The Challenge of Modern Health Information Privacy Laws
Alex Berenson in the New York Times recently wrote, “The most precious commodity on Wall Street is information…” (1) A similar observation may hold true concerning health data in the modern contexts of health care practice, delivery, reimbursement, and research. Within an emerging national electronic health information infrastructure, personally identifiable health data are an essential commodity, exchanged routinely among providers, insurers, data clearinghouses, researchers, governmental agencies, employers, and others. Access to identifiable health data among multiple groups continues to grow exponentially as digital personal health records (PHRs) become pervasive. Ongoing national health care reform efforts may only increase demands for greater public and private sector access to health data to administer burgeoning health claims, provide quality care, eliminate fraud in health care spending, or conduct public health prevention programs.
Rapid, multifarious exchanges of electronic health data, far removed from the paper-based disclosures of health information through the doctor-patient relationship, contribute to heightened individual concerns about the privacy of identifiable health data. While many of these exchanges occur with individual knowledge and consent (or at least the opportunity for individual consent), others do not. Protecting the privacy of individually identifiable health data against this backdrop is a critical health policy objective. Responding to Americans’ fears and perceptions of actual and potential privacy abuses, lawmakers and policymakers have attempted to develop modern privacy protections through law as well as ethical and industry codes. (2) Thousands of legislative and regulatory proposals have been introduced and passed at all levels of governments with the goal of better protecting the privacy of identifiable health data in an array of settings. (3)
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, for example, applies to identifiable health data (e.g., protected health information or PHI) used or disclosed by covered entities (e.g., health care providers, health plans, health care clearinghouses), their business associates, and others performing “covered functions.” (4) Though developed just five years ago in 2004, the Privacy Rule already seems outdated. As a national privacy regulatory standard, it offers a comprehensive framework of protections but is submerged within an existing universe of legal and ethical privacy protections. With limited jurisdiction over specific entities, the rule provides little more than a floor, or base level, of privacy protections. (5) Beyond HIPAA’s base level of national privacy legal protections are a myriad other laws and policies that apply to selective health data at varying levels of government in specific settings.
Lack of national uniformity of health information privacy protections is problematic. Health care providers and patients are confused and burdened by an array of privacy protections. Yet larger issues remain. Framed in terms of traditional privacy protections that respect individual autonomy through principles of informed consent emanating from health care provider-patient relationships, modern privacy laws have purpose but ultimately miss the mark. These laws fail to reflect the fact that increasing amounts of identifiable health data are generated and circulated well outside the doctor-patient relationship that gives rise to legal protections like those set forth in the HIPAA Privacy Rule. Broadening conceptions of what constitutes “health data,” coupled with innumerable ways of identifying health information (even when stripped of typical, known identifiers), has expanded the pool of identifiable health data deserving of legal protections.
The new age of health data encompasses not only volumes of data produced in clinical or research settings, but also those data amassed through individual choices to gather, save, and post electronic PHRs. Modern health information privacy laws may protect identifiable health data related to your doctor’s office, but they do little to protect sensitive, individual health data on your PC or catalogued through Google, Microsoft, or a multitude of other electronic PHRs. Individuals may (and should) still be wary of potential privacy infringements inherent in these collections. When serious privacy violations occur (which seems to happen regularly), however, legal recourse for individuals may not follow.
Individuals and policymakers seeking to protect the privacy of identifiable health data through law must acknowledge the existence of “public” and “private” spheres of health data. Traditional legal protections like the HIPAA Privacy Rule are geared toward protecting health data generated through individual pursuits of health care, public health, or research services. To the extent that individuals seek these services through outside service providers, resulting identifiable health data may be traded lawfully in the “public” sphere. This is not to say that these data are subject to full public disclosure (unless truly unidentifiable). Rather, as a condition of receiving these health and public health services, exchanges of such identifiable data are expected and even required. Laws do protect the privacy of these data exchanges, although meaningful reforms are still needed.
Where individuals gather, chronicle, exchange, or store health data for their private use or consumption, these data exist within a “private” sphere. Individual’s privacy expectations concerning these data may match or exceed their expectations for health data in the public sphere. The dilemma of existing health information privacy laws is that they do less, if anything, to protect these private data.
This is the modern challenge of health information privacy laws and policies: protecting the privacy of all identifiable health data regardless of its source, location, user, or host. It is a significant challenge recognizing the balance of multiple benefits and threats for individuals, protected groups, and populations in accessing, using, and disclosing identifiable health data. Yet it is a challenge that can and must be met. Through innovative legal approaches, responsible data sharing practices can be embedded not only into governmental and institutional policies and practices, but also within emerging computer systems and software. Responsible data privacy practices must be structured within emerging components of the national electronic health information infrastructure and demanded of corporate entities serving individual data needs within the private sphere.
Technology responsibly guided by law offers the promise of privacy for all identifiable health data. Absent adequate legal protections, however, the future of health data as a commodity may end just as Wall Street has in the last several years: with a crash.
1) Berenson A. A thin line separates insider trading and legal research. NYT. October 20, 2009. B1.
2) Gostin, L, Hodge, JG Jr. Personal Privacy and Common Goods: A Framework for Balancing Under the National Health Information Privacy Rule, Minnesota Law Review 86 (2002): 1439-1480.
3) Hodge, JG, Gostin, KG. Challenging themes in American health information privacy and the public’s health: historical and modern assessments. Journal of Law, Medicine, and Ethics 2005; 32: 4: 670-679.
4) Kamoie, B., Hodge, JG. HIPAA’s implications for public health policy and practice. Public Health Reports 2004; 119: 216-219.
5) Lucido, S., Koo, D., Hodge, JG. HIPAA Privacy Rule: guidance for public health. Morbidity and Mortality Weekly Report 2003; 52: 1-24.
As a leading nonprofit health care research and consulting institute dedicated to improving human health, Altarum encourages open discussion and debate about the many challenges in health care today. All postings to the Health Policy Forum (whether from employees or those outside the Institute) represent the views of the individual authors and/or organizations and do not necessarily represent the position, interests, strategy, or opinions of Altarum Institute. Altarum is a nonprofit, nonpartisan organization. No posting should be considered an endorsement by Altarum of individual candidates, political parties, opinions, or policy positions.