
Thoughts on Privacy in Health Care in the Wake of Facebook Scrutiny

Posted on April 13, 2018 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

A lot of health IT experts are taking a fresh look at the field’s (abysmal) record in protecting patient data, following the shocking Cambridge Analytica revelations that cast a new and disturbing light on privacy practices in the computer field. Both Facebook and others in the computer field who would love to emulate its financial success are trying to look at general lessons that go beyond the oddities of the Cambridge Analytica mess. (Among other things, the mess involved a loose Facebook sharing policy that was tightened up a couple years ago, and a purported “academic researcher” who apparently violated Facebook’s terms of service.)

I will devote this article to four lessons from the Facebook scandal that apply especially to health care data–or more correctly, four ways in which Cambridge Analytica reinforces principles that privacy advocates have known for years. Everybody recognizes that the risks modern data sharing practices pose to public life are hard, even intractable, and I will have to content myself with helping to define the issues, not present solutions. The lessons are:

  • There is no such thing as health data.

  • Consent is a meaningless concept.

  • The risks of disclosure go beyond individuals to affect the whole population.

  • Discrimination doesn’t have to be explicit or conscious.

The article will now lay out each concept, how the Facebook events reinforce it, and what it means for health care.

There is no such thing as health data

To be more precise, I should say that there is no hard-and-fast distinction between health data, financial data, voting data, consumer data, or any other category you choose to define. Health care providers are enjoined by HIPAA and other laws to fiercely protect information about diagnoses, medications, and other aspects of their patients’ lives. But a Facebook posting or a receipt from the supermarket can disclose that a person has a certain condition. The compute-intensive analytics that data brokers, marketers, and insurers apply with ever-growing sophistication are aimed at revealing these things. If the greatest impact on your life is that a pop-up ad for some product appears on your browser, count yourself lucky. You don’t know what else someone is doing with the information.

I feel a bit of sympathy for Facebook’s management, because few people anticipated that routine postings could identify ripe targets for fake news and inflammatory political messaging (except for the brilliant operatives who did that messaging). On the other hand, neither Facebook nor the US government acted fast enough to shut down the behavior and tell the public about it, once it was discovered.

HIPAA itself is notoriously limited. If someone can escape being classified as a health care provider or a provider’s business associate, they can collect data with abandon and do whatever they like (except in places such as the European Union, where laws hopefully require them to use the data for the purpose they cited while collecting it). App developers consciously strive to define their products in such a way that they sidestep the dreaded HIPAA coverage. (I won’t even go into the weaknesses of HIPAA and subsequent laws, which fail to take modern data analysis into account.)

Consent is a meaningless concept

Even the European Union’s new regulations (the much-publicized General Data Protection Regulation or GDPR) allow data collection to proceed after user consent. Of course, data must be collected for many purposes, such as payment and shipping at retail web sites. And the GDPR–following a long-established principle of consumer rights–requires further consent if the site collecting the data wants to use it beyond its original purpose. But it’s hard to imagine what use data will be put to, especially a couple years in the future.

Privacy advocates have known from the beginning of the ubiquitous “terms of service” that few people read them before they press the Accept button. And this is a rational ignorance. Even if you read the tiresome and legalistic terms of service (I always do), you are unlikely to understand their implications. So the problem lies deeper than tedious verbiage: even the most sophisticated user cannot predict what’s going to happen to the data she consented to share.

The health care field has advanced farther than most by installing legal and regulatory barriers to sharing. We could do even better by storing all health data in a Personal Health Record (PHR) for each individual instead of at the various doctors, pharmacies, and other institutions where it can be used for dubious purposes. But all use requires consent, and consent is always on shaky grounds. There is also a risk (although I think it is exaggerated) that patients can be re-identified from de-identified data. But both data sharing and the uses of data must be more strictly regulated.

The risks of disclosure go beyond individuals to affect the whole population

The illusion that an individual can offer informed consent is matched by an even more dangerous illusion that the harm caused by a breach is limited to the individual affected, or even to his family. In fact, data collected legally and pervasively is used daily to make decisions about demographic groups, as I explained back in 1998. Democracy itself took a bullet when Russian political agents used data to influence the British EU referendum and the US presidential election.

Thus, privacy is not the concern of individuals making supposedly rational decisions about how much to protect their own data. It is a social issue, requiring a coordinated regulatory response.

Discrimination doesn’t have to be explicit or conscious

We have seen that data can be used to draw virtual red lines around entire groups of people. Data analytics, unless strictly monitored, reproduce society’s prejudices in software. This has a particular meaning in health care.

