Skip to main content
×
Home

How Should Health Data Be Used?: Privacy, Secondary Use, and Big Data Sales

Abstract:
Abstract:

Electronic health records, data sharing, big data, data mining, and secondary use are enabling exciting opportunities for improving health and healthcare while also exacerbating privacy concerns. Two court cases about selling prescription data, the Sorrell case in the U.S. and the Source case in the U.K., raise questions of what constitutes “privacy” and “public interest”; they present an opportunity for ethical analysis of data privacy, commodifying data for sale and ownership, combining public and private data, data for research, and transparency and consent. These interwoven issues involve discussion of big data benefits and harms and touch on common dualities of the individual versus the aggregate or the public interest, research (or, more broadly, innovation) versus privacy, individual versus institutional power, identification versus identity and authentication, and virtual versus real individuals and contextualized information. Transparency, flexibility, and accountability are needed for assessing appropriate, judicious, and ethical data uses and users, as some are more compatible with societal norms and values than others.

Copyright
References
Hide All

Notes

1. Laura Wexler’s comments as a respondent at “The Critical Life of Information,” a conference at Yale University, April 11, 2014, outlined dualities related to big data; see http://wgss.yale.edu/sites/default/files/files/Critical%20Life%20of%20Information%20Program%20spreads.pdf (last accessed 19 Aug 2014) for conference information.

2. Jost TS. Readings in Comparative Health Law and Bioethics. 2nd ed.Durham, NC: Carolina Academic Press; 2007.

3. Institute of Medicine (IOM). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press; 2009, at 78.

4. See note 3, IOM 2009, at 79.

5. Jones P. Permission-based marketing under Canada’s new privacy laws. Franchise Law Journal 2004;24(2):267303.

6. Walden I. Anonymising personal data. International Journal of Law and Information Technology 2002;10(2):224–37.

7. Srinivas N, Biswas A. Protecting patient information in India: Data privacy law and its challenges. NUJS Law Review 2012;5(3):411–24.

8. Kaplan B. Selling health data: De-identification, privacy, and speech. Cambridge Quarterly of Healthcare Ethics 2015;24(3):256–71.

9. United States Government, Department of Health and Human Services, Office for Civil Rights. Summary of the HIPAA Privacy Rule; available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/ (last accessed 30 June 2013).

10. United States Government, Department of Health and Human Services, Office for Civil Rights. Standards for Privacy of Individually Identifiable Health Information; available at http://aspe.hhs.gov/admnsimp/final/pvcguide1.htm (last accessed 19 Jan 2014).

11. United States Government, Department of Health and Human Services, HSS Press Office, New rule protects patient privacy, secures health information 2013 Jan 17; available at http://www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures-health-information.html (last accessed 1 Jan 2016). See also United States Government, Department of Health and Human Services, Office of the Secretary. 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA Rules; final rule. Federal Register 2013 Jan 25:5565–702; available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf (last accessed 2 July 2014).

12. European Union. EU Directive 95/46/EC—The Data Protection Directive; available at http://www.dataprotection.ie/docs/EU-Directive-95-46-EC--Chapter-2/93.htm (last accessed 23 Mar 2014).

13. European Commission, Directorate General for Justice and Consumers. Agreement on Commission's EU data protection reform will boost Digital Single Market 2015 Dec 15; available at http://europa.eu/rapid/press-release_IP-15-6321_en.htm (last accessed 5 Jan 2016). See also European Commission, Directorate General for Justice and Consumers. Reform of EU data protection rules; available at http://ec.europa.eu/justice/data-protection/reform/index_en.htm (last accessed 5 Jan 2016).

14. Rossi B. Countdown to the EU General Data Protection Regulation: 5 steps to prepare. Information Age 2015 Mar 24; available at http://www.information-age.com/it-management/risk-and-compliance/123459219/countdown-eu-general-data-protection-regulation-5-steps-prepare (last accessed 13 May 2015).

