By Melanie Platten
12/8/2013
Before you go to fill a prescription, you might be interested to know who has access to see your health information and what exactly pharmacies are doing with all that data.
“All 55,000 [U.S.] pharmacies sell our prescription history and records to drug companies, insurance companies etc. at the end of each day,” said Dr. Debbie Peel, founder of the non-profit advocacy group, Patient Privacy Rights.
Peel and other patient privacy advocates fear that based on the National Committee on Vital and Health Statistics 2006 definition of privacy, patients literally have no rights.
“It’s defined as, ‘an individual’s right to control the acquisition, uses or disclosures of his or her identifiable health data,’ you can’t look at that and think current policy reflects that,” said Peel.
But not everyone agrees. Dr. Dick Johannes, head of clinical research at CareFusion, argues that certain safe harbor standards are in place to ensure that any health information that’s used is only done so with strict limitations. “Companies that use your information have to comply with the 1996 Health Insurance Portability and Accountability Act or HIPAA. Your information has to be de-identified and it’s generally used to benefit patients, not harm them.”
An incredible amount of good can come from all this information, if used the right way, argued Johannes. For example, automated dispensing cabinets are a way for physicians to automatically administer and electronically monitor medication dosage to patients, and are currently used in most U.S.hospitals today. “Those devices have information and data on exactly what medications were given to which patients and to whom,” Johannes said. “Think of all the possibilities that can come from being able to analyze and interpret that data, you’d have a pretty good idea of which medications worked and which didn’t.”
But despite burgeoning examples of the benefits of creating easy access to patient information for data scientists and health researchers, some still feel that ultimately the patient should own the right to control the data and who uses it. “Why should doctors and large corporations hold all the cards about the patients’ own data? It doesn’t seem right,” said Cecilia Gerard, employee at health care startup, Involvecare.
Additionally, people often give away their personal health information unknowingly, allowing companies to store and collect a lifetime’s worth of valuable information, said Peel.
Carol Skordas, first-year student at Harvard Business School, said she consented to allowing certain pieces of her health information to be accessed and tracked when she purchased the Basis Watch, an electronic tracking device that syncs with her mobile phone and helps monitor her daily fitness.
Basis is just one of many health-related IT companies that track consumers’ health information. Similarly, the company PillPack, a health IT startup founded in Cambridge, proposes an alternative solution to frequent trips to the pharmacy by delivering all of patients’ monthly prescriptions in a simple small pack, right to their door.
TJ Parker, CEO and founder of PillPack, argued that the company only uses patient data collected in aggregate. “Any information that is used to generate insight is depersonalized so it doesn’t correlate to you personally.” Parker added “the company doesn’t sell any patient data, de-identified or otherwise.” However the company’s online terms of use privacy policy explicitly states that the company can use personal information to sell to third-party vendors under certain conditions.
Companies like PillPack that have begun tracking people’s health information know they are sitting on a gold mine, said Peel. “The data mining industry is a multi-billion dollar industry, and companies treat the information as a corporate asset. In industry conferences, the information is talked about that way.”
So, are the risks worth the rewards? “Maybe,” said Involvecare employee, Gerard. “It’s a personal choice, and people have to weigh the value of the application or service over the value of their privacy.”
Currently, ownership of health data for administrative and clinical databases is a matter of state law in the absence of overarching federal legislation. This creates confusion, even among industry insiders. “One of the big questions right now in health care data is, who actually owns the information? ” said Johannes. ” Some would argue that patients own it; some would argue that hospitals or EHR companies own it. It’s something that is still being very much determined.”
But even if patient data ownership were tightly defined, it doesn’t necessarily mean all concerns around patient data use would be resolved, according to a recent article in the Harvard Journal of Law and Technology. In Barbara J. Evans’ “Much Ado About Data Ownership”, the University of Houston law professor argues that laws like HIPAA and The Common Rule, provide the same sorts of restrictions on patient data safety that would be provided if the patients actually owned their data. In other words, the state would have eminent domain power to appropriate the health information no matter what, if they thought it served public use.
In the meantime, industry insiders seem resigned to a wait-and-see game. “Although I don’t believe it will happen in my lifetime,” Johannes said, “Ideally, I’d like to see the industry get to the point where the data itself is ubiquitous. The data would become the commodity and what you did with it, would determine the value-add.”
American Health Information Management Association, guidelines and tips for providers and patients on how to take control of health information records.
