How Should Health Data Be Used?
Privacy, Secondary Use, and Big Data Sales
Published online by Cambridge University Press: 09 March 2016
Electronic health records, data sharing, big data, data mining, and secondary use are enabling exciting opportunities for improving health and healthcare while also exacerbating privacy concerns. Two court cases about selling prescription data, the Sorrell case in the U.S. and the Source case in the U.K., raise questions of what constitutes “privacy” and “public interest”; they present an opportunity for ethical analysis of data privacy, commodifying data for sale and ownership, combining public and private data, data for research, and transparency and consent. These interwoven issues involve discussion of big data benefits and harms and touch on common dualities of the individual versus the aggregate or the public interest, research (or, more broadly, innovation) versus privacy, individual versus institutional power, identification versus identity and authentication, and virtual versus real individuals and contextualized information. Transparency, flexibility, and accountability are needed for assessing appropriate, judicious, and ethical data uses and users, as some are more compatible with societal norms and values than others.
- Departments and Columns
- Copyright © Cambridge University Press 2016
1. Laura Wexler’s comments as a respondent at “The Critical Life of Information,” a conference at Yale University, April 11, 2014, outlined dualities related to big data; see http://wgss.yale.edu/sites/default/files/files/Critical%20Life%20of%20Information%20Program%20spreads.pdf (last accessed 19 Aug 2014) for conference information.
2. Jost, TS. Readings in Comparative Health Law and Bioethics. 2nd ed. Durham, NC: Carolina Academic Press; 2007.
3. Institute of Medicine (IOM). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press; 2009, at 78.
5. Jones, P. Permission-based marketing under Canada’s new privacy laws. Franchise Law Journal 2004;24(2):267–303.
7. Srinivas, N, Biswas, A. Protecting patient information in India: Data privacy law and its challenges. NUJS Law Review 2012;5(3):411–24.
9. United States Government, Department of Health and Human Services, Office for Civil Rights. Summary of the HIPAA Privacy Rule; available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/ (last accessed 30 June 2013).
10. United States Government, Department of Health and Human Services, Office for Civil Rights. Standards for Privacy of Individually Identifiable Health Information; available at http://aspe.hhs.gov/admnsimp/final/pvcguide1.htm (last accessed 19 Jan 2014).
11. United States Government, Department of Health and Human Services, HHS Press Office, New rule protects patient privacy, secures health information 2013 Jan 17; available at http://www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures-health-information.html (last accessed 1 Jan 2016). See also United States Government, Department of Health and Human Services, Office of the Secretary. 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA Rules; final rule. Federal Register 2013 Jan 25:5565–702; available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf (last accessed 2 July 2014).
12. European Union. EU Directive 95/46/EC—The Data Protection Directive; available at http://www.dataprotection.ie/docs/EU-Directive-95-46-EC--Chapter-2/93.htm (last accessed 23 Mar 2014).
13. European Commission, Directorate General for Justice and Consumers. Agreement on Commission's EU data protection reform will boost Digital Single Market 2015 Dec 15; available at http://europa.eu/rapid/press-release_IP-15-6321_en.htm (last accessed 5 Jan 2016). See also European Commission, Directorate General for Justice and Consumers. Reform of EU data protection rules; available at http://ec.europa.eu/justice/data-protection/reform/index_en.htm (last accessed 5 Jan 2016).
14. Rossi B. Countdown to the EU General Data Protection Regulation: 5 steps to prepare. Information Age 2015 Mar 24; available at http://www.information-age.com/it-management/risk-and-compliance/123459219/countdown-eu-general-data-protection-regulation-5-steps-prepare (last accessed 13 May 2015).
16. Ohm, P. Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review 2010;57:1701–77, at 270.
19. Kaplan B. Patient health data privacy. In: Yanisky-Ravid S, ed. The Challenges of the Digital Era: Privacy, Information and More. New York: Fordham University Press; forthcoming.
22. See note 19, Kaplan forthcoming.
24. Koontz L. What is privacy? In: Koontz L, ed. Information Privacy in the Evolving Healthcare Environment. Chicago: Healthcare Information and Management Society (HIMSS); 2013:1–20.
25. See note 19, Kaplan forthcoming.
27. World Medical Association. International Code of Medical Ethics; available at http://www.wma.net/en/30publications/10policies/c8/index.html (last accessed 2 May 2014).
