Although some patients struggle to get access to their complete health records, their data is often shared with insurance companies, pharmacies and big tech without their knowledge, according to Kenneth Mandl, MD, and Eric Perakslis, PhD.
In a June 5 perspective article published in The New England Journal of Medicine, Dr. Mandl, director of the computational health informatics program at Boston Children's Hospital, and Dr. Perakslis, chief science and digital officer of Durham, N.C.-based Duke Clinical Research Institute, explored the issues surrounding patient data privacy and sharing.
Drs. Mandl and Perakslis wrote that some EHR companies incorporate patient data into services like clinical decision support or matching patients to clinical trials. While HIPAA regulates how patient data can be shared and must be protected, this data no longer falls under the regulations when it has been de-identified, or stripped of names, dates of birth, addresses and other identifying information.
Even after de-identification, patients can be re-identified "fairly readily" from datasets using computational methods, for marketing and other purposes, the co-authors wrote.
Here are four recommendations by Drs. Mandl and Perakslis for healthcare providers to better preserve patient data privacy:
1. Treat de-identified data the same as HIPAA-protected information. Healthcare organizations should tell patients that their data might be used in research and possibly shared with commercial parties.
2. When sharing data with third parties, healthcare organizations should have contractual controls specifying that health data should never pass beyond certain parties. It also should be made clear that health data cannot be linked with other datasets or re-identified without the permission of the healthcare provider who originated the data.
3. Providers should not let data leave the healthcare institution and should instead create methods that let external parties analyze the data while keeping the records in-house. Implementing protective contracts can safeguard patients' privacy on a project-by-project basis.
4. Lawmakers should consider new consumer protections, such as a California law that makes re-identification of de-identified health data illegal as well as "right-to-erasure" policies in the European Union. Laws like these would ensure that a patient can choose to have their data erased from a dataset when the information is being used for purposes other than those originally disclosed.