Privacy Improbable

March 22, 2024

April 2024

So many people have never had so much access to patient data. Has patient privacy become an unrealistic concept?

Jill Sederstrom

Jill Sederstrom is a journalist based in Kansas City.

For decades, health systems across the country have been devoting significant resources to make the shift to electronic health records (EHRs). Patient data are now at our fingertips at a moment’s notice, improving interoperability among providers and making it easier than ever to transfer data to pharmacies, laboratories, billing departments, and insurance companies.

The growth in digitized data has also paved the path for new research advancements, allowing for a greater understanding of population health and examination of real-world treatment implications.

But what have these advancements cost in terms of patient privacy?

As Harlan Krumholz, MD, SM, asserted in The British Medical Journal (BMJ), patient privacy in today’s digital age is an illusion.[1] While patients could once be confident that any information they provided to a doctor would be kept strictly confidential, that trust has been eroded as more entities and third parties are gaining access to patient data for a multitude of reasons. The data are often even sold to other companies.

“The moment it’s documented, it’s no longer under control of you or the person you’ve just disclosed it to, and I think that’s a threat to health care,” Dr. Krumholz, a professor at the Institute for Social and Policy Studies of Investigative Medicine and of Public Health and professor of medicine at Yale School of Medicine, told ASH Clinical News.

Technology advancements over the last two decades have transformed our world and the medical field, but federal law has failed to keep up, creating a series of troubling patient privacy concerns.

ASH Clinical News spoke with experts about these concerns, the benefits of electronic health data, and what is being done to minimize the risk to patients and improve privacy in an ever-evolving world.

Who Owns Patient Health Data?

The answer to who owns patient health data is murky at best because each state has its own laws, and many have yet to decide who owns medical records. According to Forbes, the only state that has explicitly given patients ownership of their own data is New Hampshire.[2]

Harry Nelson, JD, the founder and managing partner of the health care specialty law firm Nelson Hardiman, LLP, explained to ASH Clinical News that in a technical sense, each patient owns their personal data.

“That’s great technically, but the practical answer is that every time you as a patient allow your data to be recorded by the doctor or by this laboratory or pharmacy … that organization or health care provider now has custody of your data,” he said.

Under federal law, patients themselves grant permission for a health care provider to have access to their data through the paperwork typically signed when a patient receives medical care. This paperwork includes specific provisions related to data sharing and acknowledges that the patient is granting permission for the data to be shared, but a patient may not always be aware of who will see those data and all the ways they are ultimately used.

What About HIPAA?

The primary federal law in place to govern patient privacy is the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

According to the Centers for Disease Control and Prevention, the act is “a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”[3]

HIPAA requires health care providers and other institutions to consider who has access to the data and put safeguards and systems in place to protect against data breaches.

“What HIPAA did really well was create a framework for thinking about … what does it look like to create an infrastructure inside an organization to protect privacy?” Mr. Nelson said, adding that HIPAA also deals with “setting rules, and having designated leadership to police, train the workforce, [and] enforce rules.”

It’s been nearly 30 years since the act was created, though, and in that time, the world has completely transformed.

“There’s been a revolution of data availability, data usage, and the way we think about our privacy since 1996 when HIPAA’s contract was set until today,” Mr. Nelson said. “We’re kind of living in yesteryear under HIPAA. [The law] was [created] long before we had smartphones and geolocation and the wealth of ways that you get tracked.”

For example, HIPAA does not give consumers the right to have institutions remove their data, and it does not contain any provisions that require an organization to destroy data after a given period of time. So once a laboratory, urgent care clinic, or insurer has your data, it is under no obligation to get rid of it.

The European framework on patient privacy and security, known as the General Data Protection Regulation (GDPR), went into effect in May 2018 and takes some of those factors into consideration.[4] For instance, Mr. Nelson said that GDPR gives patients the right to have their data removed from a system, essentially the “right to be forgotten.”

In his BMJ paper, Dr. Krumholz also pointed out that HIPAA provisions are “permissive” when it comes to those organizations that play a role in a patient’s treatment.[1]

“The regulation allows anyone involved in a patient’s care to access health information about them,” he wrote. “It is based on the paternalistic assumption that for any health care provider or related associate to be able to provide care for a patient, unfettered access to all of that individual’s health records is required, regardless of the patient’s preference.”

The Role of EHRs in Transforming Clinical Care and Research

There’s no question that the advent of EHRs has greatly benefited both clinical care and the research community.

“In general, there is way more light than there are shadows,” said Christopher Sauer, MD, MPH, PhD, a clinical scientist in the Department of Hematology and Stem Cell Transplantation at University Hospital Essen in Germany.