15. Solove DJ. A taxonomy of privacy. University of Pennsylvania Law Review 2006;154(3):477560.

16. Ohm P. Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review 2010;57:1701–77, at 270.

17. Taylor MJ. Health research, data protection, and the public interest in notification. Medical Law Review 2011;19(2):267303.

18. See note 17, Taylor 2011, at 303.

19. Kaplan B. Patient health data privacy. In: Yanisky-Ravid S, ed. The Challenges of the Digital Era: Privacy, Information and More. New York: Fordham University Press; forthcoming.

20. See note 8, Kaplan 2015.

21. See note 16, Ohm 2010.

22. See note 19, Kaplan forthcoming.

23. Beyleveld D, Histed E. Betrayal of confidence in the Court of Appeal. Medical Law International 2000;4:277311.

24. Koontz L. What is privacy? In: Koontz L, ed. Information Privacy in the Evolving Healthcare Environment. Chicago: Healthcare Information and Management Society (HIMSS); 2013:1–20.

25. See note 19, Kaplan forthcoming.

26. See note 8, Kaplan 2015.

27. World Medical Association. International Code of Medical Ethics; available at http://www.wma.net/en/30publications/10policies/c8/index.html (last accessed 2 May 2014).

28. World Medical Association. Declaration of Helsinki—Ethical Principles for Medical Research Involving Human Subjects; available at http://www.wma.net/en/30publications/10policies/b3/ (last accessed 2 May 2014).

29. World Medical Association. Declaration on Ethical Considerations Regarding Health Databases; available at http://www.wma.net/en/30publications/10policies/d1/ (last accessed 2 May 2014).

30. See note 29, WMA 2014.

31. See note 2, Jost 2007.

32. Malin BA, El Emam K, O’Keefe CM. Biomedical data privacy: Problems, perspectives, and recent advances. JAMIA (Journal of the American Medical Informatics Association) 2013;20(1):26.

33. See note 23, Beyleveld, Histed 2000, at 296.

34. Dunkel YF. Medical privacy rights in anonymous data: Discussion of rights in the United Kingdom and the United States in light of the Source Informatics cases. Loyola of Los Angeles International and Comparative Law Review 2001;23(1):4180.

35. See note 7, Srinivas, Biswas 2012.

36. See note 5, Jones 2004.

37. Powell J, Fitton R, Fitton C. Sharing electronic health records: The patient view. Informatics in Primary Care 2006;14(1):55–7.

38. Schers H, van den Hoogen H, Grol R, van den Bosch W. Continuity of information in general practice: Patient views on confidentiality. Scandinavian Journal of Primary Health Care 2003;21(1):21–6.

39. See note 23, Beyleveld, Histed 2000.

40. See note 32, Malin et al. 2013.

41. See note 34, Dunkel 2001, at 70.

42. Choy C, Hudson Z, Pritts J, Goldman J. Exposed Online: Why the New Federal Health Privacy Regulation Doesn’t Offer Much Protection to Internet Users. Health Privacy Project, Institute for Healthcare Research and Policy, Georgetown University: Pew Internet and American Life Project; 2001, at 4; available at http://www.pewinternet.org/files/old-media/Files/Reports/2001/PIP_HPP_HealthPriv_report.pdf.pdf (last accessed 11 May 2015).

43. See note 12, EU 2014.

44. McGraw D. Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data. JAMIA (Journal of the American Medical Informatics Association) 2013;20(1):2934.

45. Curfman GD, Morrissey S, Drazen JM. Prescriptions, privacy, and the First Amendment. New England Journal of Medicine 2011;364(21):2053–5.

46. Tien L. Online behavioral tracking and the identification of Internet users. Paper presented at: From Mad Men to Mad Bots: Advertising in the Digital Age [conference]. The Information Society Project at the Yale Law School. New Haven, CT; 2011.

47. Benitez K, Malin B. Evaluating re-identification risks with respect to the HIPAA Privacy Rule. JAMIA (Journal of the American Medical Informatics Association) 2010;17(2):169–77.

