- Cyberattacks and other types of data breaches have exposed the vulnerability of databases, including those holding sensitive personal health information, to misuse (Powell).
- Laws and regulations have been developed to protect the privacy of personal health information, yet may have unintended consequences for medical research (Powell).
- Patients are often willing to share their data for research purposes, but they want some privacy protections and the ability to give consent (Powell).
NOTE: These points were made by the individual speaker identified above; they are not intended to reflect a consensus among session participants.
In 1854, John Snow used geographical grids to chart deaths from the cholera epidemic that was ravaging London. The map showed that cases clustered around a water pump on Broad Street, identifying the pump as the source of the epidemic. By combining individual health information with a map, Snow quietly began a revolution in public health, by creating exceptionally powerful data that revealed new patterns and risk factors, said Tia Powell, director of the Montefiore Einstein Center for Bioethics at the Albert Einstein College of Medicine.
Fast forward to 2015, where massive amounts of personal data are stored in databases all over the world, and a single data breach at the Office of Personnel Management led to the theft of personal information from some 21.5 million federal government employees and applicants for federal jobs, as well as some of their spouses and friends, who had been subjected to background checks. The data included names, Social Security numbers, addresses, and financial and health history (Davis, 2015). This cyberattack and others like it highlight a growing problem, said Powell: How can we devise policies to facilitate the harvest of knowledge from big data while protecting individual privacy and respecting individual preferences?
Big data, including medical data, can be used in what some consider ethically troubling ways, noted several participants. For example, Powell said that FICO, the company that created the FICO score as a measure of consumer credit risk, has developed a medication adherence score based on publicly available data, and is free to sell that information to insurance companies or anyone else who has an interest in patient compliance with doctor recommendations (Parker-Pope, 2011). Mining big data is also widely used by retailers to enable targeted marketing. Although the public may object to some of these uses of personal data and clamor for more privacy protection, Powell cautioned that regulation is a blunt instrument and that legitimate uses of data, such as for medical research, may be inadvertently swept up in regulations intended to protect privacy.
The sources of data relevant to medical research are diverse and broad, as outlined in Chapter 2. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed to protect the privacy of personal health information by removing 18 specific items from health records. But the anonymization of data proved more complicated than originally thought. Powell recalled the work of Latanya Sweeney, then a graduate student at the Massachusetts Institute of Technology, who in 1996 cross-referenced “de-identified” data from Massachusetts state employees that had been released by the Group Insurance Commission, and reidentified many of the individuals using publicly available voter rolls, which included name, address, zip code, birth date, and gender of every voter. She then presented William Weld, the Massachusetts governor at the time, with his personal health records (Ohm, 2010). This incident led to changes in the HIPAA Privacy Rules; for example, HIPAA now precludes the use of name, date of birth, full zip code, and address. A recent study suggests that reidentification is now more difficult, but that some data sources are still vulnerable (Benitez and Malin, 2010). According to a recent IOM report, “de-identification and data security alone may not provide adequate protection; additional privacy and security techniques are being developed for these cases” (IOM, 2015, p. 13).
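An added example, not part of the workshop summary: before releasing a "de-identified" data set, a data custodian can gauge the linkage risk described above by counting how many records are unique on zip code, birth date, and gender, and how that changes when those fields are coarsened. The records, field names, and coarsening levels below are constructed for illustration.

```python
from collections import Counter

# Constructed sample release (not real data): names removed, but the
# quasi-identifiers named in the text are still present at full precision.
RECORDS = [
    {"zip": "02138", "birth_date": "1961-03-14", "gender": "F", "dx": "A"},
    {"zip": "02139", "birth_date": "1961-08-02", "gender": "F", "dx": "B"},
    {"zip": "02138", "birth_date": "1974-11-30", "gender": "M", "dx": "C"},
    {"zip": "02141", "birth_date": "1974-01-09", "gender": "M", "dx": "A"},
    {"zip": "02138", "birth_date": "1961-03-14", "gender": "F", "dx": "D"},
    {"zip": "02474", "birth_date": "1988-05-21", "gender": "F", "dx": "B"},
    {"zip": "02476", "birth_date": "1988-12-03", "gender": "F", "dx": "C"},
    {"zip": "02140", "birth_date": "1974-06-17", "gender": "M", "dx": "D"},
]

# Number of leading characters of an ISO date kept at each precision.
DOB_CUT = {"day": 10, "month": 7, "year": 4}


def quasi_id(rec, zip_digits=5, dob_precision="day"):
    """Return the (zip, birth date, gender) key after optional coarsening."""
    return (
        rec["zip"][:zip_digits],
        rec["birth_date"][:DOB_CUT[dob_precision]],
        rec["gender"],
    )


def risk_report(records, zip_digits=5, dob_precision="day"):
    """Summarize how distinguishable records are on their quasi-identifiers.

    k is the size of the smallest group sharing one key (k-anonymity);
    a record in a group of size 1 matches exactly one row in any outside
    list that carries the same three fields.
    """
    groups = Counter(quasi_id(r, zip_digits, dob_precision) for r in records)
    return {
        "k": min(groups.values()),
        "unique_records": sum(1 for n in groups.values() if n == 1),
        "classes": len(groups),
    }


if __name__ == "__main__":
    print("full precision :", risk_report(RECORDS))
    print("zip3 + year    :", risk_report(RECORDS, zip_digits=3, dob_precision="year"))
```

On this sample, six of the eight records are unique at full precision, while truncating the zip code to three digits and the birth date to the year leaves none unique.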
When HIPAA was updated in 2009 with passage of the HITECH Act,¹ provisions were incorporated that were intended to strengthen privacy protection by establishing civil and criminal enforcement rules regarding the electronic transmission of health information. A recent study of reported data breaches affecting 500 individuals or more between 2010 and 2013 identified 949 breaches affecting 29.1 million records (Liu et al., 2015). Breaches frequently involved laptop computers and portable electronic devices, and most resulted from criminal activity. The authors of this study concluded that because it only included reported breaches, it “likely underestimated the true number of health care data breaches,” and predicted that these numbers are likely to increase with the rapid expansion of DHR use.
According to Powell, participant preferences for data use vary by region and nation. Many people are willing to share data for medical research, but they want to be asked, give consent, and have some privacy protection (Kim et al., 2015). Willingness to give consent also varies by who holds the data (hospital, corporation, government) and its planned use, for example, to cure or diagnose a disease or for marketing or government surveillance purposes.
In 1995, the European Commission established the Data Protection Directive (95/46/EC) as an effort to regulate the processing (which should be transparent, for legitimate purposes, and not in excess for the purposes in which they were obtained) and movement (within or outside the European Union) of personal data to protect individuals (European Commission, 1995). In 2012, the European Commission proposed a General Data Protection Regulation (De Hert and Papakonstantinou, 2012). Powell said this legislation, which would add restrictions for big data collection and require re-consent for use of data in many legacy repositories, has been widely debated. Critics view the regulations as an impediment to international research collaborations, with significant implications for genetic and other types of medical research. In response to concerns about the responsible use of genomic and other data, the Global Alliance for Genomics and Health² was established in 2013. It brought together an international group of researchers, patient advocates, bioethicists, and privacy experts to develop best practices for sharing and protecting research data.
¹ See http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html (accessed September 10, 2015).