Hostname: page-component-586b7cd67f-dlnhk Total loading time: 0 Render date: 2024-11-22T19:54:46.749Z Has data issue: false hasContentIssue false

How Should Health Data Be Used?

Privacy, Secondary Use, and Big Data Sales

Published online by Cambridge University Press:  09 March 2016

Abstract:

Electronic health records, data sharing, big data, data mining, and secondary use are enabling exciting opportunities for improving health and healthcare while also exacerbating privacy concerns. Two court cases about selling prescription data, the Sorrell case in the U.S. and the Source case in the U.K., raise questions of what constitutes “privacy” and “public interest”; they present an opportunity for ethical analysis of data privacy, commodifying data for sale and ownership, combining public and private data, data for research, and transparency and consent. These interwoven issues involve discussion of big data benefits and harms and touch on common dualities of the individual versus the aggregate or the public interest, research (or, more broadly, innovation) versus privacy, individual versus institutional power, identification versus identity and authentication, and virtual versus real individuals and contextualized information. Transparency, flexibility, and accountability are needed for assessing appropriate, judicious, and ethical data uses and users, as some are more compatible with societal norms and values than others.

Type
Departments and Columns
Copyright
Copyright © Cambridge University Press 2016 

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Notes

1. Laura Wexler’s comments as a respondent at “The Critical Life of Information,” a conference at Yale University, April 11, 2014, outlined dualities related to big data; see http://wgss.yale.edu/sites/default/files/files/Critical%20Life%20of%20Information%20Program%20spreads.pdf (last accessed 19 Aug 2014) for conference information.

2. Jost, TS. Readings in Comparative Health Law and Bioethics. 2nd ed.Durham, NC: Carolina Academic Press; 2007.Google Scholar

3. Institute of Medicine (IOM). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press; 2009, at 78.Google Scholar

4. See note 3, IOM 2009, at 79.

5. Jones, P. Permission-based marketing under Canada’s new privacy laws. Franchise Law Journal 2004;24(2):267303.Google Scholar

6. Walden, I. Anonymising personal data. International Journal of Law and Information Technology 2002;10(2):224–37.CrossRefGoogle Scholar

7. Srinivas, N, Biswas, A. Protecting patient information in India: Data privacy law and its challenges. NUJS Law Review 2012;5(3):411–24.Google Scholar

8. Kaplan, B. Selling health data: De-identification, privacy, and speech. Cambridge Quarterly of Healthcare Ethics 2015;24(3):256–71.CrossRefGoogle Scholar

9. United States Government, Department of Health and Human Services, Office for Civil Rights. Summary of the HIPAA Privacy Rule; available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/ (last accessed 30 June 2013).

10. United States Government, Department of Health and Human Services, Office for Civil Rights. Standards for Privacy of Individually Identifiable Health Information; available at http://aspe.hhs.gov/admnsimp/final/pvcguide1.htm (last accessed 19 Jan 2014).

11. United States Government, Department of Health and Human Services, HSS Press Office, New rule protects patient privacy, secures health information 2013 Jan 17; available at http://www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures-health-information.html (last accessed 1 Jan 2016). See also United States Government, Department of Health and Human Services, Office of the Secretary. 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA Rules; final rule. Federal Register 2013 Jan 25:5565–702; available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf (last accessed 2 July 2014).

12. European Union. EU Directive 95/46/EC—The Data Protection Directive; available at http://www.dataprotection.ie/docs/EU-Directive-95-46-EC--Chapter-2/93.htm (last accessed 23 Mar 2014).

13. European Commission, Directorate General for Justice and Consumers. Agreement on Commission's EU data protection reform will boost Digital Single Market 2015 Dec 15; available at http://europa.eu/rapid/press-release_IP-15-6321_en.htm (last accessed 5 Jan 2016). See also European Commission, Directorate General for Justice and Consumers. Reform of EU data protection rules; available at http://ec.europa.eu/justice/data-protection/reform/index_en.htm (last accessed 5 Jan 2016).

