In honor of the occasion of the Fifth Anniversary of Bill of Health, this post reflects on the past five years of what’s generally known as “privacy” with respect to health information. The topic is really a giant topic area, covering a vast array of questions about the security and confidentiality of health information, the collection and use of health information for public health and research, commercialization and monetization of information, whether and why we care about health privacy, and much more. Interestingly, Bill of Health has no categorizations for core concepts in this area: privacy, confidentiality, security, health data, HIPAA, health information technology—the closest is a symposium on the re-identification of information, held in 2013. Yet arguably these issues may have a significant impact on patients’ willingness to access care, risks they may face from data theft or misuse, assessment of the quality of care they receive, and the ability of public health to detect emergencies.
Over the past five years, Bill of Health has kept up a steady stream of commentary on privacy and privacy-related topics. Here, I note just a few of the highlights (with apologies to those I might have missed—there were a lot!) There have been important symposia: a 2016 set of critical commentaries on the proposed revisions of the Common Rule governing research ethics and a 2013 symposium on re-identification attacks. There have been reports on the privacy implications of recent or proposed legislation: the 21st Century Cures Act, the 2015 proposal for a Consumer Privacy Bill of Rights, and the proposed Workplace Wellness Bill’s implications for genetic information privacy. Many comments have addressed big data in health care and the possible implications for privacy. Other comments have been highly speculative, such as scoping out the territory of what it might mean for Amazon to get into the health care business. There have also been reports of research about privacy attitudes, such as the survey of participants in instruments for sharing genomic data online. But there have been major gaps, too, such as a dearth of writing about the potential privacy implications of the precision medicine and million lives initiative and only a couple of short pieces about the problem of data security.
Here are a few quick sketches of the major current themes in health privacy and data use, that I hope writers and readers and researchers and most importantly policy makers will continue to monitor over the next five years (spoiler alert: I plan to keep writing about lots of them, and I hope others will too):
- security of health information remains a significant problem. While nothing in the health sector quite compares to the Equifax security breach, both small and large providers, state Medicaid programs, and health insurers continue to be hacked with disturbing frequency. Health information is a particularly inviting target: unlike credit cards and passwords, information in a health record can’t be changed. And, tantalizingly, health records likely contain addresses, social security numbers, dates of birth, and a great deal of other information about people. Moreover, many of the thefts involve information about children, who may be entirely unaware of the thefts or how to protect themselves. Clever data thieves will sit on this information for a few years, and the children won’t have a clue if anything eventually does happen. In most states, however, security breach laws only address financial, not health, information. And the HIPAA security rule continues to provide covered entities with the flexibility of a reasonableness standard, ostensibly to encourage innovation but all too likely to permit questionable judgments about risks.
- the HIPAA privacy and security rules, now at nearly 15 in mid-adolescence, still haven’t grown up to cover all the places where health information resides today. They cover “covered” entities—health care providers, health plans, data clearinghouses—and their business associates. The rules no longer apply when health information was transferred from these protected spaces or was never in them. Think Facebook, Fitbits, or iFetalpregnancy, to take just one letter of the alphabet.
- Most revisions of the Common Rule will go into effect in January, 2018. These will include permitting broad consent for the later use of biospecimens and requiring HHS to issue further privacy and security guidance for IRBs. There will be much to watch about the impact of these changes.
- We lack good research about whether, why, and how health privacy matters to people. Privacy advocates, bolstered especially by the history of HIV/AIDS, contend that patients may stay away from seeking health care out of privacy concerns. Several studies indicate that HIV+ patients in rural areas in the US South delayed seeking care in part out of privacy concerns. There’s also data about adolescents avoiding care to protect their information, especially among adolescents engaged in risky behavior or reporting symptoms of depression. And there’s a study about participants in genetic studies wanting to be asked before their data are used. But try to find comprehensive data driven studies of actual patient behavior—my research assistant has—and you are likely to come up close to empty. The absence of good research in the area opens the door to unsubstantiated claims about how everyone has just gotten over the privacy they don’t have.
- Efforts to change individual health behavior—often with good intentions of encouraging better health but also with perhaps more mixed motives of cost control—are growing and may become increasingly intrusive. The GINA final rule on employer wellness programs is just one example. There will be much to watch over the next few years of how these initiatives play out, what patients think of them, and how they affect people’s lives.
- Big data, bigger data, biggest (?) data. Humongous data. Algorithms. Predictive analytics. Syndromic surveillance. We’ll need to keep thinking about how all these are used, how they should be used, what should be used, and how we even know what’s happening.
- Precision medicine needs information about individuals to support relevant research. The all of us cohort of a million lives is still expected to roll out in 2018. How concerns about privacy will affect enrollment, in particular among disadvantages groups, remains to be seen. So does how the all of us initiative will in turn protect privacy and participants’ choices about data use through methods of participant representation.
- And then there’s automation. Automated vehicles, the vogue of the moment, may need to collect lots of information about operator behavior, including the use of override functions, to develop the software needed for safe use. Kuri the robot companion will bring sparks of life to your house, learning the floor plan and cruising around, greeting you when you come home and waking in the morning—and, yes, she’s a great listener, too. There’s Buddy, the wellness home companion for senior citizens—who can also monitor them carefully. More, and more sophisticated robots are appearing all the time—and along with them serious privacy and security concerns.
I look forward to Bill of Health’s contributions to the debates about these and related issues over the next five years.
Leslie Francis, University of Utah