Monday, July 19, 2010

De-Identified Patient Data and The Right to Privacy

"It's personal. It's private. And it's no one's business but yours.......Privacy is as apple-pie as the Constitution."
And so began one of the most important essays on Privacy in recent times. The essay was authored by Phil Zimmerman, the author of PGP--a public source encryption program that broadened access to secure electronic communication. And yet, scholars will tell you that, despite Mr. Zimmerman's "American as apple pie" comparison above, the US Constitution does not include an express right to privacy [1]. The Bill of Rights does, however, acknowledge the need for privacy and the US Supreme Court has firmly implied such a right through numerous rulings over the past century.

Healthcare records were not always afforded the same level of privacy as today. The road to HIPAA--today's governing legislation on healthcare records--was long and paved with some spectacular cases of misuse of personal health information. In recent times, HIPAA has strengthened privacy protections and emphasized enforcement. The penalties are steeper and the access terms are stricter than before.

The challenge with HIPAA, as with any other legislation, is to balance individual interests with those of society. For example, an individual has a self interest in protecting his or her health records from prying eyes. Yet, aggregate health information is extremely valuable to analyze trends, predict disease migration patterns, link treatment to outcomes, etc. The personal privacy protections from HIPAA make it difficult to get these societal benefits. The industry's approach at de-identified data appears to be a good compromise, but privacy advocates such as Deb Peel of Patient Privacy Rights have strongly clashed with industry advocates like Matthew Holt, the author of The Healthcare Blog on this subject.

For a recent example of how privacy alarmists can derail efforts to improve healthcare see this article. The issue described here was the selling of de-identified patient data by a free, hosted EMR system called PracticeFusion. The sale of de-identified data enables PracticeFusion to provide a free service to 30,000+ small physicians, but, the company's practices has privacy advocates up in arms.

Some of you may recall Facebook's Mark Zuckerberg claiming privacy was dead. Zuckerberg, of course, was referring to personal privacy in the context of what you do or share online and he was probably not thinking as much about personal health records. Are these two related? Will changing outlook on personal privacy affect how we view health information?

[1] a fact noted by Mr. Zimmerman later in his aforementioned essay.

No comments:

Post a Comment