segment of the healthcare ecosystem. So the efforts...