48. See note 16, Ohm 2010.

49. See note 8, Kaplan 2015.

50. Sorrell v. IMS Health, Inc., et al., 131 S. Ct. 2653 (2011).

51. R v. Department of Health, Ex Parte Source Informatics Ltd. [C.A. 2000] 1 All ER 786. See also R v. Department of Health, Ex Parte Source Informatics Ltd. European Law Report 2000;4:397–414.

52. See note 8, Kaplan 2015.

53. See note 7, Srinivas, Biswas 2012.

54. See note 5, Jones 2004.

55. Baxter AD. IMS Health v. Ayotte: A new direction on commercial speech cases. Berkeley Technology Law Journal 2010;25:649–70.

56. Pasquale F. Restoring transparency to automated authority. Journal on Telecommunications and High Technology Law 2011;9:235–54.

57. Rodwin MA. Patient data: Property, privacy, and the public interest. American Journal of Law and Medicine 2010;36:586618, at 589.

58. Hall MA, Schulman KA. Ownership of medical information. JAMA 2009;301(12):1282–4.

59. Gooch GR, Rohack JJ, Finley M. The moral from Sorrell: Educate, don’t legislate. Health Matrix 2013;23(1):237–77.

60. NHS European Office. Data Protection; 2015 Mar 24; available at http://www.nhsconfed.org/regions-and-eu/nhs-european-office/influencing-eu-policy/data-protection (last accessed 15 May 2015).

61. See note 14, Rossi 2015.

62. O’Donoghue C. EU research group condemns EU regulation for restricting growth in life sciences sector; 2014; available at http://www.globalregulatoryenforcementlawblog.com/2014/02/articles/data-security/eu-research-group-condemns-eu-regulation-for-restricting-growth-in-life-sciences-sector/ (last accessed 23 Mar 2014).

63. Farrar J. Sharing NHS data saves lives; EU obstruction will not. The Telegraph 2014 Jan 14; available at http://www.telegraph.co.uk/health/nhs/10569467/Sharing-NHS-data-saves-lives-EU-obstruction-will-not.html (last accessed 23 Mar 2014).

64. European Public Health Alliance. [Update] General Data Protection Regulation; available at http://www.epha.org/5926 (last accessed 23 Mar 2014).

65. NHS Confederation. EU ministers table changes to data privacy; 2015 Mar 13; available at http://nhsconfed.org/news/2015/03/eu-ministers-table-changes-to-data-privacy-laws (last accessed 14 May 2015).

66. See note 13, European Commission 2015.

67. Doctorow C. UK set to sell sensitive NHS records to commercial companies with no meaningful privacy protections—UPDATED; 2014 Feb 4; available at http://boingboing.net/2014/02/04/uk-set-to-sell-sensitive-nhs-r.html (last accessed 5 Feb 2014).

68. Donnelly L. Hospital records of all NHS patients sold to insurers. The Telegraph 2014 Feb 23; available at http://www.telegraph.co.uk/health/healthnews/10656893/Hospital-records-of-all-NHS-patients-sold-to-insurers.html (last accessed 24 July 2014).

69. See note 68, Donnelly 2014.

70. NHS Choices. Your records: Better information means better care; available at http://www.nhs.uk/nhsengland/thenhs/records/healthrecords/pages/care-data.aspx (last accessed 24 July 2014).

71. See note 70, NHS Choices 2014.

72. Ramesh R. NHS patient data to be made available for sale to drug and insurance firms. The Guardian 2014 Jan 19; available at http://www.theguardian.com/society/ 2014/jan/19/nhs-patient-data-available-companies-buy (last accessed 24 July 2014).

73. Institute of Medicine. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies; 2009; available at http://www.iom.edu/∼/media/Files/Report%20Files/2009/Beyond-the-HIPAA-Privacy-Rule-Enhancing-Privacy-Improving-Health-Through-Research/HIPAA%20report%20brief%20FINAL.pdf (last accessed 22 Jan 2014).

74. Open Humans Network. Open Humans Network wins Knight News Challenge: Health Award; available at http://openhumans.org/ (last accessed 1 July 2014).