14. Rossi B. Countdown to the EU General Data Protection Regulation: 5 steps to prepare. Information Age 2015 Mar 24; available at http://www.information-age.com/it-management/risk-and-compliance/123459219/countdown-eu-general-data-protection-regulation-5-steps-prepare (last accessed 13 May 2015).

15. Solove, DJ. A taxonomy of privacy. University of Pennsylvania Law Review 2006;154(3):477560.CrossRefGoogle Scholar

16. Ohm, P. Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review 2010;57:1701–77, at 270.Google Scholar

17. Taylor, MJ. Health research, data protection, and the public interest in notification. Medical Law Review 2011;19(2):267303.CrossRefGoogle ScholarPubMed

18. See note 17, Taylor 2011, at 303.

19. Kaplan B. Patient health data privacy. In: Yanisky-Ravid S, ed. The Challenges of the Digital Era: Privacy, Information and More. New York: Fordham University Press; forthcoming.

20. See note 8, Kaplan 2015.

21. See note 16, Ohm 2010.

22. See note 19, Kaplan forthcoming.

23. Beyleveld, D, Histed, E. Betrayal of confidence in the Court of Appeal. Medical Law International 2000;4:277311.CrossRefGoogle ScholarPubMed

24. Koontz L. What is privacy? In: Koontz L, ed. Information Privacy in the Evolving Healthcare Environment. Chicago: Healthcare Information and Management Society (HIMSS); 2013:1–20.

25. See note 19, Kaplan forthcoming.

26. See note 8, Kaplan 2015.

27. World Medical Association. International Code of Medical Ethics; available at http://www.wma.net/en/30publications/10policies/c8/index.html (last accessed 2 May 2014).

28. World Medical Association. Declaration of Helsinki—Ethical Principles for Medical Research Involving Human Subjects; available at http://www.wma.net/en/30publications/10policies/b3/ (last accessed 2 May 2014).

29. World Medical Association. Declaration on Ethical Considerations Regarding Health Databases; available at http://www.wma.net/en/30publications/10policies/d1/ (last accessed 2 May 2014).

30. See note 29, WMA 2014.

31. See note 2, Jost 2007.

32. Malin, BA, El Emam, K, O’Keefe, CM. Biomedical data privacy: Problems, perspectives, and recent advances. JAMIA (Journal of the American Medical Informatics Association) 2013;20(1):26.CrossRefGoogle ScholarPubMed

33. See note 23, Beyleveld, Histed 2000, at 296.

34. Dunkel, YF. Medical privacy rights in anonymous data: Discussion of rights in the United Kingdom and the United States in light of the Source Informatics cases. Loyola of Los Angeles International and Comparative Law Review 2001;23(1):4180.Google Scholar

35. See note 7, Srinivas, Biswas 2012.

36. See note 5, Jones 2004.

37. Powell, J, Fitton, R, Fitton, C. Sharing electronic health records: The patient view. Informatics in Primary Care 2006;14(1):55–7.Google ScholarPubMed

38. Schers, H, van den Hoogen, H, Grol, R, van den Bosch, W. Continuity of information in general practice: Patient views on confidentiality. Scandinavian Journal of Primary Health Care 2003;21(1):21–6.CrossRefGoogle Scholar

39. See note 23, Beyleveld, Histed 2000.

40. See note 32, Malin et al. 2013.

41. See note 34, Dunkel 2001, at 70.

42. Choy C, Hudson Z, Pritts J, Goldman J. Exposed Online: Why the New Federal Health Privacy Regulation Doesn’t Offer Much Protection to Internet Users. Health Privacy Project, Institute for Healthcare Research and Policy, Georgetown University: Pew Internet and American Life Project; 2001, at 4; available at http://www.pewinternet.org/files/old-media/Files/Reports/2001/PIP_HPP_HealthPriv_report.pdf.pdf (last accessed 11 May 2015).

