TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Dr. Halamka, or How I Learned To Stop Worrying and Publish My Medical Records Related reading: Moving Past the New HIPAA Rules

rss_feed
GDPR-Ready_300x250-Ad

""

Of all the personal data people guard most closely, personal medical records are near the top. Along with financial information, personal health records are data sets that have the potential to make us the most vulnerable in society. So it’s no surprise that, in the U.S., there are very specific and rigid laws that protect such data.

Of course, HIPAA is perhaps the most commonly known U.S.-based law related to privacy, even though the "P" is for "Portability" and not "Privacy."

The law has come under fire lately as we enter this advanced digital era of big data, genomic research and health fitness trackers. For one, researchers argue that medical records can help with a broad array of research efforts aimed at curing and stopping the spread of disease and often point to HIPAA as a roadblock to such efforts. HIPAA’s scope is also becoming less relevant with the rise in wearable fitness trackers because app makers, for example, aren't covered under the federal statute. And, interestingly, HIPAA is regularly misinterpreted to the point where it has “become an all-purpose excuse for things people don’t want to talk about,” according to one healthcare advocate.

Plus, health records are being compromised at an alarming rate. Community Health Systems, Anthem and countless others have sustained major breaches affecting millions of individuals, and, of course, medical information was included in some of the more than 22 million records that were compromised in the second hack of the Office of Personnel Managementa hack, incidentally, that affected seven percent of the U.S. population. We don’t even have to look back that far: Just last Friday, UCLA Health System announced 4.5 million records were compromised in an unencrypted database.

Even best-selling author and cognitive scientist Steven Pinker said it’s time to chill out on the privacy panic:

So we’re all getting hacked. We’re all getting exposed. HIPAA isn’t really helping. And with sophisticated hacks on the up-and-up, we'll likely never fully protect our data.

That’s why Harvard Medical Chief Information Officer John Halamka has a radical idea: We should all voluntarily give up our privacy.

Yes, his task is to protect the medical records for millions of people, but on a personal level, he’s decided to share all of his data. Don’t believe me?

“Have I lost stature in the community because of my genetic risks, my treatment for glaucoma or my occasional episodes of supra ventricular tachycardia? Have I been denied insurance, lost employment or experienced tension among my family and friends?” he queries.

So far, he says, he hasn’t.

But upon inspection, it’s hard not to notice that he’s got a pretty stellar medical history. He’s got low cholesterol; his parents survived into their 90s; he never used tobacco or alcohol, has less than one cup of coffee per day, rare sun exposure and exercises between 10 and 20 hours per week. Oh, and he’s a vegan. So really, he doesn’t have to worry about higher medical insurance rates or from being socially ostracized from some lip fungus that hasn't been identified yet. To his credit, he admits as much.

Other people, however, do have to worry about such things. For some, having their medical records public could be the difference between having a job and being unemployed. And though it didn't affect him, it's hard not to believe that certain diagnoses could negatively affect insurance rates.

On the other hand, there is some merit to Halamka’s proposal.

For example, he says opening up his (and his family’s) personal data is a relief. “None of my family members are concerned about the hacking of our own medical data: It’s already public.” More importantly, no matter where he is, doctors can now access his records without issue. And misuse of their data? No problem. He’s already approved its use as “open-source” material.

And though he gave up his privacy, Halamka understands the crux of it: user control.

For him and his family, this was a voluntary and an informed choice. He doesn’t think everyone should follow his example or that government should mandate it. Halamka concedes that other people have sensitive data in their records: drug abuse, domestic violence, sexually transmitted diseases and mental health issues, but he hopes over time, people will learn to stop worrying and feel more comfortable with sharing their medical records through more social awareness and acceptance.

Ultimately, Halamka predicts two trends will change the medical records paradigm from one that places the onus on data protection to one that promotes open data: The burgeoning “cold war with hackers” will accelerate, exposing more personal health information, and medical discrimination laws will mature. Because of this, he argues, “more individuals will choose to openly share their medical data rather than (try) to protect it.”

