Of all the personal data people guard most closely, personal medical records are near the top. Along with financial information, personal health records are data sets that have the potential to make us the most vulnerable in society. So it’s no surprise that, in the U.S., there are very specific and rigid laws that protect such data.
Of course, HIPAA is perhaps the most commonly known U.S.-based law related to privacy, even though the "P" is for "Portability" and not "Privacy."
The law has come under fire lately as we enter this advanced digital era of big data, genomic research and health fitness trackers. For one, researchers argue that medical records can help with a broad array of research efforts aimed at curing and stopping the spread of disease and often point to HIPAA as a roadblock to such efforts. HIPAA’s scope is also becoming less relevant with the rise in wearable fitness trackers because app makers, for example, aren't covered under the federal statute. And, interestingly, HIPAA is regularly misinterpreted to the point where it has “become an all-purpose excuse for things people don’t want to talk about,” according to one healthcare advocate.
Plus, health records are being compromised at an alarming rate. Community Health Systems, Anthem and countless others have sustained major breaches affecting millions of individuals, and, of course, medical information was included in some of the more than 22 million records that were compromised in the second hack of the Office of Personnel Management—a hack, incidentally, that affected seven percent of the U.S. population. We don’t even have to look back that far: Just last Friday, UCLA Health System announced 4.5 million records were compromised in an unencrypted database.
Even best-selling author and cognitive scientist Steven Pinker said it’s time to chill out on the privacy panic:
HIPAA madness—it's time to rein in medical privacy panic. http://t.co/27IHNvLRuq
— Steven Pinker (@sapinker) July 18, 2015
So we’re all getting hacked. We’re all getting exposed. HIPAA isn’t really helping. And with sophisticated hacks on the up-and-up, we'll likely never fully protect our data.
That’s why Harvard Medical Chief Information Officer John Halamka has a radical idea: We should all voluntarily give up our privacy.
Yes, his task is to protect the medical records for millions of people, but on a personal level, he’s decided to share all of his data. Don’t believe me?
“Have I lost stature in the community because of my genetic risks, my treatment for glaucoma or my occasional episodes of supra ventricular tachycardia? Have I been denied insurance, lost employment or experienced tension among my family and friends?” he queries.
So far, he says, he hasn’t.
But upon inspection, it’s hard not to notice that he’s got a pretty stellar medical history. He’s got low cholesterol; his parents survived into their 90s; he never used tobacco or alcohol, has less than one cup of coffee per day, rare sun exposure and exercises between 10 and 20 hours per week. Oh, and he’s a vegan. So really, he doesn’t have to worry about higher medical insurance rates or from being socially ostracized from some lip fungus that hasn't been identified yet. To his credit, he admits as much.
Other people, however, do have to worry about such things. For some, having their medical records public could be the difference between having a job and being unemployed. And though it didn't affect him, it's hard not to believe that certain diagnoses could negatively affect insurance rates.
On the other hand, there is some merit to Halamka’s proposal.
For example, he says opening up his (and his family’s) personal data is a relief. “None of my family members are concerned about the hacking of our own medical data: It’s already public.” More importantly, no matter where he is, doctors can now access his records without issue. And misuse of their data? No problem. He’s already approved its use as “open-source” material.
And though he gave up his privacy, Halamka understands the crux of it: user control.
For him and his family, this was a voluntary and an informed choice. He doesn’t think everyone should follow his example or that government should mandate it. Halamka concedes that other people have sensitive data in their records: drug abuse, domestic violence, sexually transmitted diseases and mental health issues, but he hopes over time, people will learn to stop worrying and feel more comfortable with sharing their medical records through more social awareness and acceptance.
Ultimately, Halamka predicts two trends will change the medical records paradigm from one that places the onus on data protection to one that promotes open data: The burgeoning “cold war with hackers” will accelerate, exposing more personal health information, and medical discrimination laws will mature. Because of this, he argues, “more individuals will choose to openly share their medical data rather than (try) to protect it.”
This will, in turn, improve the collective medical health for all because medical researchers will have more data with which to work and hackers will have to find something else to exploit.
His solution, though, concerns me. He looks to air travel and the Global Entry program as a possible model moving forward. Yes, you trade your privacy for convenience, but he proposes a national healthcare identifier as part of that solution. “Once such identifiers are in place,” he writes, “a new application could be built enabling patients to disclose their relationships with hospitals, doctors’ offices, labs and pharmacies.”
Doesn’t this just bring us back to square one? We already have huge issues with our unofficial national identifier: the Social Security number (SSN). In fact, exposed SSNs were a huge part of the problem with all the breaches cited at the beginning of this post. Whether we’re talking about government systems (think OPM hack) or sophisticated security firms (think Hacking Team), I don’t think there’s A) a lot of confidence that such data can be adequately protected and B) that it will actually be protected.
For Halamka’s system to truly work, everyone would opt in to a national program. It would require a massive cultural shift where people realize that the benefits of sharing their data outweigh the privacy risk. This utopian vision is commendable, but naive. It fails to take into account the differing leaps of faith each person would have to take. And, significantly, it would not be an equal leap for all.
And what about those who choose not to take that leap of faith? Halamka tries to offer a system that wouldn't coerce individuals into sharing their medical records but would rather involve social acceptance of open medical data. I'm reminded of David Eggers' The Circle, where everyone is supposed to be transparent. If you're not open, then you must have something to hide. Would those who choose to not disclose their medical data be looked upon as suspicious? I'd say that's highly likely.
I do sympathize with his idea for better self-stewardship among patients, and I back his idea of more user control and choice in our healthcare systems. Halamka may be on to something with his proposed medical record devaluing, but for those less fortunate, the stakes are higher, the results potentially more devastating and the records invaluable.
If you want to comment on this post, you need to login.