Privacy and Confidentiality

3/26/2010

Looking through the Looking Glass
A periodic discussion of privacy issues has reappeared on the mailing list of the American College of Medical Informatics. Here are some thoughts on that topic.


I think it's useful to remember a distinction that the NRC "For the Record" study (led by Paul Clayton in 1997) made between privacy and confidentiality. As many have pointed out, the only way to assure privacy is essentially to drop out of the system altogether. 

Confidentiality, which is what people usually mean, is the controlled sharing of information, in which a patient has already agreed to some compromise of privacy (say, to tell their medical conditions to their doctor), but wants to assure that others do not have access to that information.  I know of no way to guarantee strong controls over how such information is used, once disclosed to anyone.  Certainly they cannot be purely technical, because we can't prevent the doctor, in the above case, from simply telling others outside the control of any technical means (short of mind control or some such science fiction ideas).  Therefore, controls on sharing have to be based on policy and enforced by sanctions, though technology can surely help to reduce the chances of inadvertent disclosure, help to prevent and detect unauthorized access, and make it harder to leak information on a large scale.

Unfortunately, we as a society do not have consensus on the conditions under which sharing of patient information can be deemed reasonable and can thus be done without lots of work.  The "solution" of demanding patient consent for all sharing is generally impractical, and in any case patients are effectively coerced into accepting institutional policies when they seek medical care. HIPAA exempts from controls any use of the data for treatment and normal business operations, including quality improvement studies and accreditation.  IRBs have generally agreed to allow unconsented access to data that have been de-identified, despite well-known results that show that de-identification is often a highly imperfect defense against a skillful and determined adversary: stripping names does not help when the fields that remain (ZIP code, birth date, sex) can be joined against a public table that still carries names.  And government organizations such as law enforcement and homeland security have invoked various other substantial reasons why they must have access to confidential data despite a patient's desire to prevent them from having it.

I agree with much of what has been written in this discussion about the fact that researchers are most heavily impacted by rules to enforce confidentiality, despite very little evidence that their actions are a significant source of risk.  Since the institution of HIPAA, various workarounds have been developed that make research access to precious data possible, but it is still quite a long and difficult task at many institutions to obtain permission, develop and apply technical means to remove identifiers and otherwise reduce disclosure risk, etc. As a result, energy that could go into productive exploration of the data goes instead into worries about how to obtain data access with due regard to confidentiality-protecting mechanisms.
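To make the point about de-identification concrete, here is an added example (not part of the original post, and the data are constructed, not real records). It runs the classic linkage attack: a "de-identified" clinical table has names removed but keeps ZIP code, birth date and sex, and a public table of the voter-roll kind carries names with those same three fields. Joining on the quasi-identifiers recovers names for every record whose quasi-identifier tuple is unique. The example then applies the usual countermeasures, generalization (ZIP prefix, birth year) and suppression of small equivalence classes, and shows both the k-anonymity they buy and the records they cost, which is exactly the research-access trade-off discussed above. The field names, table contents and the helper functions are all assumptions of this example.

```python
"""Linkage attack on a "de-identified" medical table, plus k-anonymity defenses.

Added example with constructed data; not code or data from the original post.
"""
from collections import defaultdict

# Constructed "de-identified" clinical records: names removed, quasi-identifiers kept.
DEIDENTIFIED_RECORDS = [
    {"zip": "02138", "dob": "1961-07-14", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1975-03-02", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1975-03-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02140", "dob": "1990-11-30", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02140", "dob": "1990-11-30", "sex": "F", "diagnosis": "anemia"},
]

# Constructed public table (voter-roll style) that carries names and the same fields.
PUBLIC_ROLL = [
    {"name": "A. Alpha", "zip": "02138", "dob": "1961-07-14", "sex": "F"},
    {"name": "B. Bravo", "zip": "02138", "dob": "1975-03-02", "sex": "M"},
    {"name": "C. Charlie", "zip": "02139", "dob": "1975-03-02", "sex": "M"},
    {"name": "D. Delta", "zip": "02140", "dob": "1990-11-30", "sex": "F"},
    {"name": "E. Echo", "zip": "02140", "dob": "1990-11-30", "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def quasi_key(row, fields=QUASI_IDENTIFIERS):
    """The tuple an attacker joins on: every non-name field shared by both tables."""
    return tuple(row[f] for f in fields)


def link(records, roll, fields=QUASI_IDENTIFIERS):
    """Map each record index to the set of names in `roll` sharing its quasi-key."""
    index = defaultdict(set)
    for person in roll:
        index[quasi_key(person, fields)].add(person["name"])
    return {i: index.get(quasi_key(r, fields), set()) for i, r in enumerate(records)}


def uniquely_reidentified(records, roll, fields=QUASI_IDENTIFIERS):
    """Records with exactly one matching name: index -> (name, diagnosis)."""
    out = {}
    for i, names in link(records, roll, fields).items():
        if len(names) == 1:
            out[i] = (next(iter(names)), records[i]["diagnosis"])
    return out


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth year only.

    Other fields (name, diagnosis) are copied through unchanged."""
    g = dict(row)
    g["zip"] = row["zip"][:3] + "**"
    g["dob"] = row["dob"][:4]
    return g


def class_sizes(records, fields=QUASI_IDENTIFIERS):
    counts = defaultdict(int)
    for r in records:
        counts[quasi_key(r, fields)] += 1
    return counts


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """k such that every quasi-identifier tuple occurs at least k times."""
    return min(class_sizes(records, fields).values())


def suppress(records, k, fields=QUASI_IDENTIFIERS):
    """Drop records whose equivalence class is smaller than k (data loss is the price)."""
    counts = class_sizes(records, fields)
    return [r for r in records if counts[quasi_key(r, fields)] >= k]


if __name__ == "__main__":
    print("raw release, k =", k_anonymity(DEIDENTIFIED_RECORDS))
    print("re-identified:", uniquely_reidentified(DEIDENTIFIED_RECORDS, PUBLIC_ROLL))
    gen_records = [generalize(r) for r in DEIDENTIFIED_RECORDS]
    gen_roll = [generalize(p) for p in PUBLIC_ROLL]  # attacker coarsens the roll the same way
    print("generalized release, k =", k_anonymity(gen_records))
    print("still re-identified:", uniquely_reidentified(gen_records, gen_roll))
    safe = suppress(gen_records, 2)
    print("after suppression, k =", k_anonymity(safe), "records kept:", len(safe))
    print("re-identified now:", uniquely_reidentified(safe, gen_roll))
```

Three of the five raw records re-identify outright, because their ZIP/birth date/sex tuple is unique in the public table. Generalizing to ZIP prefix and birth year still leaves the 1961 record alone in its class, so it is still linkable; only suppressing classes smaller than 2 brings the release to k = 2, at the cost of throwing that record away. Real releases have many more quasi-identifiers (admission dates, rare diagnoses, free text), which is why the post's "skillful and determined adversary" usually wins against naive identifier removal.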

As a patient, I would not favor public posting of all medical records, though that would certainly make research far easier.  Finding the appropriate balance between these poles needs to be done, and will not be easy. Because different people have very different levels of sensitivity, we will almost certainly have to develop policies that include some degree of patient control, even though this makes implementation much more difficult, introduces potentially severe selection biases, and requires educating each patient about the risks and benefits of permitting their data to be used in research. As a society, we could strive to find some common arrangements in which researchers would be allowed certain kinds of access to certain types of data routinely.  But finding such compromises is hugely difficult and will itself entail a great deal of education of the public.
