News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Dr. Halamka, or How I Learned To Stop Worrying and Publish My Medical Records Related reading: Moving Past the New HIPAA Rules

rss_feed

""

Of all the personal data people guard most closely, personal medical records are near the top. Along with financial information, personal health records are data sets that have the potential to make us the most vulnerable in society. So it’s no surprise that, in the U.S., there are very specific and rigid laws that protect such data.

Of course, HIPAA is perhaps the most commonly known U.S.-based law related to privacy, even though the "P" is for "Portability" and not "Privacy."

The law has come under fire lately as we enter this advanced digital era of big data, genomic research and health fitness trackers. For one, researchers argue that medical records can help with a broad array of research efforts aimed at curing and stopping the spread of disease and often point to HIPAA as a roadblock to such efforts. HIPAA’s scope is also becoming less relevant with the rise in wearable fitness trackers because app makers, for example, aren't covered under the federal statute. And, interestingly, HIPAA is regularly misinterpreted to the point where it has “become an all-purpose excuse for things people don’t want to talk about,” according to one healthcare advocate.

Plus, health records are being compromised at an alarming rate. Community Health Systems, Anthem and countless others have sustained major breaches affecting millions of individuals, and, of course, medical information was included in some of the more than 22 million records that were compromised in the second hack of the Office of Personnel Managementa hack, incidentally, that affected seven percent of the U.S. population. We don’t even have to look back that far: Just last Friday, UCLA Health System announced 4.5 million records were compromised in an unencrypted database.

Even best-selling author and cognitive scientist Steven Pinker said it’s time to chill out on the privacy panic:

So we’re all getting hacked. We’re all getting exposed. HIPAA isn’t really helping. And with sophisticated hacks on the up-and-up, we'll likely never fully protect our data.

That’s why Harvard Medical Chief Information Officer John Halamka has a radical idea: We should all voluntarily give up our privacy.

Yes, his task is to protect the medical records for millions of people, but on a personal level, he’s decided to share all of his data. Don’t believe me?

“Have I lost stature in the community because of my genetic risks, my treatment for glaucoma or my occasional episodes of supra ventricular tachycardia? Have I been denied insurance, lost employment or experienced tension among my family and friends?” he queries.

So far, he says, he hasn’t.

But upon inspection, it’s hard not to notice that he’s got a pretty stellar medical history. He’s got low cholesterol; his parents survived into their 90s; he never used tobacco or alcohol, has less than one cup of coffee per day, rare sun exposure and exercises between 10 and 20 hours per week. Oh, and he’s a vegan. So really, he doesn’t have to worry about higher medical insurance rates or from being socially ostracized from some lip fungus that hasn't been identified yet. To his credit, he admits as much.

Other people, however, do have to worry about such things. For some, having their medical records public could be the difference between having a job and being unemployed. And though it didn't affect him, it's hard not to believe that certain diagnoses could negatively affect insurance rates.

On the other hand, there is some merit to Halamka’s proposal.

For example, he says opening up his (and his family’s) personal data is a relief. “None of my family members are concerned about the hacking of our own medical data: It’s already public.” More importantly, no matter where he is, doctors can now access his records without issue. And misuse of their data? No problem. He’s already approved its use as “open-source” material.

And though he gave up his privacy, Halamka understands the crux of it: user control.

For him and his family, this was a voluntary and an informed choice. He doesn’t think everyone should follow his example or that government should mandate it. Halamka concedes that other people have sensitive data in their records: drug abuse, domestic violence, sexually transmitted diseases and mental health issues, but he hopes over time, people will learn to stop worrying and feel more comfortable with sharing their medical records through more social awareness and acceptance.

Ultimately, Halamka predicts two trends will change the medical records paradigm from one that places the onus on data protection to one that promotes open data: The burgeoning “cold war with hackers” will accelerate, exposing more personal health information, and medical discrimination laws will mature. Because of this, he argues, “more individuals will choose to openly share their medical data rather than (try) to protect it.”

This will, in turn, improve the collective medical health for all because medical researchers will have more data with which to work and hackers will have to find something else to exploit.