Dr. Sauer and his colleagues researched the advantages of leveraging EHRs for data science in The Lancet.[5] He told ASH Clinical News that having access to EHR data improves patient safety, cuts down on the time physicians must spend gathering information, and allows for a more comprehensive look at a patient’s history.

“In general, the question is, what is the alternative? If you think back, everything was on paper, which tended to be a huge mess,” Dr. Sauer said. “You’d have patients come into your emergency room, and you wouldn’t know basic things like whether or not they had allergies.”

Eric Poon, MD, MPH, who serves as the chief health information officer for Duke Health, says there have been tremendous benefits to having electronic patient data, particularly in the hematology/oncology space where patients are often transferred from outside health systems.

“Clinical care is an information-intensive endeavor, and having the right information — be it information coming from patients, patient-reported outcomes for surveys, observations from other clinicians within the health system, or labs, radiology, and other testing that’s done on the patient — is part and parcel of why we have EHRs in the first place,” he said.

There are also significant benefits to clinical research. Digital records can be easily accessed, analyzed, and used to assess study feasibility, conduct comparative effectiveness studies, streamline data collection, or perform observational studies.[6]

“A large portion of its benefit is efficiency,” said Charles S. Abrams, MD, the vice chair for research and chief scientific officer in the Department of Medicine at the University of Pennsylvania. “You can use data that are already captured, and with that, reduce administrative cost [and] effort.”

According to Dr. Abrams, who is a senior medical advisor and chair of the Sickle Cell Disease Research Network for the ASH Research Collaborative (ASH RC), digital data also allow researchers to minimize the selection bias that often exists in randomized controlled trials.

“EHRs are more representative of the total target population and less subject to inclusion bias,” he said, adding that the data also allow researchers to take a more holistic look at the population over time.

William A. Wood, MD, MPH, a senior medical advisor for the ASH RC and professor of medicine in the Division of Hematology at the University of North Carolina at Chapel Hill, said real-world data are useful to understand emerging treatment options for patients with hematologic diseases.

“For example, CAR T-cell therapy is an innovative approach for certain populations of patients with leukemia, lymphoma, and myeloma, and we’re increasingly seeing real-world consortia that are evaluating how these products perform outside the context of a clinical trial,” he said.

To capitalize on the tremendous potential of EHR data, ASH created the ASH RC, which has developed the ASH RC Data Hub for sickle cell disease and multiple myeloma.

“We’re using this to understand age distribution, comorbidities, and other characteristics of people who have these different conditions, how these vary across centers, and where there are gaps in care,” Dr. Wood said of the emerging work.

The introduction of artificial intelligence (AI) also could have powerful research impacts. For example, digital records could be used to train AI to generate a “digital twin” for use as a synthetic arm in a clinical trial.[7] AI could also be used to mine unstructured data in EHRs to gather valuable information that is often buried in patient notes or reports.

“We are increasingly recognizing that for subspecialty areas like hematology, a lot of the really important value comes from unstructured data,” Dr. Wood said.

The Drawbacks of EHRs

Some experts caution that the use of EHRs and other forms of digital data is eroding patient privacy to a dangerous degree, despite the many advantages that digital data offer.

“Could good things come of all the data out there? For sure. But if it’s at the cost of diminishing people’s trust, if it’s at the cost of going around people’s autonomy, and if it’s something that people wouldn’t choose to do if they knew about it, then I think we have a problem,” Dr. Krumholz said.

For instance, Dr. Krumholz said many patients don’t realize that if they stop at a COVID testing center on a street corner in New York City, the company can now represent itself as one of their health care providers and gain full access to their data because of the “loophole” that exists in HIPAA. Health systems often transmit patient data to affiliates, other health care systems, and vendors as part of business agreements.

“As a result, companies make massive profits from the sale of data,” he wrote in the BMJ.[1] “Some companies claim to be able to provide comprehensive health information on more than 300 million Americans — most of the American public — for a price.”

Under these business agreements, data are often deidentified in an attempt to protect patient privacy, but Dr. Krumholz and others aren’t confident that deidentification offers any true protection.

“It’s probable that most people can be identified even though the data have been scrubbed of names and other identifiers. There’s plenty about you that’s very specific,” Dr. Krumholz explained. “So deidentification is increasingly not going to be a safe harbor, because we are in a position where it’s very hard to truly make it deidentified.”

Dr. Poon acknowledged that health systems get requests for their data all the time.

“It’s not unusual for outside parties to come to us and say, ‘Hey, we want an extract of all your data, we’ll deidentify them in a HIPAA-compliant way, and then we will … comingle those data with other sites and create a large depository that would enable research, discovery, and collaboration in pharma.’ That is going on today,” he said.

