28 September 2012


The Office of the Privacy Commissioner in New Zealand has released Case Note 235915 [2012] NZ PrivCmr 5 regarding a hospital employee's disclosure of personal health information to a mutual friend.

The woman whose information was disclosed was undergoing treatment at her local hospital for a serious illness. Her doctor dictated a file note about that illness and the proposed treatment. The note was transcribed by a hospital employee, who had been a close friend of the woman and was able to identify her from the dictation. The OPC case note provides no indication of the size of the hospital and local community, relevant because in a small hospital serving a small community 'everyone does or is likely to know one another'

 The hospital employee subsequently disclosed information to a mutual friend. That friend contacted the woman to express concern about her ill-health.

The woman had not inform anyone apart from the health practitioner that she was ill and "was very upset that health information about her had been disclosed". The Privacy Commissioner noted that
Rule 11 of the Health Information Privacy Code 2004 prohibits a health agency from disclosing health information about an individual unless one of the specified exceptions applies. 
We did not consider that any of the exceptions were relevant and the hospital agreed. It accepted that its employee had breached rule 11, and caused emotional harm to the woman.
The woman and the hospital agreed to settle this complaint. The hospital provided an apology to the woman for the stress that had been caused to her, and also paid her some financial compensation. 
We closed our file on the basis that it had been settled.
There is no indication of the size of the compensation or of action by the hospital and its peers to prevent a recurrence of the problem.

'Protecting Patient Privacy in the Age of Big Data' by Nicolas Terry argues that
The next Administration will determine the future of privacy protection in the U.S. At first sight, much the same could have been said of all the administrations of the last five or six decades. In each case, the incoming president could have stepped up to the plate and made privacy a legislative or regulatory priority issue. Yet, none did (although a nod is due to the Clinton administration for its HIPAA rules). This time, however, the stakes are different. Failure to act during this Administration will send an almost irrefutable signal to the data collection and aggregation industries that “big data” will not be stopped or even slowed. As explained below “big data” refers to a revolution indata collection and processing that dramatically increases the privacy risks imposed on data subjects. 
This essay takes the position that, beyond its generalized threat to privacy, big data poses an exceptional group of problems for health care, its providers, researchers, and patients. Rightly or wrongly, policymakers have agreed that patient information is deserving of elevated protection compared to other data (so-­called health privacy exceptionalism). Yet, at the same time, the last two Administrations, one Republican and one Democrat, have promoted the dramatic growth of electronic medical records (EMR) with the specific aim of increasing the collection of clinical data and its broad sharing. As recently noted by the Institute of Medicine (IoM), “the U.S. health care system now is characterized by more to do, more to know, and more to manage than at any time in history.” Technology, not surprisingly, is viewed as holding the solution because “[a]dvances have made vast computational power affordable and widely available, while improvements in connectivity have allowed information to be accessible in real time virtually anywhere” affording “the potential to improve health care by increasing the reach of research knowledge, providing access to clinical records when and where needed, and assisting patients and providers in managing chronic diseases.” 
But, while policymakers are staking health care progress on big data, they seem less concerned about existential threats to the privacy of health information. The ramifications of big data are manifold. Perhaps two examples will serve to explain the thrust of this essay. First, our "medical selves" exist outside of the traditional (and HIPAA/HITECH-regulated) health domain, creating exploitable confusion as health information moves in and out of protected spaces.Second, big data positions data aggregators and miners to perform an end-­‐run around health care’s domain-­specific protections by creating medical profiles of individuals in HIPAA-­free space. After all, what is the value of HIPAA/HITECH sector-­specific protection designed to keep unauthorized data aggregators out of our medical records if big data mining allows the creation of surrogate profiles of our medical selves? 
Fortunately health information technologies (HIT) and patient privacy share a long history of bipartisan support and the next Administration will need to leverage that tradition to protect patients and their sensitive information in the face of growing data aggregation and sophisticated data mining. This battle has to be fought on three fronts. First, while HIPAA/HITECH provides increasingly robust protections against unauthorized uses of health information by a relatively narrow set of traditional health care provider data stewards, it does almost nothing to regulate the collection of health data. This is because the HIPAA Privacy Rule is a misnomer. It is not a privacy rule because it only protects against data disclosure not against data collection. It is therefore more appropriately described as a confidentiality rule. In the world of big data this is like bringing the proverbial knife to a gunfight. As a result it is time that the federal government put real limits on the collection and processing of personal information. 
Second, the U.S. has adopted a sector-­‐based approach to data protection. HIPAA, as amended by HITECH, and the “privacy” and security regulations made thereunder apply only to a narrowly constructed version of the vertical health care market. Such sector-­based approaches to regulation are frequently flawed because of poor calibration. Such is the case with health information. The health care sector and its stakeholders constitute an area considerably larger than the HIPAA-­regulated zone. As a result some health information circulates in what may be termed a HIPAA-­free zone. Further, the very concept of health sector specific regulation is flawed because health related or medically inflected data frequently circulates outside of the traditionally recognized health care sector. In both situations agreed upon health privacy exceptionalism is jeopardized.
Third, the IoM is correct that there is great value in patient information that could be extracted and used by responsible medical and public health researchers. Responsible public policy suggests that researchers should be able to request that information from patients. Many or most of the existing HIPAA and HITECH security and confidentiality protections will apply here. But neither current policy nor regulation supply the key component: a coherent choice architecture for dealing with appropriate patient decision-making regarding research use of personal or familial health data.
In suggesting legislative amelioration of these three issues this essay does not propose an exhaustive overhaul of HIPAA/HITECH. Rather, it suggests an incremental and additive approach. This includes adopting aspects of two privacy proposals recently published by the White House and the Federal Trade Commission (FTC).