July 25, 2012

The Privacy of Your Digital Self

Everybody has a shadow. Although as a small child you may have tried, you cannot separate yourself from your shadow no matter what you do. Electronic medical records may be the first tiny step on the road to attaching yet another indivisible part to your persona, a “panoramic, high-definition, relatively comprehensive view of a patient that doctors can use to assess and manage disease”, and this, in the words of Dr. Eric Topol, is the “essence of digitizing a human being”. Dr. Abraham Verghese named this digitized entity the iPatient and expressed concern that the “iPatient threatens to become the real focus of our attention, while the real patient in the bed often feels neglected, a mere placeholder for the virtual record”. Whether you share Dr. Topol’s enthusiasm or Dr. Verghese’s worries, or experience a combination of both, your medical digital self has been born. And nurtured by leaps and bounds in technology, it will soon grow to loom as large as your shadow at sunset.

Today’s electronic medical records contain a wealth of clinical and socio-economic data. By the time Dr. Topol’s creative destruction of medicine is well underway, electronic medical records will contain mountains of data from wearable sensors and monitoring devices, along of course with your entire genome, accurately sequenced and analyzed. You don’t have to be a tenured academic in search of grant funding to realize the endless possibilities created by electronic medical records data. Maybe we can find a cure for cancer, or at least figure out what causes it, and then find a cure. Since poverty is in many cases generational, maybe…. Or maybe not. Regardless of your research aspirations, the fact remains that this massive wealth of data is composed of millions (billions) of iPatients, or digitized human beings.

Unlike your childhood shadow, it seems that by erasing or masking some data elements, iPatients can be safely detached from Patients and aggregated in a fairly anonymous mass of iPatients. Assuming that this is true, and some are not so certain, two problems come to mind. First, iPatients pared down to complete anonymity make very poor subjects for serious clinical research. Second, by definition, complete genetic information cannot be anonymised. So what happens if we leave out serious clinical research and futuristic genetic profiles? Is there anything we can do with the simple, not so accurate and rarely complete data provided by today’s anonymous iPatients? Well, we could do another study to see if we still have geographical variations in care and costs. We could fund the 127th study to figure out that poor people are sicker and sicker people have larger costs and poor and sick people have the highest costs, particularly amongst the elderly. We could get a bit more pragmatic and figure out where grocery stores should stock beer and where Napa Valley wine would sell better. Or we could satisfy our needs to reform our brethren and figure out where we can get the best bang for every buck spent on billboard space for antiabortion ads. Certainly, socially benevolent institutions may be able to find a myriad other uses for our aggregated iPatients, and medical records data adds a lot of “color” to the cut and dry claims data we are now using for similar purposes. But how do we go about aggregating our iPatients? Should all iPatients be available to whoever wants to use them, for whatever purpose?

Currently, iPatients are beginning to form in databases owned and maintained by Health Information Technology (HIT) vendors. The law of the land governing the travels and gatherings of iPatients is HIPAA, and it says that each one of us has the right to view our iPatient (seriously?) and to some degree consent to any travel plans made by our physicians or hospitals for our iPatients. iPatients who have been altered in certain ways to facilitate some level of anonymity are beyond our control. That’s the law. The practice of the law is a bit more interesting. First, the language of the HIPAA consent is broad enough to allow health care providers to do anything they wish to do with our iPatient for the purpose of “health care operations”, which can include medical care, washing windows and turning a blind eye to iPatient trafficking. A HIPAA consent form is part of Patient registration in every health care provider setting, but is this really “informed consent”? Do Patients know, for example, that your contract with your HIT vendor allows that vendor to make copies of supposedly anonymised iPatients and “share” them with whomever they wish? Do you know that? Do Patients really understand the difference between a HIPAA covered entity and a commercial app provider who is not bound by any type of anonymity restrictions upon backend exportation of iPatients?

