July 25–29 — A week in review

Health data privacy from three perspectives.

Doug Fridsma
4 min read · Jul 30, 2022

As more health data is collected, stored, and shared electronically, people are starting to pay more attention to keeping that data private. This week, a number of announcements related to health data privacy have been circulating, and give us patient, company, and government perspectives.

AMA patient survey on privacy

The AMA recently partnered with Savvy Cooperative (an interesting data company in its own right) to release a survey of patient perspectives around data privacy. While I wasn’t able to find a copy of the survey questions (to understand exactly how the questions were asked), the survey reports that 92% of patients believe that privacy is a right — with many unclear about the privacy rules and who has access to their data.

The survey seemed to focus most specifically on data that is shared outside the confines of the HIPAA framework (which would be consistent with the AMA privacy principles, which focus on entities not covered by HIPAA). It showed that patients felt most comfortable with physicians having access to their data, and least comfortable with social media, big tech, and prospective employers having access to it.

A fundamental belief of the AMA is that the “primary purpose of increasing data privacy is to build public trust, not to inhibit data exchange,” and the principles reflect a focus on data that falls outside the entities covered under HIPAA regulations. It was not clear where medical research, de-identified data (which protects privacy while putting health care data to good use), or other data issues are addressed.

The remedies suggested by the AMA are aligned with their privacy principles: transparency, control, and rules against discrimination that would disadvantage individuals — all good goals to restore public trust without inhibiting data exchange for the public good.

Romney proposal for a new data agency for the protection of public health

Romney’s Senate office announced on Thursday a proposal to create an independent, HHS-wide agency called the Center for Public Health Data (CPHD). According to the Romney website:

The Center for Public Health Data (CPHD) would be a modern data agency, focused exclusively on aggregating comprehensive, de-identified public health data from diverse sources, including local, state, and federal public health units; state health data utilities and exchanges; hospital systems; public and commercial laboratories; and academic and research institutions.

CPHD will be structured as an independent data subagency inside the Department of Health and Human Services (HHS), and led by a Chief Data Engineer. It will serve as an open and transparent repository of information to provide the public, academics, and policymakers objective, unbiased data in real time. A clear picture of the state of public health and disease spread will help policymakers develop and implement informed and proactive policy solutions.

What is interesting about this proposal is that it emphasizes a comprehensive, de-identified approach to aggregating federated data sources. It requires that personally identifiable data be de-identified at the source before it is sent to CPHD, and that the data be limited to infectious disease information. Such a solution would need to leverage technology that can link data across different datasets while still maintaining a patient’s privacy.
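One common way to get both properties at once, de-identification at the source and the ability to link a patient’s records across contributing sites, is keyed tokenization: each site replaces direct identifiers with an HMAC over normalized name and date of birth under a key held by the linkage operator, so the aggregator can group records by token without ever receiving a name. The following is an added, illustrative example and not the CPHD design or any vendor’s code; the key, the field names, the "linkage operator" role and the sample lab and hospital feeds are all constructed for the demonstration.

```python
import hashlib
import hmac
import unicodedata

# Constructed example key. In a real deployment this would be held only by the
# linkage operator (a hypothetical role here), stored in an HSM or KMS, and rotated.
LINKAGE_KEY = b"example-key-do-not-use-in-production"


def normalize(value: str) -> str:
    """Canonicalize a field so trivial differences (case, accents, spacing)
    do not break matching: 'GARCÍA' and 'garcia' tokenize identically."""
    decomposed = unicodedata.normalize("NFKD", value)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(ascii_only.lower().split())


def link_token(first: str, last: str, dob: str, key: bytes = LINKAGE_KEY) -> str:
    """Keyed hash over normalized identifiers. Unlike a plain SHA-256 of the
    same fields, a recipient without the key cannot enumerate names and dates
    of birth to reverse the token."""
    material = "|".join([normalize(first), normalize(last), dob]).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def deidentify_at_source(record: dict, key: bytes = LINKAGE_KEY) -> dict:
    """What a contributing site would transmit: the token plus the
    non-identifying payload, with direct identifiers stripped before sending."""
    return {
        "token": link_token(record["first"], record["last"], record["dob"], key),
        "report_date": record["report_date"],
        "condition": record["condition"],
        "source": record["source"],
    }


def link_records(*feeds):
    """Aggregator side: group de-identified records from many sources by token."""
    linked = {}
    for feed in feeds:
        for rec in feed:
            linked.setdefault(rec["token"], []).append(rec)
    return linked


# Constructed sample feeds. The same (fictional) patient appears in both, with
# the hospital formatting her name differently from the lab.
LAB_FEED = [
    {"first": "Maria", "last": "Garcia", "dob": "1980-03-14",
     "report_date": "2022-07-25", "condition": "positive_test", "source": "lab_A"},
    {"first": "John", "last": "Doe", "dob": "1975-11-02",
     "report_date": "2022-07-26", "condition": "positive_test", "source": "lab_A"},
]
HOSPITAL_FEED = [
    {"first": "MARIA", "last": "GARCÍA", "dob": "1980-03-14",
     "report_date": "2022-07-28", "condition": "admission", "source": "hospital_B"},
]


def demo():
    """Each site de-identifies locally; only tokens reach the aggregator."""
    lab = [deidentify_at_source(r) for r in LAB_FEED]
    hosp = [deidentify_at_source(r) for r in HOSPITAL_FEED]
    return link_records(lab, hosp)


if __name__ == "__main__":
    for token, recs in demo().items():
        print(token[:12], [(r["source"], r["condition"]) for r in recs])
```

The normalization step matters as much as the keyed hash: without it, the lab’s "Garcia" and the hospital’s "GARCÍA" would produce different tokens and the two reports would never be linked. The key is the privacy boundary, so whoever holds it can re-identify; that party, and the conditions under which it may compute tokens, is the governance question the proposal would have to answer.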

The AMA survey didn’t include public health use cases or a direct discussion of de-identified data being used for the public good, but this is another approach to keeping patients’ data private while still allowing it to be used to improve health and healthcare.

Finally, a cautionary tale

Stat+ reported an investigation of IQVIA in which internal documents show privacy lapses in the company’s relationship with Experian. Experian is a credit reporting agency with detailed consumer buying data; IQVIA holds over 1.2 billion patient records from around the world. This data is used to accelerate pharmaceutical research, but can also be used for other purposes such as developing specific marketing campaigns for those drugs, or targeting specific communities.

Companies like IQVIA follow HIPAA regulations to ensure that personally identifiable data is removed, but sometimes an individual can be re-identified when data from one de-identified dataset is combined with another de-identified dataset. An example of this (not associated with IQVIA) was when Latanya Sweeney (at the time an MIT graduate student) was able to identify the records of the former Massachusetts governor by combining two de-identified data sets.
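The reason two "de-identified" datasets can be combined this way is that removing names leaves quasi-identifiers (ZIP code, date of birth, sex) that are often unique per person and present in other datasets too. The check a privacy reviewer runs before release is the k-anonymity measure associated with Sweeney’s later work: for every combination of quasi-identifier values, count how many records share it; any class of size 1 is a record that an outside dataset with the same fields could single out. The example below is added here and is not from the article or from any of the companies named; the release rows are fictional and constructed so that exact quasi-identifiers leave four records unique while coarsening ZIP to a 3-digit prefix and DOB to birth year makes every record share its class with at least one other.

```python
from collections import Counter

# Constructed, fictional release: names removed, but ZIP / date of birth / sex
# retained (the same quasi-identifier set as the Massachusetts example).
RELEASE = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1945-02-10", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1962-01-15", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1962-01-15", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02141", "dob": "1980-05-02", "sex": "M", "diagnosis": "flu"},
    {"zip": "02142", "dob": "1980-11-20", "sex": "M", "diagnosis": "flu"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def equivalence_classes(rows, qids=QUASI_IDENTIFIERS):
    """Count records per distinct quasi-identifier tuple."""
    return Counter(tuple(r[q] for q in qids) for r in rows)


def k_anonymity(rows, qids=QUASI_IDENTIFIERS):
    """The smallest equivalence class. k == 1 means at least one record is
    unique on its quasi-identifiers and is exposed to linkage with any other
    dataset carrying the same fields."""
    classes = equivalence_classes(rows, qids)
    return min(classes.values()) if classes else 0


def singletons(rows, qids=QUASI_IDENTIFIERS):
    """Quasi-identifier tuples that occur exactly once (the at-risk records)."""
    return [key for key, n in equivalence_classes(rows, qids).items() if n == 1]


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth year only.
    The diagnosis column (the data of analytic value) is left untouched."""
    out = dict(row)
    out["zip"] = row["zip"][:3] + "**"
    out["dob"] = row["dob"][:4]
    return out


def check_release(rows, required_k=2):
    """Reviewer gate: (passes, achieved k, list of unique tuples)."""
    k = k_anonymity(rows)
    return k >= required_k, k, singletons(rows)


if __name__ == "__main__":
    print("raw release:        ", check_release(RELEASE))
    print("generalized release:", check_release([generalize(r) for r in RELEASE]))
```

A gate like this is mechanical enough to run on every extract, which is the kind of established, repeatable practice the next paragraph argues for. It is also only a floor: k-anonymity says nothing about the sensitive column itself (if every record in a class shares one diagnosis, the class still discloses it), and the choice of quasi-identifiers has to reflect what other datasets actually exist, which is why an independent expert review rather than a single script is the standard.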

What the investigation identified is the importance of having — and following — established practices of expert privacy review for processes within an organization. Between 2009 and 2016, IQVIA failed to do an independent privacy assessment. To their credit, when these privacy issues were identified, they reinstated the privacy review, using the firm Privacy Analytics, which they acquired in 2016. The two organizations continue to operate independently, but the authors raised the issue of potential favorable treatment of IQVIA.

Three perspectives, one bottom line

As health data becomes more ubiquitous, the public must trust that their data is being kept safe and private. But there are good reasons that data — when properly de-identified — can be used to support pandemic response and the public good. Finally, it is the responsibility of all organizations — hospitals, providers, data aggregators and the government — to ensure transparency, independent privacy audits, and assure a skeptical public that their data is being used responsibly.


Doug Fridsma

Doug is currently the Chief Medical Informatics Officer at Health Universe and a senior advisor for Datavant Inc. Previously he was the Chief Science Officer for ONC.