75. Christakis NA, Fowler JH. Social network visualization in epidemiology. Norwegian Journal of Epidemiology 2009;19(1):516.

76. Christakis NA, Fowler JH. Social network sensors for early detection of contagious outbreaks. PLoS ONE 2010;5(9):e12948.

77. Velasco E, Agheneza T, Denecke K, Kirchner G, Eckmanns T. Social media and Internet-based data in global systems for public health surveillance: A systematic review. The Milbank Quarterly 2014;93(1):733.

78. Andrews L. I Know Who You Are and I Saw What You Did: Social Networks and the Death of Data Privacy. New York: Free Press; 2011, at 1–3.

79. Angwin J. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. New York: Times Books, Henry Holt; 2014, at 33–4.

80. Geissbuhler A, Safran C, Buchan I, Bellazzi R, Labkoff S, Eilenberg K, et al. Trustworthy reuse of health data: A transnational perspective. International Journal of Medical Informatics 2013;83(1):19.

81. See note 7, Srinivas, Biswas 2012.

82. See note 17, Taylor 2011.

83. Bambauer JR. Is data speech? Stanford Law Review 2014;66:57–120.

84. Zarsky TZ. The privacy/innovation conundrum. Lewis & Clark Law Review 2015;19(1); available at http://ssrn.com/abstract=2596822 (last accessed 19 May 2015).

85. Dvorak K. Med identity theft continues to rise; 2015 Feb 23; available at http://www.fiercehealthit.com/story/med-identity-theft-continues-rise/2015-02-23?utm_medium=nl&utm_source=internal (last accessed 14 May 2015).

86. Avila J, Marshall S. Your medical records may not be private: ABC News Investigation. ABC News 2012 Sept 13; available at http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986&page=2 (last accessed 22 Mar 2014).

87. Nguyen V, Nious K, Carroll J. Your medical records could be sold on black market: NBC Investigative Unit surprises strangers with private medical details. NBC Bay Area 2013 June 18; available at http://www.nbcbayarea.com/news/local/Medical-Records-Could-Be-Sold-on-Black-Market-212040241.html (last accessed 22 Mar 2014).

88. Lawrence D. End of Windows XP support means added opportunity for hackers. Businessweek 2014 Apr 4; available at http://www.businessweek.com/articles/2014-04-04/end-of-windows-xp-support-means-added-opportunity-for-hackers (last accessed 1 July 2014).

89. Shahani A. The black market for stolen health care data. NPR; 2015 Feb 13; available at http://www.npr.org/sections/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data (last accessed 14 May 2015).

90. See note 58, Hall, Schulman 2009.

91. See note 34, Dunkel 2001.

92. See note 47, Benitez, Malin 2010.

93. Roberston J. States’ hospital data for sale puts privacy in jeopardy. Health Leaders Media; 2013; available at http://www.healthleadersmedia.com/content/QUA-292963/States-hospital-data-for-sale-puts-privacy-in-jeopardy (last accessed 14 June 2013).

94. Brief for the New England Journal of Medicine, the Massachusetts Medical Society, the National Physicians Alliance, and the American Medical Students Association as Amici Curiae Supporting Petitioners, William H. Sorrell v. IMS Health, Inc. et al., 2010 U.S. Briefs 779 (No. 10-779), 2011 U.S. S. Ct. Briefs LEXIS 299.

95. Holtzman DH. Privacy Lost: How Technology Is Endangering Your Privacy. San Francisco: Jossey-Bass; 2006, at 195.

96. See, for example, RPC Health Data Store. CMS MedPAR Hospital Data File; available at http://www.healthdatastore.com/cms-medpar-hospital-data-file.aspx (last accessed 13 Sept 2013).

97. [Winston JS]. States’ hospital data for sale puts patient privacy in jeopardy; 2013 June 7; available at https://www.annualmedicalreport.com/states-hospital-data-for-sale-puts-patient-privacy-in-jeopardy/ (last accessed 19 Jan 2014).

