The Fight for Patient Privacy Under Big Data Analytics

The HIPAA Privacy Rule generally requires written patient authorization for the disclosure of protected health information.

A viewpoint review published in JAMA examined the adequacy of the Health Insurance Portability and Accountability Act (HIPAA) in the “big data” era of MyHealthEData and similar electronic record systems.   

Introduced by the Trump administration in March 2018, the MyHealthEData initiative seeks to broaden patient access to electronic health records and insurance claims information. MyHealthEData and similar electronic systems allow patients to share health information at their discretion, an approach which may enable individuals to identify optimal treatment plans and network with health services. However, the digital sharing of health-related information raises new privacy concerns, not the least of which is the prospect of “invasive marketing” and “discriminatory practices that evade…law.” In the present day, the authors assert, HIPAA-protected data owns a “diminishing share” of health information stored electronically, and privacy regulations should be amended accordingly.

The HIPAA Privacy Rule generally requires written patient authorization for the disclosure of protected health information. Researchers may obtain de-identified data without patient consent only with the approval of a privacy board or institutional review board. This privacy rule has curtailed inappropriate access in the past, but modern advances in computation and the growing volume of sensitive data generated outside healthcare settings pose new challenges, the authors say. HIPAA does not cover data produced by noncovered entities or information shared by patients (e.g., through social media), and the expanding scope of these sources represents a threat to confidentiality.

To maintain an ecosystem that preserves the usefulness of big data without compromising individual privacy, the authors propose a separate set of regulations for health-related data not covered by HIPAA. The European Union's General Data Protection Regulation represents one potential framework by which the United States might modify existing laws. Regardless of specificities, the authors assert that individuals should have agency over their personal information and that data users must be held accountable for any breaches of privacy. The complicated landscape of privacy in the digital age requires participation from healthcare providers, medical software companies, and “digital citizens.”

Reference

Cohen IG, Mello MM. HIPAA and protecting health information in the 21st century [published online May 24, 2018]. JAMA. doi:10.1001/jama.2018.5630