His solution, though, concerns me. He looks to air travel and the Global Entry program as a possible model moving forward. Yes, you trade your privacy for convenience, but he proposes a national healthcare identifier as part of that solution. “Once such identifiers are in place,” he writes, “a new application could be built enabling patients to disclose their relationships with hospitals, doctors’ offices, labs and pharmacies.”

Doesn’t this just bring us back to square one? We already have huge issues with our unofficial national identifier: the Social Security number (SSN). In fact, exposed SSNs were a huge part of the problem with all the breaches cited at the beginning of this post. Whether we’re talking about government systems (think OPM hack) or sophisticated security firms (think Hacking Team), I don’t think there’s A) a lot of confidence that such data can be adequately protected and B) that it will actually be protected.

For Halamka’s system to truly work, everyone would opt in to a national program. It would require a massive cultural shift where people realize that the benefits of sharing their data outweigh the privacy risk. This utopian vision is commendable, but naive. It fails to take into account the differing leaps of faith each person would have to take. And, significantly, it would not be an equal leap for all.

And what about those who choose not to take that leap of faith? Halamka tries to offer a system that wouldn't coerce individuals into sharing their medical records but would rather involve social acceptance of open medical data. I'm reminded of David Eggers' The Circle, where everyone is supposed to be transparent. If you're not open, then you must have something to hide. Would those who choose to not disclose their medical data be looked upon as suspicious? I'd say that's highly likely.

I do sympathize with his idea for better self-stewardship among patients, and I back his idea of more user control and choice in our healthcare systems. Halamka may be on to something with his proposed medical record devaluing, but for those less fortunate, the stakes are higher, the results potentially more devastating and the records invaluable.

photo credit: drstrangelove via photopin (license)

Author
Headshot Jedidiah Bracy IAPP Staff Contributor
Tags
Health Care
U.S.
Big Data
Biometrics
Data Loss
Personal Privacy
3 Comments

If you want to comment on this post, you need to login.

  • comment Jeff • Jul 21, 2015 
    Give me single-payer healthcare, and this becomes a more viable proposition. That said, if someone opts-out, many will then infer they DO have something to hide (e.g. drug abuse, domestic violence, sexually transmitted diseases and mental health issues). To date, employers, insurance companies and the government have not given met reason to want to be an 'early adopter' of full public disclosure of my health information!
  • comment Chris • Jul 21, 2015 
    A terrible idea in my opinion, but exactly what I would expect the head of an organization that relies on such data for research grants to say. Its easy for the good doctor to share so much data while his health is relatively good. And his family's is. In the long run, this kind of data will certainly be used against us. If we think employers are misusing Facebook to screen potential candidates, wait until they're analyzing our genomes for traits they don't want in employees. Even if patients can "opt out", the laypersons will ask "what do you have to hide?" Here's a great movie plot scenario: An assassin uses a patient's medical data to kill her victims while fooling investigators into thinking its allergic reactions or a simple overdose of an over-the-counter product.

Let anyone who wants to share their data share their data. Let everyone else keep their privacy and their data to themselves. That's real privacy. From a security perspective, the best way to protect this kind of data is to get it OUT of the hands of the organizations that lose it by encrypting it in such a way that the individual controls ALL THE KEYS to the data via a two-factor authentication mechanism. Let hackers steal all the encrypted data they want.
  • comment Alena • Jul 21, 2015 
    This solution - making our medical records public because they're being hacked anyway - is for the ultra-privileged few like Dr. Halamka. If the choice to make medical records public was the status quo, it would put some people at risk of serious harm and the end result would be that those people would not seek medical care at all. Consider how this would affect victims of domestic violence, women seeking to terminate a pregnancy, etc. The idea that privacy must be sacrificed because there are not enough protections in place to secure it is the wrong argument to make. Is there any such precedent anywhere for such an idea? I doubt it because it's a bad idea. If some people want to make their medical history public, that's their prerogative, but this should never be expected in general.
Related Stories
Moving Past the New HIPAA Rules
2
So, you’re a HIPAA covered entity or business associate who is in the final throes of revamping (or creating) appropriate and compliant HIPAA privacy and security policies. And, you finally think you are getting a handle on all the changes required by the new HITECH components of the HIPAA rules. An...
Read More queue Save This

Related Stories
Tags
Health Care
U.S.
Big Data
Biometrics
Data Loss
Personal Privacy
Recent Comments