Thursday, April 8, 2010
The Privacy of a Learning System
Somehow the goals have evolved to include a Learning System, defined by ONC as “a system that is designed to generate and apply the best evidence for the collaborative health care choices of each patient and provider; to drive the process of new discovery as a natural outgrowth of patient care; and to ensure innovation, quality, safety, and value in health care.”
While the original goals could be achieved by the creation of a patient-centric longitudinal medical record available, or transportable, to all care agencies, including patients and families, at the point of care, the new Learning System shifts the emphasis to a data-centric system where medical records are available in aggregate for Learning purposes, the results of which will be shared with patients and caregivers in a meaningful way. The Learning System derives value as an “outgrowth” of patient care and funnels it back into patient care in the form of evidence-based, cost-effective care. This is a far cry from the humble proposition to make a comprehensive record available to all providers by facilitating interoperability between providers of care. This is a major shift in paradigm.
The Learning System, by definition, requires large data repositories aggregating millions of records and trillions of discrete data elements, residing in dozens of data centers. The repositories could be governed by States, regional health organizations, the Federal Government or technology vendors. This sort of construct brings up three major concerns: Technical Feasibility, Security and Privacy. Technical Feasibility is by no means guaranteed or even simple to ensure, but the concept is, well, technical. Bytes, bits, metals, plastics, composites and sets of standards and protocols are pretty straightforward to negotiate. Security, the hound dog protecting Privacy, is also very technical and unambiguous.
But what is Privacy? What is it we are trying to protect?
The right to privacy is a fairly recent legal notion. The landmark definition of privacy as the “right to be let alone” originated in a Harvard Law Review article by Warren and Brandeis in 1890. Interestingly enough, the eventual inclusion of privacy considerations in common law was spurred by technology advances (photographic cameras in this case). While there are several tort categories of Privacy, the one most pertinent to our discussion would be the Intrusion category (Intrusion: a physical, electronic or mechanical intrusion into someone's private space. This is an information-gathering tort, not a publication tort; the legal wrong occurs at the time of the intrusion, and no publication is necessary). Public Disclosure may be pertinent too, if it follows Intrusion.
When it comes to medical information, Privacy has a very different origin. Physicians would easily recognize the following sentence as part of the Hippocratic oath: “Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.” Guarding the privacy of patients is an ethical obligation for a doctor.
While most states have licensure requirements and some have statutes or case law indicating a fiduciary responsibility of physicians (and hospitals) to hold medical information private, there is no explicit Federal law to that effect, although Justice Brennan, addressing computerized data, warned over 30 years ago, in Whalen v. Roe, that the day may come when we will have “the necessity of some curb on such technology”.
More recently, The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, published by the ONC on December 15, 2008 and adopted by the current ONC Health IT Strategic Framework published on April 1, 2010, sets out very thoughtful principles guiding Privacy and Security solutions. Just like HIPAA, these frameworks are concerned with “Individually Identifiable” information, and just like HIPAA they leave it unclear who can obtain this information and for what specific purpose it can be obtained.
Moreover, the definition of Individually Identifiable Information is not clear cut. A few decades ago, information was considered no longer Individually Identifiable upon removal of such demographics as name, address, phone number, SSN and similar family members’ information. Today, this may not be nearly enough. As shown by Dr. Latanya Sweeney over a decade ago, simple database algorithms and joining of de-identified data from various sources can produce Individually Identifiable Information.
One is therefore forced to inquire whether the protections proposed by HIPAA and both ONC Frameworks pertain only to clinical data that includes individual identifiers, or more inclusively, to data that lends itself to re-identification using advanced algorithms and additional data sets, either publicly available or obtained from other clinical or non-clinical sources.
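To make the re-identification point concrete, here is an added example (not from the original post) in the spirit of the Sweeney-style linkage described above: a constructed clinical extract with names already stripped is joined with a constructed public registry on ZIP code, date of birth and sex, and the same check is repeated after generalizing those fields, showing how the join stops resolving once every demographic group has at least two members. The column names and all sample rows are assumptions.

```python
# Added example: measure re-identification risk of a "de-identified" clinical
# extract by joining it with a constructed public registry on quasi-identifiers.
from collections import Counter, defaultdict

QUASI_IDS = ("zip", "dob", "sex")  # assumed column names

# Constructed clinical extract: name/SSN already stripped, demographics kept.
CLINICAL = [
    {"zip": "02138", "dob": "1965-07-21", "sex": "F", "dx": "hypertension"},
    {"zip": "02138", "dob": "1965-07-21", "sex": "M", "dx": "asthma"},
    {"zip": "02139", "dob": "1965-11-30", "sex": "F", "dx": "diabetes"},
    {"zip": "02139", "dob": "1965-11-30", "sex": "F", "dx": "migraine"},
    {"zip": "02139", "dob": "1965-02-14", "sex": "M", "dx": "bronchitis"},
]

# Constructed public registry (think voter roll) carrying names beside the
# same demographics.
PUBLIC = [
    {"name": "Alice Example", "zip": "02138", "dob": "1965-07-21", "sex": "F"},
    {"name": "Bob Example", "zip": "02138", "dob": "1965-07-21", "sex": "M"},
    {"name": "Carol Example", "zip": "02139", "dob": "1965-11-30", "sex": "F"},
    {"name": "Dana Example", "zip": "02139", "dob": "1965-11-30", "sex": "F"},
    {"name": "Evan Example", "zip": "02139", "dob": "1965-02-14", "sex": "M"},
]

def key(row, quasi_ids=QUASI_IDS):
    return tuple(row[q] for q in quasi_ids)

def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """Size of the smallest group sharing the same quasi-identifier values;
    k == 1 means some record is unique on demographics alone."""
    return min(Counter(key(r, quasi_ids) for r in rows).values())

def link(clinical, public, quasi_ids=QUASI_IDS):
    """Join on quasi-identifiers; return {name: dx} only where exactly one
    person and one record share the key (an unambiguous re-identification)."""
    names = defaultdict(list)
    for p in public:
        names[key(p, quasi_ids)].append(p["name"])
    dxs = defaultdict(list)
    for c in clinical:
        dxs[key(c, quasi_ids)].append(c["dx"])
    return {names[k][0]: v[0] for k, v in dxs.items()
            if len(v) == 1 and len(names.get(k, ())) == 1}

def generalize(rows):
    """Coarsen ZIP to its 3-digit prefix and date of birth to year, so each
    demographic group is larger and the join above becomes ambiguous."""
    return [{**r, "zip": r["zip"][:3], "dob": r["dob"][:4]} for r in rows]
```

On the raw extract `k_anonymity` is 1 and three of the five diagnoses attach to a named person; after `generalize` k rises to 2 and the join yields nothing, which is the kind of check a data steward should run before calling an extract de-identified.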
In an environment where personal information is collected, bought and sold at street corners (by government too), and security breaches are common, we may need to step back and evaluate the implications for Privacy rights in a Learning Environment.
A Health Care Learning System is a beautiful, visionary idea, which in due course will save lives and vanquish disease. However, a Learning Environment needs data in order to exist, and a responsible Learning Environment needs to manage its data responsibly, with an enforceable legal and fiduciary responsibility to the rightful owners of such data and their “right to be let alone”.
Either Congress steps in and enacts adequate privacy laws for this information age, or we wait until significant and irreversible damage is done and the inevitable case winds up in front of the Supreme Court, where I suspect serious “curbing” of technology will occur.