In the olden days, before iPatients were born, people assumed that the Hippocratic Oath was good enough assurance to allow them to bare their bodies and souls in a doctor’s office. Today, this trust-based act is being electronically recorded and persisted for posterity. In technology circles this is called Big Data. Unlike paper and pencil manufacturers, and unlike any other industry, the new purveyors of documentation tools for the medical profession are asserting a peculiar right to the information created and stored in their tools. The iPatients are not the Patient’s property and are not the doctor’s property, and are not “property” at all, therefore they belong to the “public”. And by “public” they are referring to anyone with backend access to medical records databases, or anyone who can afford to purchase such access. You, the Patient or the doctor, are not the public. Just try to see if you can freely access a recently liberated iPatient population in any way. The idea here is that talking about iPatients as property and asserting ownership of iPatients by Patients and physicians is somehow logically flawed in view of property laws. And the idea is that the same exclusive “public” is much better equipped to decide how your iPatients should be used to your benefit, and used they must be. You should “trust” that this is indeed so. Implicitly. There is no need to “verify” or for anybody to “bring data”. You don’t need to be asked if you would like to volunteer your iPatient for research and you don’t need to be asked if it’s OK for some corporation to use your iPatient to increase profit margins and you don’t need to be asked if your iPatient can be used against you in aggregate or on an individual basis. Where once you only needed to trust your doctor, now you need to trust the “system”. [Don’t confuse this with the ongoing government campaign to facilitate “trusted” exchange of information, which is only concerned with frontend access to data.]

In 1890 Samuel Warren and Louis D. Brandeis published an article in the Harvard Law Review titled “The Right to Privacy”
… “Thus, in very early times, the law gave a remedy only for physical interference with life and property, for trespasses vi et armis. Then the "right to life" served only to protect the subject from battery in its various forms; liberty meant freedom from actual restraint; and the right to property secured to the individual his lands and his cattle. Later, there came a recognition of man's spiritual nature, of his feelings and his intellect. Gradually the scope of these legal rights broadened; and now the right to life has come to mean the right to enjoy life--the right to be let alone, the right to liberty secures the exercise of extensive civil privileges; and the term "property" has grown to comprise every form of possession-- intangible, as well as tangible.
Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right "to be let alone."
The principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an inviolate personality.” [emphasis added]
The iPatient is quickly becoming the repository for much of that “inviolate personality” and our “recent inventions and business methods” are practically screaming for attention to what must be done to secure an individual’s right “to be let alone”. A more recent Supreme Court opinion, written by Justice Stevens in 1977 in the case of Whalen v. Roe recognized that much, “A final word about issues we have not decided. We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files”, but stopped short of addressing the larger issue. It’s up to our elected representatives to legislate appropriately, and that time has come.

For starters, people should be made aware of all so called secondary and tertiary uses of their medical records whether anonymised or not. And people should have a choice of what types of usage they are willing to contribute medical records to. Blanket statements like “operations” are just not good enough. Recognizing, as Justice Stevens did, that “[t]he right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures”, the word "typically" must be replaced by "always", and should include backend wholesale disclosures by those who have no ownership rights to our intangible possessions. And if we must strike a balance between the public good and the privacy of our inviolate personality, we must make sure that the public referred to here is all of us, and that the good is indeed good enough, and that the balance is not calculated by corporate, political and moneyed interests, but that the balance is struck, in our customary ways, by We the People……


  1. Thank you for this piece. It is time for moving towards increased personal control of our iPatient. Quantal Semantics, Inc. proposes the use of a Personal Identity Information Bank through which the individual could have complete control of how not only their PHI is used, but also their deidentified information is used, as well as the ability to monitor that use. It is this need for control that will eventually make the PHR the primary repository of our iPatient, but then we need to trust our PHR like we trust our bank, and do we trust banks?

    1. Well, we do trust banks now, but we did not always trust them....

Here is a two-year-old post on EXACTLY this analogy. Great minds...? :-)

      The EHR Circle of Trust

