Last week, the best and brightest gathered at the Federal Trade Commission’s Roundtable on Consumer Privacy. As part of the meeting, there was a lively discussion about health information: how much control do consumers have over their health information and should there be government policy to support information privacy?
Let’s clarify a bit by way of example. When you visit your doctor and have your heart rate taken, that number is considered medical information and is protected by the Health Insurance Portability and Accountability Act (HIPAA). But if your heart rate is measured by an exercise tool which transmits the data to an online profile, should that information be considered less sensitive, with fewer restrictions on where and how the information is used? Currently, that information is not covered under HIPAA.
So how do we protect health information that falls outside of HIPAA? There are many new, nontraditional holders of health information online. In a Web 2.0 world, the roundtable participants questioned, should all health information be treated the same?
Many at the roundtable felt consumers should be given a choice, or at least be provided with the knowledge and resources necessary to understand the implications of posting medical information to the Web. There are risks as well as benefits.
Consumers with chronic conditions feel the use of health information and technology can be beneficial; they want their health information used in the hopes of finding the right treatment or cure for others. According to Executive Vice President and Chief Operating Officer of the National Health Council Marc Boutin, as many as 30 percent of the 133 million people in the United States with chronic conditions are OK with their information being shared online in order to help others.
On the negative side, however, there are no baseline rules for keeping medical information secure. This is where the discussion turned to policy and regulation. It’s usually left to individual companies to determine how they handle privacy. Consumers who put their health information on the Internet expect a measure of security in protecting their data, although they may not know how their personal information will be used. Many patients don’t read or understand the protections available or what they are actually agreeing to when releasing their information to the Web.
“Implementing basic protections,” said Deven McGraw, Director of the Health Privacy Project, Center for Democracy and Technology, “could achieve significant progress in providing information privacy and protection.”
Kimberly Gray, Chief Privacy Officer at Americas Regions, IMS Health, also pointed out that the general public should be informed on what identified versus de-identified information is and what it really means. Briefly, identified information refers not only to data that is explicitly linked to a particular individual; it also includes health information with data items which reasonably could be expected to allow individual identification. De-identified information, or information that does not identify an individual, allows for the free flow of information while not restricting research. Non-profits, research institutions, and the government, among others, could benefit most.
“De-identification is key,” said Gray. “Privacy advocates must be accountable and mitigate harm if needed.”
The United States has a long history of promoting privacy, and we have reached a critical point in health technology development. What world do we want to live in, and how can federal policy support or hinder that? The real challenge, it seems, is to strike the balance between privacy protection and collaboration and technology advancement.