43. See note 12, EU 2014.

44. McGraw, D. Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data. JAMIA (Journal of the American Medical Informatics Association) 2013;20(1):2934.CrossRefGoogle ScholarPubMed

45. Curfman, GD, Morrissey, S, Drazen, JM. Prescriptions, privacy, and the First Amendment. New England Journal of Medicine 2011;364(21):2053–5.CrossRefGoogle ScholarPubMed

46. Tien L. Online behavioral tracking and the identification of Internet users. Paper presented at: From Mad Men to Mad Bots: Advertising in the Digital Age [conference]. The Information Society Project at the Yale Law School. New Haven, CT; 2011.

47. Benitez, K, Malin, B. Evaluating re-identification risks with respect to the HIPAA Privacy Rule. JAMIA (Journal of the American Medical Informatics Association) 2010;17(2):169–77.CrossRefGoogle ScholarPubMed

48. See note 16, Ohm 2010.

49. See note 8, Kaplan 2015.

50. Sorrell v. IMS Health, Inc., et al., 131 S. Ct. 2653 (2011).

51. R v. Department of Health, Ex Parte Source Informatics Ltd. [C.A. 2000] 1 All ER 786. See also R v. Department of Health, Ex Parte Source Informatics Ltd. European Law Report 2000;4:397–414.

52. See note 8, Kaplan 2015.

53. See note 7, Srinivas, Biswas 2012.

54. See note 5, Jones 2004.

55. Baxter, AD. IMS Health v. Ayotte: A new direction on commercial speech cases. Berkeley Technology Law Journal 2010;25:649–70.Google Scholar

56. Pasquale, F. Restoring transparency to automated authority. Journal on Telecommunications and High Technology Law 2011;9:235–54.Google Scholar

57. Rodwin, MA. Patient data: Property, privacy, and the public interest. American Journal of Law and Medicine 2010;36:586618, at 589.CrossRefGoogle ScholarPubMed

58. Hall, MA, Schulman, KA. Ownership of medical information. JAMA 2009;301(12):1282–4.CrossRefGoogle ScholarPubMed

59. Gooch, GR, Rohack, JJ, Finley, M. The moral from Sorrell: Educate, don’t legislate. Health Matrix 2013;23(1):237–77.Google Scholar

60. NHS European Office. Data Protection; 2015 Mar 24; available at http://www.nhsconfed.org/regions-and-eu/nhs-european-office/influencing-eu-policy/data-protection (last accessed 15 May 2015).

61. See note 14, Rossi 2015.

62. O’Donoghue C. EU research group condemns EU regulation for restricting growth in life sciences sector; 2014; available at http://www.globalregulatoryenforcementlawblog.com/2014/02/articles/data-security/eu-research-group-condemns-eu-regulation-for-restricting-growth-in-life-sciences-sector/ (last accessed 23 Mar 2014).

63. Farrar J. Sharing NHS data saves lives; EU obstruction will not. The Telegraph 2014 Jan 14; available at http://www.telegraph.co.uk/health/nhs/10569467/Sharing-NHS-data-saves-lives-EU-obstruction-will-not.html (last accessed 23 Mar 2014).

64. European Public Health Alliance. [Update] General Data Protection Regulation; available at http://www.epha.org/5926 (last accessed 23 Mar 2014).

65. NHS Confederation. EU ministers table changes to data privacy; 2015 Mar 13; available at http://nhsconfed.org/news/2015/03/eu-ministers-table-changes-to-data-privacy-laws (last accessed 14 May 2015).

66. See note 13, European Commission 2015.

67. Doctorow C. UK set to sell sensitive NHS records to commercial companies with no meaningful privacy protections—UPDATED; 2014 Feb 4; available at http://boingboing.net/2014/02/04/uk-set-to-sell-sensitive-nhs-r.html (last accessed 5 Feb 2014).

68. Donnelly L. Hospital records of all NHS patients sold to insurers. The Telegraph 2014 Feb 23; available at http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html (last accessed 24 July 2014).

69. See note 68, Donnelly 2014.

70. NHS Choices. Your records: Better information means better care; available at http://www.nhs.uk/nhsengland/thenhs/records/healthrecords/pages/care-data.aspx (last accessed 24 July 2014).