98. Bady A. World without walls—privacy laws should be recrafted for the data fusion age. Technology Review 2011;114(6):66–71.

99. United States Government, Department of Justice. Fusion Center Guidelines: Developing and Sharing Information and Intelligence in a New Era; 2006; available at http://www.it.ojp.gov/documents/fusion_center_guidelines.pdf (last accessed Mar 2012).

100. See note 45, Curfman et al. 2011.

101. United States Government, Department of Health and Human Services, Centers for Medicare and Medicaid Services. Agreement for Use of Centers for Medicare & Medicaid Services (CMS) Data Containing Unique Identifiers, Form CMS-R-0235, OMB No. 0938-0734; available at http://www.cms.gov/Medicare/CMS-Forms/CMS-Forms/downloads//cms-r-0235.pdf (last accessed 13 Sept 2013).

102. Hebda T, Czar P. Handbook of Informatics for Nurses and Healthcare Professionals. 4th ed.Upper Saddle River, NJ: Pearson/Prentice Hall; 2009, at 321.

103. See note 68, Donnelly 2014.

104. See note 95, Holtzman 2006, at 192.

105. McGraw Hill General and Human Biology Case Studies. Gene Banks versus Privacy Invasion; available at http://www.mhhe.com/biosci/genbio/casestudies/sellinggenes.mhtml (last accessed 2 May 2014).

106. Brief for the Association of Clinical Research Organizations as Amici Curiae Supporting Respondents, William H. Sorrell v. IMS Health, Inc., et al., 2011 WL 2647130 (2011) (No. 10-779), (2011).

107. See note 59, Gooch et al. 2013.

108. See note 105, McGraw Hill 2014.

109. Austin MA, Harding S, McElroy C. Genebanks: A comparison of eight proposed international genetic databases. Community Genetics 2003;6(1):3745.

110. Gillham WW. Genes, Chromosomes, and Disease: From Simple Traits, to Complex Traits, to Personalized Medicine. Upper Saddle River, NJ: Pearson Education, published as FT Press Science; 2011, at 18–19.

111. Amgen. Amgen to Acquire deCODE Genetics, a Global Leader in Human Genetics; available at www.amgen.com/media/media_pr_detail.jsp?releaseID=1765710 (last accessed 2 May 2014).

112. See note 109, Austin et al. 2003.

113. Annas GJ. Rules for research on human genetic variation—lessons from Iceland. New England Journal of Medicine 2000;342(24):1830–3.

114. Gulcher JR, Stefánsson K. The Icelandic Healthcare Database and informed consent. New England Journal of Medicine 2000;342(24):1827–9.

115. See note 19, Kaplan forthcoming.

116. Evans BJ. Much ado about data ownership. Harvard Journal of Law & Technology 2011;25(1):69130.

117. For example, GE Data Visualization uses information “based on 7.2 million patient records from GE’s proprietary database”; available at http://visualization.geblogs.com/visualization/network/ (last accessed 27 Sept 2013). GE Healthcare’s Healthcare IT Solutions—available at http://www3.gehealthcare.com/en/Products/Categories/Healthcare_IT?gclid=CIKQ4Z6P7LkCFcE7OgodTDIAPQ and http://www3.gehealthcare.com/en/Products/Categories/Healthcare_IT/Knowledge_Center (last accessed 27 Sept 2013)—includes patient records and patient portals.

118. Sittig DF, Singh H. Legal, ethical, and financial dilemmas in electronic health record adoption and use. Pediatrics 2011 Apr;127(4):e1042–7.

119. Moore J, Tholemeier R. Whose data is it anyway? The Health Care Blog; 2013 Nov 20; available at http://thehealthcareblog.com/blog/2013/11/20/whose-data-is-it-anyway-2/ (last accessed 3 Feb 2014).

120. Goodman KW, Berner E, Dente MA, Kaplan B, Koppel R, Rucker D, et al. Challenges in ethics, safety, best practices, and oversight regarding HIT vendors, their customers, and patients: A report of an AMIA special task force. JAMIA (Journal of the American Medical Informatics Association) 2011;18(1):7781.