As a result, Duke Health is very conservative about who it shares data with and has concluded that full deidentification, as required under HIPAA by removing 18 key identifiers, “is a myth.”

“That is a philosophical posture that we have taken, and as a result, we are very careful about letting our data [leave] our control,” Dr. Poon said.

Providers also run the risk that the data could fall into the wrong hands. In 2015, a large data breach at the insurance company Anthem exposed approximately 78.8 million people (about twice the population of California) after a group of Chinese hackers gained access to patient data.[7]

Strategies to Protect Patient Privacy

One thing almost everyone can agree on is that digital data are here to stay, and with the advent of AI and other tools, their influence is only expected to grow in the years ahead. So, what can be done to protect patient privacy?

Mr. Nelson believes HIPAA is “long overdue for an overhaul” to better reflect the climate in 2024, but changing the federal law would require navigating a heated political climate and could take years to achieve.

At a minimum, Dr. Krumholz believes there needs to be an open, national discussion about what we are comfortable with as a society.

“If Congress wants to pass the law that no one in the U.S. owns their data and all of those data can be used for whatever purpose, then fine, pass that law,” he said. “Say it out loud, but let’s have a political discussion about it … Instead, it’s being done quietly.”

He’d like to see a system where a patient can provide tiered permissions and has a greater level of control over who can see what data.

“You should have control over what’s being disclosed,” Dr. Krumholz said.

Outside of political change, Dr. Poon said Duke Health has strategies in place specifically designed to protect patient privacy. The health system does participate in research collaboratives where data from patient cohorts are comingled with other academic partners to further research, but they are “very careful” to make sure it’s clear “how the data are going to be used [and] who will have access to them” before they agree to participate.

“We never just give people unfettered access,” he said.

The health system is careful to analyze any contracts with vendors or third parties up front, and they “put a lot of protections in the contract.”

“People don’t always have the same level of concerns about patient privacies, and we worry a lot about what happens to data once they go beyond our control. Contractual arrangements do help, but limiting the scope of data that people have access to also helps a lot,” Dr. Poon said.

The health system has found a unique way to collaborate with pharma by partnering with third parties to create a “data enclave” for patient data. The data are deidentified in a more thorough way that goes beyond removing the standard 18 identifiers required by HIPAA.

“The most important thing is even with that deidentified data, we make sure they stay in the enclave,” Dr. Poon said. “If pharma or external parties want to use the data, that’s great. They can come into this enclave and do what we agreed to ahead of time. The insights can leave, the knowledge can leave, but the data don’t.”

Patients can also be their own advocate by reading the legal disclosures provided by any entity they plan to provide health data to because they may be able to opt out of having their data shared.

Digitized health data are here to stay, but as the medical industry enters a new era, there are still many discussions yet to be had about how to protect patient privacy in this ever-evolving landscape.

References

  1. Krumholz HM. In the US, patient data privacy is an illusion. BMJ. 2023;381:1225.
  2. Sharma R. Who really owns your health data? April 23, 2018. Accessed January 25, 2024. https://www.forbes.com/sites/forbestechcouncil/2018/04/23/who-really-owns-your-health-data/?sh=7c36be566d62.
  3. Centers for Disease Control and Prevention. Health Insurance Portability and Accountability Act of 1996. Accessed January 25, 2024. https://www.cdc.gov/phlp/publications/topic/hipaa.html.
  4. International Trade Administration. European Union – Data Privacy and Protection. Accessed January 25, 2024. https://www.trade.gov/european-union-data-privacy-and-protection#:~:text=The%20EU%20General%20Data%20Protection,to%20companies%20of%20all%20sizes.
  5. Sauer CM, Chen LC, Hyland SL, et al. Leveraging electronic health records for data science: common pitfalls and how to avoid them. Lancet Digit Health. 2022;4(12):e893-e898.
  6. Cowie MR, Blomster JI, Curtis LH, et al. Electronic health records to facilitate clinical research. Clin Res Cardiol. 2017;106(1):1-9.
  7. National Academies of Sciences, Engineering, and Medicine. Opportunities and challenges for digital twins in biomedical research: proceedings of a workshop — in brief. Washington, D.C.: National Academies Press; 2023.
  8. Nelson H, Hausman Y. The “P” is not for privacy: unpacking common misconceptions about HIPAA. Nelson Hardiman Healthcare Lawyers. June 20, 2023. Accessed January 25, 2024. https://www.nelsonhardiman.com/the-p-is-not-for-privacy-unpacking-common-misconceptions-about-hipaa/.

 

 
