Better consumer education about the privacy of health data and research on sharing policies could help protect patient information.
Few kinds of personal data are as sensitive as healthcare information. For people who visit a doctor’s office and use insurance, a principal way such data is shared is through the “consent” process, when patients agree to let their insurance carriers share data with third parties.
Many patients automatically grant sharing consent. But few have a good idea of how that data is protected once it leaves a healthcare company’s offices. Researchers and marketing companies pay millions for healthcare data annually.
Although certain protections are in place, including rules that require anonymization, or deidentification, of shared data, many experts say that the consent process needs to be more transparent so that consumers can have more confidence in it.
Hard figures are scant on how much personal data may be exposed by the growing number of online organizations that pay for healthcare data. But the more this information is sold around the Internet, the greater the chances are that it will become unprotected, said Deborah Peel, founder of the nonprofit Patient Privacy Rights, speaking on a panel at a recent Washington data privacy conference sponsored by the Federal Trade Commission.
Peel pointed to a study last year by the U.S. Government Accountability Office that found that about 2 million people avoided seeking mental healthcare, mainly due to concerns including reputation, future job prospects, and difficulties in qualifying for insurance.
One way to improve consumers' control over, and confidence in, the consent process would be for carriers to provide more data protection options, panelists said. To accomplish this, data should be stratified in some form according to its sensitivity.
Improved insight into how data is shared by third parties could also help. Studies should be conducted that show how different kinds of healthcare and pharmaceutical data are shared and grouped together as they are sold to third parties, according to a few panelists.
Language should be simplified and standardized, said Stanley Crosley, co-director at Indiana University’s Center for Strategic Health Information Provisioning. Patients’ rights should be better explained.
Consumers do have the right to append restrictions to consent forms if there is certain data that they do not want shared, said Marc Boutin, executive vice president and chief operating officer of the National Health Council, which represents people with chronic diseases. But almost no consumers take advantage of this option, he said. They likely do not know that right exists, suggesting the need for more consumer education or a clearer statement of the right on forms.
At least a few panelists said stronger laws could be enacted regionally or nationally. An example of stronger rules surrounding consent is the Personal Health Information Protection Act, which was enacted by Ontario, Canada, several years ago, said one panelist. Among other controls, it allows consumers to withdraw data sharing consent at any point after it has been collected.
Some experts say the process of deidentification, which is required under the Health Insurance Portability and Accountability Act (HIPAA) for all data sharing, generally provides sufficient protection. HIPAA requires that all personally identifiable information either be removed entirely or be removed so that it is “very unlikely” that a patient could be identified from the remaining data that will be shared.
But some panelists pointed to uncertainties surrounding the deidentification process. Some recent studies, conducted primarily by computer scientists, have shown how deidentified data could be reidentified, sometimes by combining it with publicly available data, such as data found online.
At IMS Health, all stored data is deidentified, said Kimberly Gray, chief privacy officer for IMS’s America region. But she said additional controls, including policies, education, and training, also help safeguard medical data.
Some companies may be cutting corners in areas such as deidentification and data sharing, some panelists said. Greater company accountability combined with stronger regulatory enforcement could help bolster patients’ trust in the process, they said.