71. See note 70, NHS Choices 2014.

72. Ramesh R. NHS patient data to be made available for sale to drug and insurance firms. The Guardian 2014 Jan 19; available at http://www.theguardian.com/society/ 2014/jan/19/nhs-patient-data-available-companies-buy (last accessed 24 July 2014).

73. Institute of Medicine. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies; 2009;Google Scholar available at http://www.iom.edu/∼/media/Files/Report%20Files/2009/Beyond-the-HIPAA-Privacy-Rule-Enhancing-Privacy-Improving-Health-Through-Research/HIPAA%20report%20brief%20FINAL.pdf (last accessed 22 Jan 2014).

74. Open Humans Network. Open Humans Network wins Knight News Challenge: Health Award; available at http://openhumans.org/ (last accessed 1 July 2014).

75. Christakis, NA, Fowler, JH. Social network visualization in epidemiology. Norwegian Journal of Epidemiology 2009;19(1):516.Google ScholarPubMed

76. Christakis, NA, Fowler, JH. Social network sensors for early detection of contagious outbreaks. PLoS ONE 2010;5(9):e12948.CrossRefGoogle Scholar

77. Velasco, E, Agheneza, T, Denecke, K, Kirchner, G, Eckmanns, T. Social media and Internet-based data in global systems for public health surveillance: A systematic review. The Milbank Quarterly 2014;93(1):733.CrossRefGoogle Scholar

78. Andrews, L. I Know Who You Are and I Saw What You Did: Social Networks and the Death of Data Privacy. New York: Free Press; 2011, at 1–3.Google Scholar

79. Angwin, J. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. New York: Times Books, Henry Holt; 2014, at 33–4.Google Scholar

80. Geissbuhler, A, Safran, C, Buchan, I, Bellazzi, R, Labkoff, S, Eilenberg, K, et al. Trustworthy reuse of health data: A transnational perspective. International Journal of Medical Informatics 2013;83(1):19.CrossRefGoogle Scholar

81. See note 7, Srinivas, Biswas 2012.

82. See note 17, Taylor 2011.

83. Bambauer JR. Is data speech? Stanford Law Review 2014;66:57–120.

84. Zarsky TZ. The privacy/innovation conundrum. Lewis & Clark Law Review 2015;19(1); available at http://ssrn.com/abstract=2596822 (last accessed 19 May 2015).

85. Dvorak K. Med identity theft continues to rise; 2015 Feb 23; available at http://www.fiercehealthit.com/story/med-identity-theft-continues-rise/2015-02-23?utm_medium=nl&utm_source=internal (last accessed 14 May 2015).

86. Avila J, Marshall S. Your medical records may not be private: ABC News Investigation. ABC News 2012 Sept 13; available at http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986&page=2 (last accessed 22 Mar 2014).

87. Nguyen V, Nious K, Carroll J. Your medical records could be sold on black market: NBC Investigative Unit surprises strangers with private medical details. NBC Bay Area 2013 June 18; available at http://www.nbcbayarea.com/news/local/Medical-Records-Could-Be-Sold-on-Black-Market-212040241.html (last accessed 22 Mar 2014).

88. Lawrence D. End of Windows XP support means added opportunity for hackers. Businessweek 2014 Apr 4; available at http://www.businessweek.com/articles/2014-04-04/end-of-windows-xp-support-means-added-opportunity-for-hackers (last accessed 1 July 2014).

89. Shahani A. The black market for stolen health care data. NPR; 2015 Feb 13; available at http://www.npr.org/sections/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data (last accessed 14 May 2015).

90. See note 58, Hall, Schulman 2009.

91. See note 34, Dunkel 2001.

92. See note 47, Benitez, Malin 2010.

93. Roberston J. States’ hospital data for sale puts privacy in jeopardy. Health Leaders Media; 2013; available at http://www.healthleadersmedia.com/content/QUA-292963/States-hospital-data-for-sale-puts-privacy-in-jeopardy (last accessed 14 June 2013).

