Our system for protecting health data in the United States is fundamentally broken and we need a national effort to rethink how we safeguard this information, say three experts in data privacy.
In a perspective article in the New England Journal of Medicine, the experts call for an effort similar to what led to the Belmont Report in 1979, which laid the foundation for bioethics standards in the United States to protect human participants in research.
“Data scandals are occurring on a regular basis, with no end in sight,” said Efthimios Parasidis, a co-author of the article and a professor at the Ohio State University’s Moritz College of Law and College of Public Health.
“Data privacy laws for health information don’t go far enough to protect individuals. We must rethink the ethical principles underlying collection and use of health data to help frame amendments to the law.”
Parasidis wrote the article with Elizabeth Pike, Director of Privacy Policy in the Office of the Chief Information Officer at the U.S. Department of Health and Human Services; and Deven McGraw, chief regulatory office at Citizen, a company that helps people collect, organize and share their medical records digitally. Previously, McGraw was Deputy Director for Health Information Privacy at the Office of Civil Rights in the U.S. Department for Health and Human Services, and Acting Chief Privacy Officer at the Office of the National Coordinator for Health Information Technology.
Parasidis said a process analogous to the Belmont Report would be a good blueprint to follow today.
The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research produced the 1979 report, which resulted in Congress passing laws to protect people who participated in medical research.
“Indignities in human subjects research compelled the government to create a commission to propose ethical guidance for new laws. We are experiencing a rerun of what was happening then, with the scandals involving use of health data now rather than the use of human subjects,” Parasidis said. “We need an equivalent response.”
Currently, the Health Insurance Portability and Accountability Act (HIPAA) is the main law protecting the data of patients. But it doesn’t apply to many of the new companies and products that regularly store and handle customer health information, including social-media platforms, health and wellness apps, smartphones, credit card companies and other devices and companies.
“All of this data held by digital health companies raises a lot of ethical concerns about how it is being used,” Parasidis said.
For example, some life insurers are offering contracts that have policyholders wear products that continuously monitor their health, and the information can be used to increase a customer’s premiums.
Most regulations require only that consumers be notified about how their information is used and give their consent.
“That system doesn’t work. Very few people read the notice and most people just click agree without knowing what they’re agreeing to,” he said.
So how can health data privacy be fixed?
One idea would be to establish data ethics review boards, which would review projects in which health data are collected, analyzed, shared or sold, according to the authors of the NEJM article.
Parasidis said such boards could function as safeguards required in both public and private settings, from university medical centers to private life insurance companies.
These boards could consider the benefits and risks of the proposed data use and consider policies governing data access, privacy and security. Members could include project developers, data analysts and ethicists, as well as people whose data would be collected.
“Right now, everything is about compliance. Companies and institutions check the boxes, fill out the forms and don’t really think about whether they’re doing the right thing,” Parasidis said.
“Deliberations about use of health data should take the ethical obligations to individuals and society into account. The law should mandate that this occurs.”