28. World Medical Association. Declaration of Helsinki—Ethical Principles for Medical Research Involving Human Subjects; available at http://www.wma.net/en/30publications/10policies/b3/ (last accessed 2 May 2014).
29. World Medical Association. Declaration on Ethical Considerations Regarding Health Databases; available at http://www.wma.net/en/30publications/10policies/d1/ (last accessed 2 May 2014).
30. See note 29, WMA 2014.
34. Dunkel, YF. Medical privacy rights in anonymous data: Discussion of rights in the United Kingdom and the United States in light of the Source Informatics cases. Loyola of Los Angeles International and Comparative Law Review 2001;23(1):41–80.
42. Choy C, Hudson Z, Pritts J, Goldman J. Exposed Online: Why the New Federal Health Privacy Regulation Doesn’t Offer Much Protection to Internet Users. Health Privacy Project, Institute for Healthcare Research and Policy, Georgetown University: Pew Internet and American Life Project; 2001, at 4; available at http://www.pewinternet.org/files/old-media/Files/Reports/2001/PIP_HPP_HealthPriv_report.pdf.pdf (last accessed 11 May 2015).
43. See note 12, EU 2014.
46. Tien L. Online behavioral tracking and the identification of Internet users. Paper presented at: From Mad Men to Mad Bots: Advertising in the Digital Age [conference]. The Information Society Project at the Yale Law School. New Haven, CT; 2011.
50. Sorrell v. IMS Health, Inc., et al., 131 S. Ct. 2653 (2011).
51. R v. Department of Health, Ex Parte Source Informatics Ltd. [C.A. 2000] 1 All ER 786. See also R v. Department of Health, Ex Parte Source Informatics Ltd. European Law Report 2000;4:397–414.
55. Baxter, AD. IMS Health v. Ayotte: A new direction on commercial speech cases. Berkeley Technology Law Journal 2010;25:649–70.
56. Pasquale, F. Restoring transparency to automated authority. Journal on Telecommunications and High Technology Law 2011;9:235–54.
59. Gooch, GR, Rohack, JJ, Finley, M. The moral from Sorrell: Educate, don’t legislate. Health Matrix 2013;23(1):237–77.
60. NHS European Office. Data Protection; 2015 Mar 24; available at http://www.nhsconfed.org/regions-and-eu/nhs-european-office/influencing-eu-policy/data-protection (last accessed 15 May 2015).
61. See note 14, Rossi 2015.
62. O’Donoghue C. EU research group condemns EU regulation for restricting growth in life sciences sector; 2014; available at http://www.globalregulatoryenforcementlawblog.com/2014/02/articles/data-security/eu-research-group-condemns-eu-regulation-for-restricting-growth-in-life-sciences-sector/ (last accessed 23 Mar 2014).
63. Farrar J. Sharing NHS data saves lives; EU obstruction will not. The Telegraph 2014 Jan 14; available at http://www.telegraph.co.uk/health/nhs/10569467/Sharing-NHS-data-saves-lives-EU-obstruction-will-not.html (last accessed 23 Mar 2014).
64. European Public Health Alliance. [Update] General Data Protection Regulation; available at http://www.epha.org/5926 (last accessed 23 Mar 2014).
65. NHS Confederation. EU ministers table changes to data privacy; 2015 Mar 13; available at http://nhsconfed.org/news/2015/03/eu-ministers-table-changes-to-data-privacy-laws (last accessed 14 May 2015).
66. See note 13, European Commission 2015.
67. Doctorow C. UK set to sell sensitive NHS records to commercial companies with no meaningful privacy protections—UPDATED; 2014 Feb 4; available at http://boingboing.net/2014/02/04/uk-set-to-sell-sensitive-nhs-r.html (last accessed 5 Feb 2014).
68. Donnelly L. Hospital records of all NHS patients sold to insurers. The Telegraph 2014 Feb 23; available at http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html (last accessed 24 July 2014).
69. See note 68, Donnelly 2014.
70. NHS Choices. Your records: Better information means better care; available at http://www.nhs.uk/nhsengland/thenhs/records/healthrecords/pages/care-data.aspx (last accessed 24 July 2014).
