Thursday, September 27, 2012
In a new essay, available here, that is part of a Symposium collection, here, recommending legislative/regulatory action to the incoming Administration ("The Next Four Years") I argue for some enhanced privacy protections in the face of emerging "big data" models.
This essay discusses the threats to health privacy posed by “big data;” an ongoing revolution in data collection and processing. The essay takes the position that big data poses an exceptional group of problems for health care, its providers, researchers, and patients. Faced with increased privacy risks an exhaustive overhaul of HIPAA/HITECH is not proposed. Rather, this essay suggests an incremental approach, adopting aspects of the recent privacy proposals published by the White House and the Federal Trade Commission. The essay suggests that the battle to preserve health privacy needs to be fought on three fronts. First, while HIPAA/HITECH provides increasingly robust protections against unauthorized uses of health information by a relatively narrow set of traditional health care provider data stewards, it does almost nothing to regulate the collection of health data. It is time that the federal government put real limits on the collection and processing of personal information. Second, the U.S. has adopted a sector-based approach to data protection. HIPAA, as amended by HITECH, and the “privacy” and security regulations made thereunder apply only to a narrowly constructed version of the vertical health care market. Such sector-based approaches to regulation are frequently flawed because of poor calibration. Further, the very concept of health sector specific regulation is flawed because health related or medically inflected data frequently circulates outside of the traditionally recognized health care sector. Third, there is great value in patient information that could be extracted and used by responsible medical and public health researchers. Responsible public policy suggests that researchers should be able to request that information from patients. Many of the existing HIPAA and HITECH security and confidentiality protections apply here but are fundamentally flawed. Neither current policy nor regulations supply the key component: a coherent choice architecture for dealing with appropriate patient decision-making regarding research use of personal or familial health data.