National Consumers League

Who wants my health data and what are they going to do with it? The paradox of data privacy


Tagged:

Do we really know how our health information is being used?  While patients want to know that their personal health information is protected by the HIPAA privacy rule, patient information is one of the best ways for the health system to improve care by learning from the patient experience.

 

At a recent annual meeting of Consumers United for Evidence Based Health Care (CUE), a national coalition of health and consumer advocacy organizations committed to empowering consumers to make the best use of evidence-based healthcare,  a panel of speakers discussed issues around patient privacy and the availability of data for research.  

As HIPAA currently operates, patient consent is needed for formal research that “contributes to the general knowledge.” But the internal use of personal health information for health care operations and to improve care , is NOT covered by HIPAA and thus patient informed consent is not required. In other words, as Deven McGraw from Manatt, Phelps & Phillips explained, if a health care organization uses research for its own internal use, then they are not subject to HIPAA requirements, but if an organization wants to share what is learned with the outside world to improve public health, then HIPAA applies. If we want to encourage sharing of research findings shouldn’t we make it easier, and not harder, to do so?  It seems that under the current paradigm we do not incentivize the sharing of knowledge. 

Nancy Kass, of Johns Hopkins Bloomsburg School of Public Health, stated that it is time for a new ethical framework for a learning healthcare system that will increase the likelihood of continuous learning, and in which participants’ rights are protected. According to Kass, what happens in clinical practice should be used to learn about how we can improve health care for our own practices as well as others. While we may be concerned about use of our health information for research purposes, our personal health information is already being used in many ways – ranging from ensuring quality of care to licensing and certification purposes. With the advent of electronic health records, how clinical practices use our data has drastically changed. “You want to protect patients from risk but also have good research,” said Kass. The reality is that there already is a systematic collection of patient data (without informed consent), which is used for internal operations – and patients have no idea. 

How do we create a trusted data collection system?  One way is to get patients more involved in research. PCORI, a government agency, was initiated by the Affordable Care Act to involve patients in a meaningful way in research. Research results should be shared with the patients who participate in the research in an accessible format, where hopefully conclusions are made based on a common data model.  We should also improve patient consent forms so that they are understandable and accessible to patients. Right now the consent forms are complicated and full of legal terms that make you wonder if the form is designed to protect the patient or the research. Peter Doshi, University of Maryland, explained that current consent forms do not say that if your data will or will not be used by others for the good of public health. Informed consent forms should change and FDA has recently developed a model consent form. 

Experiences with researchers failing to obtain informed consent and not being transparent about research goals, such as with the Tuskegee experiment, demonstrate the importance of both informed consent and transparency in the collection of data. The dilemma is how we balance the need for those protections, while encouraging research to improve clinical care. 

In this age of electronic health records and ongoing collection of our personal data wherever we turn, both patients and health care providers and organizations have a responsibility to promote and engage in continuous learning activities to improve the quality of clinical care. We need to increase the likelihood of continuous learning, while ensuring that learning proceeds in an ethically acceptable fashion and that participants’ rights are protected.   Health care providers and organizations have a responsibility to be transparent and disclose all the ways data are being used, and the patient has an obligation to participate in these learning activities so that clinical care can be improved for all of us.