Law in the Internet Society
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.

Misappropriation of Medical Data

-- By NishaChandra - 06 Dec 2019

Medical data is data that is collected about a person’s state of health. It can include information about hospitalizations, symptoms, treatment plans, and medications. This data, traditionally collected by medical professionals, is now typically stored as electronic health records (EHRs), which can be uploaded onto an electronic health information exchange (eHIE). EHRs can be accessed by approved users instantly and be shared across organizations, which helps doctors understand patients’ histories and medical needs. Unfortunately, as sharing medical data has become easier, entities outside the healthcare system have started collecting this data and using it for their own ends. Absent an overhaul of our healthcare system, the only solution may be updating outdated privacy laws.

Tech's Interest in Health Data

Increasingly, technology corporations are collecting health data, both with and without people’s knowledge. In some cases, people are willingly handing over their data. For instance, millions have downloaded period-tracker smartphone applications, which can store information about users’ contraception methods, period cycles, and symptoms. Users of these trackers and other similar services are willingly providing their most intimate data in return for reducing anxieties about their health. In other cases, people don’t know that corporations have access to their health data or never consented to it. The Maya period tracker, for instance, was recently found to be sharing its users’ medical data with Facebook. Google has similarly accessed health data without patients’ knowledge through Project Nightingale, a partnership with the health care provider Ascension. Through this project Google has the health records for millions of Ascension patients, and it claims its goal is to use machine-learning to help providers make better healthcare decisions.

While medical providers ostensibly collect medical data to streamline the provision of medical care, technology corporations may have more profit-based motives and care less about the privacy of this data. Health information, for example, can be used by corporations to suggest purchase options through targeted marketing. A company which learns that you’re struggling to conceive might then show you ads for fertility clinics. Through this type of marketing companies can influence the behavior of users. Health data can also be sold; Facebook is interested in collecting health data in part because of the lucrative practice of selling it to pharmaceutical and insurance companies. Unfortunately for users, health data in the hands of these types of companies will inevitably lead to discrimination based on that data. Insurers may start making health insurance coverage decisions based on the data they’re buying from these behavior-collectors. A previous prescription for depression medication noted on a patient’s medical record may lead to a denial of health insurance in the future due to “pre-existing conditions”. One day soon, companies will use the health data they’ve collected or bought to make decisions that affect every facet of people's lives &#8211: decisions about who to rent to, who to give a loan to, and who to hire.

Sharing Under HIPAA

Patients’ consent plays a very small role in the dissemination of health data. Healthcare providers are bound by the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of protected health information by certain entities. While best practices dictate that patients should be asked to consent to the sharing of their health data, HIPAA provides a very low baseline of conduct and does not require this consent before exchanging health information through an eHIE. Some states have laws that are more protective than HIPAA of patients; but many of these laws only pertain to the disclosure of sensitive diagnoses such as HIV.

As a general rule, under HIPAA healthcare systems can legally share de-identified health information with their business partners even without patients’ consent as long as the use is for healthcare functions. This provision applies to many of the ways technology companies are collecting health data. As long as the company receiving the data isn’t operating as a de-facto health care system, its use of data is under a lower level of scrutiny. For example, a hospital could share medical information with Amazon for research if it stripped the data of personally identifying information like names and birthdates. Once the medical data has been de-identified, it is no longer protected under HIPAA. This means that Amazon could legally take the data it has received from a healthcare system for “healthcare functions” and try to link it to its existing data on specific users, which in affect undoes the de-identification and allows Amazon to know specific health information about its users

Patients are attempting to push back against this sharing of their medical data. A group of patients has sued the University of Chicago Medical Center for sharing patient data with Google without stripping out dates. In theory, Google could use information it has about users’ locations to match the medical data with specific users and then use this enhanced knowledge about users for marketing purposes. Unfortunately, since the data didn't contain identifying patient information, it appears that this type of sharing is legal under the current regime.

While patients can try to protect their medical data by only using healthcare providers who do not store data in EHRs or who pledge not to share data with outside corporations, many do not have this level of autonomy over their healthcare. Patients on Medicare, for instance, only have access to a limited number of providers. Consent requirements are not the answer either; no patient can truly consent to the ways corporations might use their health data. Ultimately, patients may only be able to fully protect themselves against sharing of their medical information by demanding updates to HIPAA. HIPAA was signed into law in 1996, before most could conceive of how companies would come to use personal data. Changes to the law to require affirmative, informed consent from patients before their health data is stored and to prohibit data sharing may be the only way to stop these companies from misappropriating medical data further.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r4 - 03 Feb 2020 - 19:35:08 - NishaChandra
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM