June 30, 2009
These fillips focus on eprivacy. Most people may consider this subject a big joke as personal data rights are either denied or trampled upon.
Forever the optimist, I comfort myself with the fact that the subject refuses to die away. For those who intend to profit from privacy violation, there is even a worrisome trend. Given a chance, legislators tend to tighten legal requirements. So, given enough time, our data rights might come to enjoy some serious recognition.
Take for example the so-called stimulus bill which was signed into law last February (1). Tucked among hundred of pages, Correy E. Stephenson notices new measures to better protect health-related confidential data (*). Starting with the original HIPAA law (1), the US Congress has deemed politic to balance each mandate to the healthcare industry for more electronic processing with new measures in favor of eprivacy.
There is no doubt about the stakes. As Walecia Konrad reports (**), medical ID theft can damage more than one's credit and one's purse. Whenever the thief receives medical attention under another name, the resulting diagnosis and prescriptions may well corrupt the victim's health record, with life threatening consequences. "In an emergency, doctors could treat you based on this erroneous information."
Since eprivacy receives better credence online when one's health is on the line, why not use a visit to the doctor as a way to illustrate some of the important points raised in past fillips?
Privacy enforcement is commonly restricted to what HIPAA calls "individually identifiable health information". If I cannot be linked personally to a data record, why should I want it be kept confidential? Eprivacy is not some ultimate good which deserves unlimited support. If one's interests are not put at risk, either from the potential for exposure or the loss of negotiating power, society should not deprive itself of the benefits of sharing.
Let us say you obtained some 2009 data from Methodist University Hospital relative to a 54-year-old white male with a history of cancer and a current prescription of tacrolimus (2). Isn't this information perfectly anonymous? Taken in isolation, this is indeed the case. Tacrolimus however is an immunosuppressant used for organ transplantation, of which the Memphis hospital mentioned at most performs a few hundreds a year. From this limited population, the five additional clues may well narrow the field enough to identify the subject of Joseph Menn's recent article (***) (3).
As I wrote earlier, "given the scale at which it is aggregated, all consumer data must be considered identifiable", even when carefully "de-identified".
With this in mind, each patient-physician encounter is typical of what I call a bundled transaction. Both parties may want to focus on the real reason for the visit. Yet, explicitly or not, this exchange of care for money provided under the Hippocratic oath is supplemented by an exchange of data whose terms and conditions can be as complex as the medical case.
Knowing how harried for time the physician can be and how anxious about his or her health the patient can be, do we believe this data transaction receives the attention it merits? It is dealt offhandedly with what can only be called a coerced signing by the patient of all kinds of consent forms.
The HIPAA Privacy rule and its subsequent enhancements (1) try to limit the damage. Key in this regard is a requirement to handle data with "the minimum necessary to accomplish the intended purpose". Elevating this concept into a principle of commercial law, I have indeed advocated that all data obtained as part of a transaction remain confidential beyond what is necessary to implement this transaction. Anything else should be unbundled into a separate data transaction.
Despite the good intentions of the legislator, this unbundling ideal is still out of reach. One obstacle is the sheer number of third parties legitimately involved, starting with insurance companies. As in the case of personal identifiable information, all the minima necessary to satisfy this tangled web of "business associates" soon add up beyond measure. Another issue is the fact that the physician ought to have data rights as well as the patient.
We have already explained how physician prescription patterns are left unprotected and commented on the efforts by the state of New Hampshire to stop their free exploitation. Coincidentally the latter approach has just received the implicit blessing of the US Supreme Court, as documented by Thomas O'Toole (****). But third parties are not the only ones to prey on physician data rights. The patient is also inclined to bundle with a visit to the doctor the right to post his or her own point of view. Pity the poor physician who faces Internet-borne calumnies. Peter Vieth tells us how Medical Justice advises physicians to solve the problem (*****). Get the patient to sign a "mutual privacy agreement".
My intent today is neither to criticize existing solutions nor to suggest new ones, only to underline the complexity of what I call the data transaction. But another point is worth stressing in conjunction with online physician rating. Take away posturing and all parties will agree, at least in private. While mutual respect, and hence confidentiality, must attend each physician patient encounter, there is also a need for a sound recommendation mechanism, another major theme of these fillips (4).
For Angie Hicks, founder of Angie's List, quoted by Peter Vieth, "consumers are looking for a trusted filter to help them make decisions". Jeffrey Segal, founder of Medical Justice, told Michael E. Carbine (******) "[he] is not opposed to physician ratings on public web sites". The issue of course is how difficult it is to build and operate a recommendation system which respects the data rights of the parties concerned, presents unbiased information and follows a sustainable business model.
For my more entrepreneurial readers, here is indeed an illustrative challenge. Why not an online patient rating site which physicians could trust to filter out patients reputed to be non compliant, litigious or prone to switch doctors every other day, if not actually shopping for prescription drugs?
Personal profiles cannot remain de-identified for long. Bundling coerces the parties to an ordinary transaction to consent to unilateral terms for the underlying data exchange. Effective recommendation systems are a sensitive requirement. Doctor, isn't eprivacy a serious condition?
Philippe Coueignoux
- (*) ........... HIPAA changes included in stimulus law, by Correy E. Stephenson (Massachusetts Medical Law Report) - Summer 2009
- (**) ......... A New Ailment: Medical ID Theft, by Walecia Konrad (New York Times) - June 13 , 2009
- (***) ....... Job's vision is not the only factor keeping Apple ripe, by Joseph Menn (Financial Times) - June 26, 2009
- (****) ..... Supreme Court Declines to Review IMS Health, Cable News Network Cases, by Thomas O'Toole (E-Commerce and Tech Law) - June 29, 2009
- (*****) ... Doctors try to stop patients from rating them online, by Peter Vieth (Massachusetts Medical Law Report) - Summer 2009
- (******) . Physicians Use Copyright Infringement Threat to Block Patient Ratings on the Web, by Michael E. Carbine (Inside Consumer Directed Care)
................... - March 30, 2009
- (1) for details, check out the links listed in Handling of Medical Records from our lectures on Liabilities and Vulnerabilities in the Information Age.
- (2) this example has been fabricated from a mix of publicly available information and pure speculation.
..... I have not been in contact with Methodist University Hospital nor any of its employees.
- (3) see the public announcement by Methodist University Hospital
- (4) see "recommendation mechanisms" in the list of major themes in Philippe's fillips
|