121. Hall MA. Property, privacy, and the pursuit of interconnected electronic health records. Iowa Law Review 2010;95:631–63.

122. See note 57, Rodwin 2010.

123. See note 3, IOM 2009, at 77.

124. See note 58, Hall, Schulman 2009.

125. Atherley G. The public-private partnership between IMS Health and the Canada Pension Plan. Fraser Forum 2011:5–7.

126. Miller RA, Schaffner KF, Meisel A. Ethical and legal issues related to the use of computer programs in clinical medicine. Annals of Internal Medicine 1985;102:529–36.

127. Goodman KW. Health information technology: Challenges in ethics, science and uncertainty. In: Himma K, Tavani H, eds. The Handbook of Information and Computer Ethics. Hoboken, NJ: Wiley; 2008:293309.

128. See note 127, Goodman 2008.

129. Data mining case tests boundaries of medical privacy. CMAJ 2011;183(9):E509–10.

130. See note 44, McGraw 2013.

131. See note 17, Taylor 2011.

132. See note 57, Rodwin 2010, at 617–18.

133. See note 15, Solove 2006.

134. Goodman KW. Ethics, information technology, and public health: New challenges for the clinician-patient relationship. Journal of Law, Medicine and Ethics 2010 Spring:58–63.

135. Kaplan B, Litewka S. Ethical challenges of telemedicine and telehealth. Cambridge Quarterly of Healthcare Ethics 2008;17(4):401–16.

136. See note 19, Kaplan forthcoming.

137. See note 134, Goodman 2010.

138. See note 135, Kaplan, Litewka 2008.

139. See note 19, Kaplan forthcoming.

140. Roland D. UK to get 200 high-tech factory jobs making “swallowable sensors.” The Telegraph 2014 Mar 10; available at http://www.telegraph.co.uk/finance/10687395/UK-to-get-200-high-tech-factory-jobs-making-swallowable-sensors.html (last accessed 17 July 2014).

141. See note 24, Koontz 2013.

142. See note 44, McGraw 2013.

143. See note 23, Beyleveld, Histed 2000.

144. See note 12, EU 2014.

145. Rodrigues RJ, Wilson P, Schanz SJ. The Regulation of Privacy and Data Protection in the Use of Electronic Health Information: An International Perspective and Reference Source on Regulatory and Legal Issues Related to Person-Identifiable Health Databases. Washington, DC: World Health Organisation (WHO); 2001.

I am grateful for the thoughtful contributions to the panel I organized on the Sorrell case for the 2011 American Medical Informatics Association Annual Symposium and for comments on a very early draft of some portions of this article by Paul DeMuro, JD, CPA, MBA, MBI, PhD, Broad and Cassel, Fort Lauderdale, FL; Kenneth W Goodman, PhD, FACMI, University of Miami, Miami, FL; and Carolyn Petersen, MS, MBI, Mayo Clinic, Rochester, MN. I also am grateful to privacy lawyer Joel S. Winston for sharing drafts of his reporting with me, and to the editor for helpful suggestions.

This section features original work on the ethical, legal, policy, and social aspects of the use of computing and information technology in health, biomedical research, and the health professions. For submissions, contact Kenneth Goodman at .

Recommend this journal

Email your librarian or administrator to recommend adding this journal to your organisation's collection.

Cambridge Quarterly of Healthcare Ethics
  • ISSN: 0963-1801
  • EISSN: 1469-2147
  • URL: /core/journals/cambridge-quarterly-of-healthcare-ethics
Please enter your name
Please enter a valid email address
Who would you like to send this to? *
×

Keywords:

Metrics

Altmetric attention score

Full text views

Total number of HTML views: 48
Total number of PDF views: 305 *
Loading metrics...

Abstract views

Total abstract views: 1171 *
Loading metrics...

* Views captured on Cambridge Core between September 2016 - 20th November 2017. This data will be updated every 24 hours.