94. Brief for the New England Journal of Medicine, the Massachusetts Medical Society, the National Physicians Alliance, and the American Medical Students Association as Amici Curiae Supporting Petitioners, William H. Sorrell v. IMS Health, Inc. et al., 2010 U.S. Briefs 779 (No. 10-779), 2011 U.S. S. Ct. Briefs LEXIS 299.

95. Holtzman, DH. Privacy Lost: How Technology Is Endangering Your Privacy. San Francisco: Jossey-Bass; 2006, at 195.Google Scholar

96. See, for example, RPC Health Data Store. CMS MedPAR Hospital Data File; available at http://www.healthdatastore.com/cms-medpar-hospital-data-file.aspx (last accessed 13 Sept 2013).

97. [Winston JS]. States’ hospital data for sale puts patient privacy in jeopardy; 2013 June 7; available at https://www.annualmedicalreport.com/states-hospital-data-for-sale-puts-patient-privacy-in-jeopardy/ (last accessed 19 Jan 2014).

98. Bady A. World without walls—privacy laws should be recrafted for the data fusion age. Technology Review 2011;114(6):66–71.

99. United States Government, Department of Justice. Fusion Center Guidelines: Developing and Sharing Information and Intelligence in a New Era; 2006; available at http://www.it.ojp.gov/documents/fusion_center_guidelines.pdf (last accessed Mar 2012).

100. See note 45, Curfman et al. 2011.

101. United States Government, Department of Health and Human Services, Centers for Medicare and Medicaid Services. Agreement for Use of Centers for Medicare & Medicaid Services (CMS) Data Containing Unique Identifiers, Form CMS-R-0235, OMB No. 0938-0734; available at http://www.cms.gov/Medicare/CMS-Forms/CMS-Forms/downloads//cms-r-0235.pdf (last accessed 13 Sept 2013).

102. Hebda, T, Czar, P. Handbook of Informatics for Nurses and Healthcare Professionals. 4th ed.Upper Saddle River, NJ: Pearson/Prentice Hall; 2009, at 321.Google Scholar

103. See note 68, Donnelly 2014.

104. See note 95, Holtzman 2006, at 192.

105. McGraw Hill General and Human Biology Case Studies. Gene Banks versus Privacy Invasion; available at http://www.mhhe.com/biosci/genbio/casestudies/sellinggenes.mhtml (last accessed 2 May 2014).

106. Brief for the Association of Clinical Research Organizations as Amici Curiae Supporting Respondents, William H. Sorrell v. IMS Health, Inc., et al., 2011 WL 2647130 (2011) (No. 10-779), (2011).

107. See note 59, Gooch et al. 2013.

108. See note 105, McGraw Hill 2014.

109. Austin, MA, Harding, S, McElroy, C. Genebanks: A comparison of eight proposed international genetic databases. Community Genetics 2003;6(1):3745.Google ScholarPubMed

110. Gillham, WW. Genes, Chromosomes, and Disease: From Simple Traits, to Complex Traits, to Personalized Medicine. Upper Saddle River, NJ: Pearson Education, published as FT Press Science; 2011, at 18–19.Google Scholar

111. Amgen. Amgen to Acquire deCODE Genetics, a Global Leader in Human Genetics; available at www.amgen.com/media/media_pr_detail.jsp?releaseID=1765710 (last accessed 2 May 2014).

