Law in the Internet Society

NishaChandraSecondEssay 4 - 03 Feb 2020 - Main.NishaChandra
Line: 1 to 1
 

It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.

Changed:
<
<

Getting Tech Companies Away From Our Medical Data

>
>

Misappropriation of Medical Data

 -- By NishaChandra - 06 Dec 2019
Changed:
<
<
Medical data is data that is collected about a person’s state of health. It can include information about hospitalizations, symptoms, allergies, treatment plans, medications, lab reports, and progress notes. This form of data was traditionally collected by clinics, hospitals, and public health authorities and has been stored in recent years as electronic health records (EHRs), which can be uploaded onto a third-party electronic health information exchange (eHIE). EHRs can be accessed by approved users instantly and be updated in real-time, making them a helpful tool for doctors to understand their patients’ history and subsequent medical needs. They can also be shared across providers in different health care systems, ensuring that clinicians have a full picture of a patient’s records.
>
>
Medical data is data that is collected about a person’s state of health. It can include information about hospitalizations, symptoms, treatment plans, and medications. This data, traditionally collected by medical professionals, is now typically stored as electronic health records (EHRs), which can be uploaded onto an electronic health information exchange (eHIE). EHRs can be accessed by approved users instantly and be shared across organizations, which helps doctors understand patients’ histories and medical needs. Unfortunately, as sharing medical data has become easier, entities outside the healthcare system have started collecting this data and using it for their own ends. Absent an overhaul of our healthcare system, the only solution may be updating outdated privacy laws.
 
Changed:
<
<

Tech's Interest In Health Data

>
>

Tech's Interest in Health Data

 
Changed:
<
<
But increasingly, technology corporations are collecting this health data. In some cases, people are willingly handing over that data. There exists a multitude of mobile phone applications where users can import information about their health. One such application, the Maya period tracker application, has over 5 million downloads on the Google Play Store. This application can store information about users’ use of contraception, period cycles, and associated symptoms. In other cases, people don’t know that corporations have access to their health data or never consented to it. The Maya period tracker, for instance, was recently found to be sharing its users’ medical data with Facebook. Additionally, Google has accessed health data without patient’s consent through Project Nightingale, a partnership with the health care provider Ascension. Through this project Google has the health records for millions of Ascension patients, and it claims the goal is to use machine-learning algorithms to make better healthcare decisions.
>
>
Increasingly, technology corporations are collecting health data, both with and without people’s knowledge. In some cases, people are willingly handing over their data. For instance, millions have downloaded period-tracker smartphone applications, which can store information about users’ contraception methods, period cycles, and symptoms. Users of these trackers and other similar services are willingly providing their most intimate data in return for reducing anxieties about their health. In other cases, people don’t know that corporations have access to their health data or never consented to it. The Maya period tracker, for instance, was recently found to be sharing its users’ medical data with Facebook. Google has similarly accessed health data without patients’ knowledge through Project Nightingale, a partnership with the health care provider Ascension. Through this project Google has the health records for millions of Ascension patients, and it claims its goal is to use machine-learning to help providers make better healthcare decisions.
 
Changed:
<
<
While medical providers collect and store medical data to streamline the provision of medical care, technology corporations may have more profit-based motives and may be less concerned with maintaining the privacy of this data. Health information, for example, can be used to suggest purchase options through targeted marketing. A company which knows that you’re struggling to conceive might show you ads for fertility clinics or self-help books. Through this type of marketing companies influences the behavior of users. Health data can also be sold; Facebook is interested in collecting health data in part because of the lucrative practice of selling this data to pharmaceutical and insurance companies. Unfortunately for users, health data in the hands of these companies will inevitably lead to discrimination based on that data. Insurers may start making health insurance coverage decisions based on the data they’re buying from these behavior-collectors. A previous prescription for depression medication noted on a patient’s medical record may lead to them being denied health insurance in the future due to “pre-existing conditions”. One day soon, companies will use this data to make decisions that affect every facet of people's lives – decisions about who to rent to, who to give a loan to, and who to hire.
>
>
While medical providers ostensibly collect medical data to streamline the provision of medical care, technology corporations may have more profit-based motives and care less about the privacy of this data. Health information, for example, can be used by corporations to suggest purchase options through targeted marketing. A company which learns that you’re struggling to conceive might then show you ads for fertility clinics. Through this type of marketing companies can influence the behavior of users. Health data can also be sold; Facebook is interested in collecting health data in part because of the lucrative practice of selling it to pharmaceutical and insurance companies. Unfortunately for users, health data in the hands of these types of companies will inevitably lead to discrimination based on that data. Insurers may start making health insurance coverage decisions based on the data they’re buying from these behavior-collectors. A previous prescription for depression medication noted on a patient’s medical record may lead to a denial of health insurance in the future due to “pre-existing conditions”. One day soon, companies will use the health data they’ve collected or bought to make decisions that affect every facet of people's lives – decisions about who to rent to, who to give a loan to, and who to hire.
 