This will, in turn, improve the collective medical health for all because medical researchers will have more data with which to work and hackers will have to find something else to exploit.

His solution, though, concerns me. He looks to air travel and the Global Entry program as a possible model moving forward. Yes, you trade your privacy for convenience, but he proposes a national healthcare identifier as part of that solution. “Once such identifiers are in place,” he writes, “a new application could be built enabling patients to disclose their relationships with hospitals, doctors’ offices, labs and pharmacies.”

Doesn’t this just bring us back to square one? We already have huge issues with our unofficial national identifier: the Social Security number (SSN). In fact, exposed SSNs were a huge part of the problem with all the breaches cited at the beginning of this post. Whether we’re talking about government systems (think OPM hack) or sophisticated security firms (think Hacking Team), I don’t think there’s A) a lot of confidence that such data can be adequately protected and B) that it will actually be protected.

For Halamka’s system to truly work, everyone would opt in to a national program. It would require a massive cultural shift where people realize that the benefits of sharing their data outweigh the privacy risk. This utopian vision is commendable, but naive. It fails to take into account the differing leaps of faith each person would have to take. And, significantly, it would not be an equal leap for all.

And what about those who choose not to take that leap of faith? Halamka tries to offer a system that wouldn't coerce individuals into sharing their medical records but would rather involve social acceptance of open medical data. I'm reminded of David Eggers' The Circle, where everyone is supposed to be transparent. If you're not open, then you must have something to hide. Would those who choose to not disclose their medical data be looked upon as suspicious? I'd say that's highly likely.

I do sympathize with his idea for better self-stewardship among patients, and I back his idea of more user control and choice in our healthcare systems. Halamka may be on to something with his proposed medical record devaluing, but for those less fortunate, the stakes are higher, the results potentially more devastating and the records invaluable.

photo credit: drstrangelove via photopin (license)

3 Comments

If you want to comment on this post, you need to login.

  • comment Jeff • Jul 21, 2015
    Give me single-payer healthcare, and this becomes a more viable proposition. That said, if someone opts-out, many will then infer they DO have something to hide (e.g. drug abuse, domestic violence, sexually transmitted diseases and mental health issues). To date, employers, insurance companies and the government have not given met reason to want to be an 'early adopter' of full public disclosure of my health information!
  • comment Chris • Jul 21, 2015
    A terrible idea in my opinion, but exactly what I would expect the head of an organization that relies on such data for research grants to say. Its easy for the good doctor to share so much data while his health is relatively good. And his family's is. In the long run, this kind of data will certainly be used against us. If we think employers are misusing Facebook to screen potential candidates, wait until they're analyzing our genomes for traits they don't want in employees. Even if patients can "opt out", the laypersons will ask "what do you have to hide?" Here's a great movie plot scenario: An assassin uses a patient's medical data to kill her victims while fooling investigators into thinking its allergic reactions or a simple overdose of an over-the-counter product.
    
    Let anyone who wants to share their data share their data. Let everyone else keep their privacy and their data to themselves. That's real privacy. From a security perspective, the best way to protect this kind of data is to get it OUT of the hands of the organizations that lose it by encrypting it in such a way that the individual controls ALL THE KEYS to the data via a two-factor authentication mechanism. Let hackers steal all the encrypted data they want.
  • comment Alena • Jul 21, 2015
    This solution - making our medical records public because they're being hacked anyway - is for the ultra-privileged few like Dr. Halamka. If the choice to make medical records public was the status quo, it would put some people at risk of serious harm and the end result would be that those people would not seek medical care at all. Consider how this would affect victims of domestic violence, women seeking to terminate a pregnancy, etc. The idea that privacy must be sacrificed because there are not enough protections in place to secure it is the wrong argument to make. Is there any such precedent anywhere for such an idea? I doubt it because it's a bad idea. If some people want to make their medical history public, that's their prerogative, but this should never be expected in general.