71. See note 70, NHS Choices 2014.
72. Ramesh R. NHS patient data to be made available for sale to drug and insurance firms. The Guardian 2014 Jan 19; available at http://www.theguardian.com/society/2014/jan/19/nhs-patient-data-available-companies-buy (last accessed 24 July 2014).
73. Institute of Medicine. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies; 2009; available at http://www.iom.edu/~/media/Files/Report%20Files/2009/Beyond-the-HIPAA-Privacy-Rule-Enhancing-Privacy-Improving-Health-Through-Research/HIPAA%20report%20brief%20FINAL.pdf (last accessed 22 Jan 2014).
74. Open Humans Network. Open Humans Network wins Knight News Challenge: Health Award; available at http://openhumans.org/ (last accessed 1 July 2014).
78. Andrews, L. I Know Who You Are and I Saw What You Did: Social Networks and the Death of Data Privacy. New York: Free Press; 2011, at 1–3.
79. Angwin, J. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. New York: Times Books, Henry Holt; 2014, at 33–4.
83. Bambauer JR. Is data speech? Stanford Law Review 2014;66:57–120.
84. Zarsky TZ. The privacy/innovation conundrum. Lewis & Clark Law Review 2015;19(1); available at http://ssrn.com/abstract=2596822 (last accessed 19 May 2015).
85. Dvorak K. Med identity theft continues to rise; 2015 Feb 23; available at http://www.fiercehealthit.com/story/med-identity-theft-continues-rise/2015-02-23?utm_medium=nl&utm_source=internal (last accessed 14 May 2015).
86. Avila J, Marshall S. Your medical records may not be private: ABC News Investigation. ABC News 2012 Sept 13; available at http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986&page=2 (last accessed 22 Mar 2014).
87. Nguyen V, Nious K, Carroll J. Your medical records could be sold on black market: NBC Investigative Unit surprises strangers with private medical details. NBC Bay Area 2013 June 18; available at http://www.nbcbayarea.com/news/local/Medical-Records-Could-Be-Sold-on-Black-Market-212040241.html (last accessed 22 Mar 2014).
88. Lawrence D. End of Windows XP support means added opportunity for hackers. Businessweek 2014 Apr 4; available at http://www.businessweek.com/articles/2014-04-04/end-of-windows-xp-support-means-added-opportunity-for-hackers (last accessed 1 July 2014).
89. Shahani A. The black market for stolen health care data. NPR; 2015 Feb 13; available at http://www.npr.org/sections/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data (last accessed 14 May 2015).
93. Robertson J. States’ hospital data for sale puts privacy in jeopardy. Health Leaders Media; 2013; available at http://www.healthleadersmedia.com/content/QUA-292963/States-hospital-data-for-sale-puts-privacy-in-jeopardy (last accessed 14 June 2013).
94. Brief for the New England Journal of Medicine, the Massachusetts Medical Society, the National Physicians Alliance, and the American Medical Students Association as Amici Curiae Supporting Petitioners, William H. Sorrell v. IMS Health, Inc. et al., 2010 U.S. Briefs 779 (No. 10-779), 2011 U.S. S. Ct. Briefs LEXIS 299.
95. Holtzman, DH. Privacy Lost: How Technology Is Endangering Your Privacy. San Francisco: Jossey-Bass; 2006, at 195.
96. See, for example, RPC Health Data Store. CMS MedPAR Hospital Data File; available at http://www.healthdatastore.com/cms-medpar-hospital-data-file.aspx (last accessed 13 Sept 2013).
97. [Winston JS]. States’ hospital data for sale puts patient privacy in jeopardy; 2013 June 7; available at https://www.annualmedicalreport.com/states-hospital-data-for-sale-puts-patient-privacy-in-jeopardy/ (last accessed 19 Jan 2014).
98. Bady A. World without walls—privacy laws should be recrafted for the data fusion age. Technology Review 2011;114(6):66–71.
99. United States Government, Department of Justice. Fusion Center Guidelines: Developing and Sharing Information and Intelligence in a New Era; 2006; available at http://www.it.ojp.gov/documents/fusion_center_guidelines.pdf (last accessed Mar 2012).