Changed:
<
<

A Lack of Consent

>
>

Sharing Under HIPAA

 
Changed:
<
<
Unfortunately, patients’ consent plays a very small role in the dissemination of health data. Health care providers are bound by the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of protected health information by certain entities. While best practices dictate that patients are asked to consent to the sharing of their health data, HIPAA provides a very low baseline of conduct and does not require that providers get patients’ consent before exchanging health information through an eHIE. Some states have laws that are more protective than HIPAA of patients; but these laws are narrow and many only pertain to the disclosure of sensitive diagnoses such as HIV.
>
>
Patients’ consent plays a very small role in the dissemination of health data. Healthcare providers are bound by the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of protected health information by certain entities. While best practices dictate that patients should be asked to consent to the sharing of their health data, HIPAA provides a very low baseline of conduct and does not require this consent before exchanging health information through an eHIE. Some states have laws that are more protective than HIPAA of patients; but many of these laws only pertain to the disclosure of sensitive diagnoses such as HIV.
 
Changed:
<
<
As a general rule, in the United States healthcare systems can legally share health information with their business partners even without patients’ consent as long as the use is for the system’s healthcare functions. As long as the technology company that is receiving the data isn’t operating as a de-facto health care system in and of itself, its use of data is under a lower level of scrutiny. A hospital could share medical information with Amazon for research, for example, as long as it stripped the data of personally identifying information. And once the medical data has been de-identified it is no longer protected under HIPAA, so Amazon could legally try to link it to existing data on specific users.
>
>
As a general rule, under HIPAA healthcare systems can legally share de-identified health information with their business partners even without patients’ consent as long as the use is for healthcare functions. This provision applies to many of the ways technology companies are collecting health data. As long as the company receiving the data isn’t operating as a de-facto health care system, its use of data is under a lower level of scrutiny. For example, a hospital could share medical information with Amazon for research if it stripped the data of personally identifying information like names and birthdates. Once the medical data has been de-identified, it is no longer protected under HIPAA. This means that Amazon could legally take the data it has received from a healthcare system for “healthcare functions” and try to link it to its existing data on specific users, which in effect undoes the de-identification and allows Amazon to know specific health information about its users.
 
Changed:
<
<
Patients are attempting to push back against this nonconsensual sharing of their medical data. A group of patients has sued the University of Chicago Medical Center for sharing patient data with Google without stripping out dates. In theory, Google could use information it has about users’ locations to match the medical data with specific users and then use this enhanced knowledge about their users for marketing purposes. Unfortunately, since the medical center did remove names, phone numbers, and other patient information from the records, it appears that this type of sharing is legal under the current regime. Ultimately the best way patients can protect themselves against non-consensual sharing of their medical information with technology companies is to push for updates to HIPAA. HIPAA was signed into law in the 90’s, before most could conceive of the ways that technology companies would come to use personal data. Changes to the law to require affirmative, informed consent from patients before their health data is stored or shared may be the only way to stop these companies from misappropriating our data further.
>
>
Patients are attempting to push back against this sharing of their medical data. A group of patients has sued the University of Chicago Medical Center for sharing patient data with Google without stripping out dates. In theory, Google could use information it has about users’ locations to match the medical data with specific users and then use this enhanced knowledge about users for marketing purposes. Unfortunately, since the data didn't contain identifying patient information, it appears that this type of sharing is legal under the current regime.

While patients can try to protect their medical data by only using healthcare providers who do not store data in EHRs or who pledge not to share data with outside corporations, many do not have this level of autonomy over their healthcare. Patients on Medicare, for instance, only have access to a limited number of providers. Consent requirements are not the answer either; no patient can truly consent to the ways corporations might use their health data. Ultimately, patients may only be able to fully protect themselves against sharing of their medical information by demanding updates to HIPAA. HIPAA was signed into law in 1996, before most could conceive of how companies would come to use personal data. Changes to the law to require affirmative, informed consent from patients before their health data is stored and to prohibit data sharing may be the only way to stop these companies from misappropriating medical data further.

 
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.

Revision 4r4 - 03 Feb 2020 - 19:35:08 - NishaChandra
Revision 3r3 - 16 Jan 2020 - 04:45:10 - NishaChandra