Trade Law Daily is a service of Warren Communications News.
Protections for Wearables Needed

Privacy, Transparency Called Crucial for Health Data

“People should have access to their own health data,” said Barbara Evans, director of the University of Houston Law Center’s Center on Biotechnology and Law, during a Health Privacy Summit Thursday. “Clouds of data are generated about us and the federal government did well regulating an individual’s right to access the data with the Health Insurance Portability and Accountability Act,” but now large amounts of data that are generated by items like wearables aren't protected by HIPAA, Evans said. There needs to be a HIPAA-equivalent for that data, she said. It’s not going to be too long before patients have far more information than any particular provider due to wearables and other devices that contain sensors like cellphones, said Mark Scrimshire, Entrepreneur-in-Residence at the Centers for Medicaid and Medicare Services. The government should step in and ensure that data is not used against us, Scrimshire said.

Hugo Campos, a patient with a cardiac device, said he doesn’t have large concerns or expect much privacy, but would like to have access and control over his health information. Patients have the right to access information that was generated inside their own bodies, Campos said. Well-intentioned regulators think they're protecting people from misusing data by not allowing access to the data, believing that patients with access to their information may get unnecessary medical care, Evans said. The First Amendment means just because someone may do something foolish with data is not a good enough reason to not give the person information, Evans said. If patients are having unnecessary surgery due to access to data, surgeons performing unnecessary surgery can be regulated, she said. Patients don't have to be left in the dark, Evans said.

Two types of patient data sets are collected, said Lucia Savage, chief privacy officer, Office of the National Coordinator (ONC) for Health IT. In one set a patient gives consent for research purposes so medical researchers can find patterns in similar biologically grouped people; another set is used to determine whether a physician is, for example, screening all females 40 and older for mammograms at least once per year or if doctors are over-prescribing antibiotics, Savage said.

Social media sites such as Patients Like Me prove some people want to participate in the research process, and the healthcare industry should enable that, not squash it, Savage said. The electronic health records (EHRs) technology has the capacity to be simpler than we made it, Savage said. Congress should look objectively at how much software companies are charging for interfaces because the price seems too high, Savage said. The ONC is working to create standards for patient-generated data such as scales that send a person’s weight directly to the doctor or data obtained from the use of a FitBit, as that data is currently not protected by HIPAA, Savage said.

Protecting privacy is “quintessential to our democracy,” said Clay Jenkins, director of Homeland Security and Emergency Management for Dallas County. People need to speak up for privacy, he said. Jenkins said he tried to protect Texas resident Eric Duncan, who had Ebola, by referring to him as patient zero. Jenkins also tried to keep private the identities of the first responders aiding in the Ebola epidemic so they were not unnecessarily quarantined. Texas is still monitoring two to three individuals who may have been exposed to Ebola, but neither their identities nor the fact that individuals are being quarantined has been released, to prevent inciting fear, anger and panic, Jenkins said.

Many people don’t read privacy practice rules that tell them exactly what’s happening with their data, Savage said. Janelle Burns, corporate privacy and security officer for Baptist Memorial Health Care, disagreed and said that although Baptist Memorial's privacy practice is very thorough -- and some say too long -- even patients who take the time to read it won’t know every place their data is sent. Baptist Memorial, like other medical facilities, participates in sharing data in several registries, as required, Burns said.

From a cybersecurity standpoint, the healthcare system as a whole is immature compared with other industries that collect data, Savage said. Small and large healthcare organizations need to be secure and stop putting password information on a sticky note on the file cabinet, Savage said. Security awareness and functionality have to be raised and people need to be aware, she said. Patients need to help the medical community understand that financial records should be kept out of the healthcare system and that a Social Security number isn't needed to receive healthcare, Savage said. Noting that the encryption key was stolen in the Anthem breach, Savage said that even when the industry does its best, there are going to be bad people and bad things will happen sometimes.