101. United States Government, Department of Health and Human Services, Centers for Medicare and Medicaid Services. Agreement for Use of Centers for Medicare & Medicaid Services (CMS) Data Containing Unique Identifiers, Form CMS-R-0235, OMB No. 0938-0734; available at http://www.cms.gov/Medicare/CMS-Forms/CMS-Forms/downloads//cms-r-0235.pdf (last accessed 13 Sept 2013).
102. Hebda, T, Czar, P. Handbook of Informatics for Nurses and Healthcare Professionals. 4th ed. Upper Saddle River, NJ: Pearson/Prentice Hall; 2009, at 321.
103. See note 68, Donnelly 2014.
105. McGraw Hill General and Human Biology Case Studies. Gene Banks versus Privacy Invasion; available at http://www.mhhe.com/biosci/genbio/casestudies/sellinggenes.mhtml (last accessed 2 May 2014).
106. Brief for the Association of Clinical Research Organizations as Amici Curiae Supporting Respondents, William H. Sorrell v. IMS Health, Inc., et al., 2011 WL 2647130 (2011) (No. 10-779), (2011).
108. See note 105, McGraw Hill 2014.
110. Gillham, WW. Genes, Chromosomes, and Disease: From Simple Traits, to Complex Traits, to Personalized Medicine. Upper Saddle River, NJ: Pearson Education, published as FT Press Science; 2011, at 18–19.
111. Amgen. Amgen to Acquire deCODE Genetics, a Global Leader in Human Genetics; available at www.amgen.com/media/media_pr_detail.jsp?releaseID=1765710 (last accessed 2 May 2014).
115. See note 19, Kaplan forthcoming.
116. Evans, BJ. Much ado about data ownership. Harvard Journal of Law & Technology 2011;25(1):69–130.
117. For example, GE Data Visualization uses information “based on 7.2 million patient records from GE’s proprietary database”; available at http://visualization.geblogs.com/visualization/network/ (last accessed 27 Sept 2013). GE Healthcare’s Healthcare IT Solutions—available at http://www3.gehealthcare.com/en/Products/Categories/Healthcare_IT?gclid=CIKQ4Z6P7LkCFcE7OgodTDIAPQ and http://www3.gehealthcare.com/en/Products/Categories/Healthcare_IT/Knowledge_Center (last accessed 27 Sept 2013)—includes patient records and patient portals.
118. Sittig DF, Singh H. Legal, ethical, and financial dilemmas in electronic health record adoption and use. Pediatrics 2011 Apr;127(4):e1042–7.
119. Moore J, Tholemeier R. Whose data is it anyway? The Health Care Blog; 2013 Nov 20; available at http://thehealthcareblog.com/blog/2013/11/20/whose-data-is-it-anyway-2/ (last accessed 3 Feb 2014).
120. Goodman, KW, Berner, E, Dente, MA, Kaplan, B, Koppel, R, Rucker, D, et al. Challenges in ethics, safety, best practices, and oversight regarding HIT vendors, their customers, and patients: A report of an AMIA special task force. JAMIA (Journal of the American Medical Informatics Association) 2011;18(1):77–81.
121. Hall, MA. Property, privacy, and the pursuit of interconnected electronic health records. Iowa Law Review 2010;95:631–63.
125. Atherley G. The public-private partnership between IMS Health and the Canada Pension Plan. Fraser Forum 2011:5–7.
129. Data mining case tests boundaries of medical privacy. CMAJ 2011;183(9):E509–10.
134. Goodman KW. Ethics, information technology, and public health: New challenges for the clinician-patient relationship. Journal of Law, Medicine and Ethics 2010 Spring:58–63.
136. See note 19, Kaplan forthcoming.
137. See note 134, Goodman 2010.
139. See note 19, Kaplan forthcoming.
140. Roland D. UK to get 200 high-tech factory jobs making “swallowable sensors.” The Telegraph 2014 Mar 10; available at http://www.telegraph.co.uk/finance/10687395/UK-to-get-200-high-tech-factory-jobs-making-swallowable-sensors.html (last accessed 17 July 2014).
141. See note 24, Koontz 2013.
144. See note 12, EU 2014.
145. Rodrigues, RJ, Wilson, P, Schanz, SJ. The Regulation of Privacy and Data Protection in the Use of Electronic Health Information: An International Perspective and Reference Source on Regulatory and Legal Issues Related to Person-Identifiable Health Databases. Washington, DC: World Health Organisation (WHO); 2001.