Between the widespread healthcare data breaches and Snowden‘s disclosure of widespread surveillance in America by our own government, one might be forgiven for believing there is no chance for an individual to expect any privacy when interacting with the healthcare system. Against that backdrop, I’m proposing what might be possible today and in the near future to help protect individuals’ privacy from the perspective of a healthcare delivery system, a payer and a patient.
I have been arguing for robust identity verification for most of my health information technology career. There are risks of misattributing data to an individual (e.g., “These records state you have HIV”) as well as risks of not attributing data to an individual (e.g., “I didn’t realize this CT scan showing cancer belonged to you”) when identity verification is not executed properly. Although both types of risks can be disasterous for any particular individual, I am becoming more aware of risks using maintaining identity persistently. Knowing someone’s entire healthcare history could expose that individual to algorithms that estimate future healthcare utilization or even prejudice care due to personal behaviors that have occurred in the past or even persist today. If you believe patients and/or their caregivers can manage multiple personas for healthcare (one for chronic medical conditions, another for mental health and another for high-stigma conditions), then considering new ways to partition and aggregate healthcare data may be helpful to support this user-controlled federated identity model.
Fundamentally, there has to be some consideration for securing data at rest and data in motion. For data at rest, encrypting data using user-generated key pairs for public key cryptography is the most secure way for individuals to implement while operating within our current expectations of data sharing on the Internet. Although some architectures support a certification authority for keys, Pretty Good Privacy (PGP) allows individuals to self-certify their key pairs. The “web of trust” model allows individuals to generate their own key pairs for different online interactions. Public and private keys generated using an open-source version of PGP like GNU Privacy Guard (GnuPG) can encrypt files at rest for storage as well as encrypting files prior to attaching them in secure communications. For data in motion, different email entities have different levels of fidelity to the PGP standard, jeapordizing the safety of users who rely on the encryption to keep their contents secure (e.g., EFAIL vulnerability). Users may prefer sharing encrypted files using a secure messaging platform like Signal. There are freeware versions of PGP for Windows and Mac.
After addressing the fundamentals of data encryption and transmission, there is the question of how much confidence do I as a healthcare provider need to have in believing you are who you say you are before rendering care. If I am seeing you for the first time, I will probably ask you a series of questions about your health history or review your medication list. I might also search for records using your demographic information both within the healthcare system’s electronic medical records as well as in any relevant exchanges, including the state’s prescription monitoring database. As long as the provider is not being asked to prescribe a potentially addictive substance or deliver services that cannot be reimbursed, the largest non-financial risk to a patient who does not share any information might be being exposed to a medication that induces an allergic reaction or a drug-drug interaction.
There are systems today that store prescriptions filled through pharmaceutical benefit options within medical coverage plans. Those systems currently display all medications, but those systems could just as easily display a subset of medications based on a patient’s preferences (or chosen persona). To protect the patient’s health, these systems would have to manage the patient’s drug-drug interactions electronically or through a prescribing pharmacist. From a payer perspective, an individual may have to register their different personas with the payer to make sure the member’s healthcare needs are covered regardless of the persona used.
Finally, the patient may want to consider sharing the outcomes of their healthcare decisions from a financial and quality-of-life perspective. In addition to basic demographics, the information may be more valuable to others if the patient shared their entire medical history, their health behaviors, their treatment preferences and their socioeconomic status. Each additional detail reduces the likelihood that the individual will remain anonymous, yet these details may be necessary for others to use information in ways to drive their own decision making. Processes to help individuals what level of granularity optimizes both their anonymity while providing some meaningful information to others might be the most effective way to increase an individual’s trust in the sharing their experiences with others.
Our current method of storing and sharing an individual’s personal health information seems to expose that information in ways that risk the individual’s privacy. At least one group is suggesting patients bypass HIPAA by requesting records on behalf of others to avoid the statute’s stipulations. Without a more thoughtful approach to empowering patients to protect their own privacy when interacting with payers and providers, patients may feel increasingly frustrated with their lack of agency within healthcare.