By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Debates around the privacy of healthcare data have been raging for years. The flames were fanned to new heights after an arrangement between Google and Ascension Health was revealed. Once the immediate (not necessarily accurate) reaction of claiming that the arrangement violated HIPAA settled down, the more nuanced discussion turned to trust. Namely, who do individuals believe can or will appropriately hold and maintain sensitive and private information.
Before getting further into the discussion around trust, defining the concept will be helpful. A dictionary definition of trust is “one in which confidence is placed” (Merriam-Webster Dictionary). When someone or something is trusted, there is a belief that the person or thing will respect and act in the interests of the one providing the information, object, or other item. Along with the trust is a belief that self-interest may be placed to the side.
In light of the definition, how does trust apply to healthcare data and healthcare generally? To obtain healthcare services, an individual must necessarily share very personal and intimate information that the individual sharing may not tell anyone else. Inherent in the sharing is the belief that the information will remain private, which means trusting that the healthcare clinician or other entity or person who receives the information will not share beyond expected boundaries or for other purposes. While that is a short summary of some expectations, the list of arguably representative of individual views on what will (or should) happen to the information.
Potentially running contrary to the trust placed in the healthcare system, it is possible for healthcare information to be used and disclosed in many instances and for a variety of purposes without an individual knowing. The permitted uses and disclosures are included within HIPAA (which is the subject of many misconceptions) and can be viewed as intended to not interfere with normal business operations. Despite the permissive ability to use healthcare data under HIPAA, healthcare clinicians and organizations are still often viewed as having the best interests of an individual forefront of mind. The inherent belief that healthcare organizations will protect information may be rooted in the desire to have a system that is designed to help individuals.
However, the healthcare industry is not just composed of clinicians, hospitals, or other care delivery entities. Behind many of the care delivery entities are numerous vendors and companies providing support. As should be understood, those companies can and do handle healthcare information for the care delivery entities, all under the ambit of HIPAA. Such relationships have existed for years. However, a growing change is the interest of companies not traditionally in the healthcare field to tap into what is viewed as a financially lucrative market.
The desire to get into the game is where Google, Amazon, Microsoft, and other so-called big technology companies enter the picture. In considering everyday life, it is hard to argue that big technology companies have not greatly influenced almost every aspect of life. Technology is hard to miss at that point in time. With that technology and innovation comes the desire to gather every increasing amounts of data to feed further innovation and development. Where do the companies get all of that data? From users.
Users may not be fully aware of what data are being collected though. Increasingly, individuals want to know that answer and are not starting to object to buried terms enabling the collection of unlimited amounts of data. While the resistance to data collection and refining privacy is growing in everyday life, the desire to protect information has always been present in healthcare. That tension is being exacerbated by the legal ability for technology companies to work with healthcare entities and get the benefit of using individuals’ healthcare information without consent or disclosure.
If the current legal framework allows the use, why is there a divide between those companies that individuals object to receiving that data and others that may never be known but do not raise the same ire? To some degree, the answer may lie in interactions with those companies in other settings. As suggested, big technology companies interact with individuals in all areas of life, which leads to a view that those companies are only interested in data for the sake of the data. Conversely, if a technology company is focused solely on healthcare and trying to address an issue for the healthcare industry, then the motives for wanting data may be viewed as less concerning or objectionable. In both scenarios, the same laws and compliance obligations apply.
Despite the same potential baseline, public reception will not be the same. Some of the primary differences would appear to be the scope of operations, preconceived views of the applicable companies, and the size of the applicable companies. As noted, smaller healthcare-focused companies do not seem to draw negative attention or individual ire (or at least ire that is so publicly vented). On the opposite side are companies like Google where it is assumed that data are only being obtained for improper reasons. Full protection, inappropriate use, or anything in between could easily occur at any entity though. Working through immediate reactions and thoughtfully considering the basis of concerns or even how to construct an ideal scenario would be more productive. Taking the time to encourage and pursue an open, honest, and transparent discourse has the potential to produce better results across the board for all.
There is no doubt that technology and its rapid expansion have shifted the foundations of trust and privacy. As the understanding of those concepts evolves, it is essential to work through how to preserve the interests of everyone in a legal, ethical, and moral manner. Only in that way can many of the logjams be removed and, optimistically, all involved and work collaboratively for the benefit of all.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.