I don’t question the value of allowing my health data to be captured as a means to improve quality of care. Well-being for others and myself is very high on my list of imperatives. That being said, what I do question is the amount of control I have over my data relative to how much I trust the many hands through which it may pass. This past June here in the United States, the Centers for Medicare & Medicaid Services (CMS) released a final rule that allows our health data to be sold to for-profit companies. Do you trust for-profit companies with your health data? I do not.
Robin Wilton, Technical Outreach Director for Identity and Privacy for the Internet Society defines trust as “the belief that someone won’t act against your interests, even if they have the opportunity and motivation to do so“. Our health data is vulnerable to the actions of others who will likely have opportunity and motivation to act against our interests, but most of us are not aware of, do not understand, or are not actively taking part in managing the risks associated with the sharing of our data. Most people in the United States believe their privacy is protected by HIPAA because we sign those forms every time we visit a doctor. HIPAA does require the first tier of data handlers to strip your health data of all personally identifiable information.
However, once they’ve sold it to for-profit companies, there is nothing preventing them from combining it with other data to re-identify you. Further, there is no accountability that compels them to protect your data from others who may have unsavory intentions. Also, large health data companies are motivated by profit and their primary customers are pharmaceutical advertisers. What would be the basis for trusting these entities with information about us?
As with all advances in technology and society, there exists potential for good outcomes or for harm. Historically, legal frameworks learn and evolve accordingly as we adjust to these changes. We are still in the early stages of this process as the collection, storage, use, and handling of data increases exponentially. Health data is, for the most part, seen as a public good – but, interestingly, in the US, at least, it is also treated as “free speech” by the courts. Laws are moving to favor for-profit use of data whether we like it or not so, what do we need to trust this evolution? If you’re in a business negotiation and you’re offering something of value, you need to know what you want in return before you sit at the table.
If businesses are going to profit from healthcare data then laws need to protect consumers and hold data handlers accountable for breaches. Additionally, perhaps a portion of the money made on the sale of this data should be directed to making our personal data easily accessible to us at no cost. By 2020, the US healthcare IT market is expected to reach 24.55 Billion USD by 2021. We can’t personally profit from our own data without attaching our personal information to it, so at least we should be able to quickly and easily access our own data free of charge.