Big data continues to reshape health. For patient privacy, however, the exponential increase in the amount of data related to patient health raises major ethical and legal challenges.
In a new paper in Nature Medicine, “Privacy in the age of medical big data,” legal and bioethical experts W. Nicholson Price and I. Glenn Cohen examine the ways in which big data challenges the protection (and the way we conceive) of health care privacy.
The Petrie-Flom Academic Fellow Alumnus and Faculty Director, respectively, compare the way health care data is governed in the U.S., including under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), contrasting it with the EU’s new General Data Protection Regulation (GDPR). The authors explain how the HIPAA-centered U.S. approach falls short, missing large swaths of the health data ecosystem.
“HIPAA does not cover health care data… recorded by life insurance companies,” write Price and Cohen. “It does not cover user-generated information about health, such as the use of a blood-sugar-tracking smartphone app or a set of Google searches about particular symptoms, and insurance coverage for serious disorders. And it certainly does not cover the huge volume of data that is not about health at all, but permits inferences about health—such as the information about a shopper’s Target purchases that famously revealed her pregnancy.”
Under HIPAA, US privacy law treats health data differently depending on how it is created and who is handling the data, “a set of rules that are arguably both overprotective and under-protective of privacy.” Meanwhile, the GDPR “sets out a single, broadly defined regime for health data (as well as other data), no matter what format, how it is collected, or who the custodian is.”
The paper discusses questions such as: to what extent should data be available for use without a patient’s consent? Should some health data be seen as a kind of public good? What role should patients have in deciding what kind of uses of their data are permissible? At the same time, they carefully outline why overprotection of patient privacy and data may not be the right answer.
The authors conclude with recommendations for future-proofing our medical data regulations including that we must strike “the right balance—protecting privacy so that patients are comfortable providing their data, but not allowing privacy to drive secrecy that reduces validation and trust in the potential benefits arising from those data,” an admittedly “tricky challenge.”