112. See note 109, Austin et al. 2003.

113. Annas, GJ. Rules for research on human genetic variation—lessons from Iceland. New England Journal of Medicine 2000;342(24):1830–3.CrossRefGoogle Scholar

114. Gulcher, JR, Stefánsson, K. The Icelandic Healthcare Database and informed consent. New England Journal of Medicine 2000;342(24):1827–9.CrossRefGoogle ScholarPubMed

115. See note 19, Kaplan forthcoming.

116. Evans, BJ. Much ado about data ownership. Harvard Journal of Law & Technology 2011;25(1):69130.Google Scholar

117. For example, GE Data Visualization uses information “based on 7.2 million patient records from GE’s proprietary database”; available at http://visualization.geblogs.com/visualization/network/ (last accessed 27 Sept 2013). GE Healthcare’s Healthcare IT Solutions—available at http://www3.gehealthcare.com/en/Products/Categories/Healthcare_IT?gclid=CIKQ4Z6P7LkCFcE7OgodTDIAPQ and http://www3.gehealthcare.com/en/Products/Categories/Healthcare_IT/Knowledge_Center (last accessed 27 Sept 2013)—includes patient records and patient portals.

118. Sittig DF, Singh H. Legal, ethical, and financial dilemmas in electronic health record adoption and use. Pediatrics 2011 Apr;127(4):e1042–7.

119. Moore J, Tholemeier R. Whose data is it anyway? The Health Care Blog; 2013 Nov 20; available at http://thehealthcareblog.com/blog/2013/11/20/whose-data-is-it-anyway-2/ (last accessed 3 Feb 2014).

120. Goodman, KW, Berner, E, Dente, MA, Kaplan, B, Koppel, R, Rucker, D, et al. Challenges in ethics, safety, best practices, and oversight regarding HIT vendors, their customers, and patients: A report of an AMIA special task force. JAMIA (Journal of the American Medical Informatics Association) 2011;18(1):7781.CrossRefGoogle ScholarPubMed

121. Hall, MA. Property, privacy, and the pursuit of interconnected electronic health records. Iowa Law Review 2010;95:631–63.Google Scholar

122. See note 57, Rodwin 2010.

123. See note 3, IOM 2009, at 77.

124. See note 58, Hall, Schulman 2009.

125. Atherley G. The public-private partnership between IMS Health and the Canada Pension Plan. Fraser Forum 2011:5–7.

126. Miller, RA, Schaffner, KF, Meisel, A. Ethical and legal issues related to the use of computer programs in clinical medicine. Annals of Internal Medicine 1985;102:529–36.CrossRefGoogle Scholar

127. Goodman, KW. Health information technology: Challenges in ethics, science and uncertainty. In: Himma, K, Tavani, H, eds. The Handbook of Information and Computer Ethics. Hoboken, NJ: Wiley; 2008:293309.CrossRefGoogle Scholar

128. See note 127, Goodman 2008.

129. Data mining case tests boundaries of medical privacy. CMAJ 2011;183(9):E509–10.

130. See note 44, McGraw 2013.

131. See note 17, Taylor 2011.

132. See note 57, Rodwin 2010, at 617–18.

133. See note 15, Solove 2006.

134. Goodman KW. Ethics, information technology, and public health: New challenges for the clinician-patient relationship. Journal of Law, Medicine and Ethics 2010 Spring:58–63.

135. Kaplan, B, Litewka, S. Ethical challenges of telemedicine and telehealth. Cambridge Quarterly of Healthcare Ethics 2008;17(4):401–16.CrossRefGoogle ScholarPubMed

136. See note 19, Kaplan forthcoming.

137. See note 134, Goodman 2010.

138. See note 135, Kaplan, Litewka 2008.

139. See note 19, Kaplan forthcoming.

140. Roland D. UK to get 200 high-tech factory jobs making “swallowable sensors.” The Telegraph 2014 Mar 10; available at http://www.telegraph.co.uk/finance/10687395/UK-to-get-200-high-tech-factory-jobs-making-swallowable-sensors.html (last accessed 17 July 2014).

141. See note 24, Koontz 2013.

142. See note 44, McGraw 2013.

143. See note 23, Beyleveld, Histed 2000.

144. See note 12, EU 2014.

145. Rodrigues, RJ, Wilson, P, Schanz, SJ. The Regulation of Privacy and Data Protection in the Use of Electronic Health Information: An International Perspective and Reference Source on Regulatory and Legal Issues Related to Person-Identifiable Health Databases. Washington, DC: World Health Organisation (WHO); 2001.Google Scholar