Discrimination against many demographic groups (African-Americans, immigrants, LGBTQ people) has been repeatedly documented. Very few doctors would consciously aver that they wish people in these groups harm, or even that they dismiss their concerns. Yet it happens over and over. The same unconscious or systemic discrimination will affect analytics and the application of its findings in health care.

A final dilemma

Much has been made of Facebook’s policy of collecting data about “friends of friends,” which draws a wide circle around the person giving consent and infringes on the privacy of people who never consented. Facebook did end the practice that allowed Global Science Research to collect data on an estimated 87 million people. But the dilemma behind the “friends of friends” policy is how inextricably it embodies the premise behind social media.

Lots of people like to condemn today’s web sites (not just social media, but news sites and many others–even health sites) for collecting data for marketing purposes. But as I understand it, the “friends of friends” phenomenon lies deeper. Finding connections and building weak networks out of extended relationships is the underpinning of social networking. It’s not just how networks such as Facebook can display to you the names of people they think you should connect with. It underlies everything about bringing you in contact with information about people you care about, or might care about. Take away “friends of friends” and you take away social networking, which has been the most powerful force for connecting people around mutual interests the world has ever developed.

The health care field is currently struggling with a similar demonic trade-off. We desperately hope to cut costs and tame chronic illness through data collection. The more data we scoop up and the more zealously we subject it to analysis, the more we can draw useful conclusions that create better care. But bad actors can use the same techniques to deny insurance, withhold needed care, or exploit trusting patients and sell them bogus treatments. The ethics of data analysis and data sharing in health care require an open, and open-eyed, debate before we go further.

Health IT Continues To Drive Healthcare Leaders’ Agenda

Posted on October 23, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new study laying out opportunities, challenges and issues in healthcare likely to emerge in 2018 demonstrates that health IT is very much top of mind for healthcare leaders.

The 2018 HCEG Top 10 list, which is published by the Healthcare Executive Group, was created based on feedback from executives at its 2017 Annual Forum in Nashville, TN. Participants included health plans, health systems and provider organizations.

The top item on the list was “Clinical and Data Analytics,” which the list describes as leveraging big data with clinical evidence to segment populations, manage health and drive decisions. The second-place slot was occupied by “Population Health Services Organizations,” which, it says, operationalize population health strategy and chronic care management, drive clinical innovation and integrate social determinants of health.

The list also included “Harnessing Mobile Health Technology,” which included improving disease management and member engagement in data collection/distribution; “The Engaged Digital Consumer,” which by its definition includes HSAs, member/patient portals and health and wellness education materials; and cybersecurity.

Other hot issues named by the group include value-based payments, cost transparency, total consumer health, healthcare reform and addressing pharmacy costs.

So, readers, do you agree with HCEG’s priorities? Has the list left off any important topics?

In my case, I’d probably add a few items to the list. For example, I may be getting ahead of the industry, but I’d argue that healthcare AI-related technologies might belong there. While there’s a whole separate article to be written here, in short, I believe that both AI-driven data analytics and consumer-facing technologies like medical chatbots have tremendous potential.

Also, I was surprised to see that care coordination improvements didn’t top respondents’ list of concerns. Admittedly, some of the list items might involve taking coordination to the next level, but the executives apparently didn’t identify it as a top priority.

Finally, as unsexy as the topic is for most, I would have thought that some form of health IT infrastructure spending or broader IT investment concerns might rise to the top of this list. Even if these executives didn’t discuss it, my sense from looking at multiple information sources is that providers are, and will continue to be, hard-pressed to allocate enough funds for IT.

Of course, if the executives involved can address even a few of their existing top 10 items next year, they’ll be doing pretty well. For example, we all know that providers’ ability to manage value-based contracting is minimal in many cases, so making progress would be worthwhile. Participants like hospitals and clinics still need time to get their act together on value-based care, and many are unlikely to be on top of things by 2018.

There are also problems, like population health management, which involve processes rather than a destination. Providers will be struggling to address it well beyond 2018. That being said, it’d be great if healthcare execs could improve their results next year.

Nit-picking aside, HCEG’s Top 10 list is largely dead-on. The question is whether healthcare executives will be able to step up and address all of these things. Fingers crossed!

Scenarios for Health Care Reform (Part 2 of 2)

Posted on May 18, 2017 | Written By

Andy Oram

The first part of this article suggested two scenarios that could promote health care reform. We’ll finish off the scenarios in this part of the article.

Capitalism Disrupts Health Care

In the third scenario, reform is stimulated by an intrepid data science firm that takes on health care with greater success than most of its predecessors. After assembling an impressive analytics toolkit from open source software components–thus simplifying licensing–it approaches health care providers and offers them a deal they can’t refuse: analytics demonstrated to save them money and support their growth, all delivered for free. The data science firm asks in return only that they let it use deidentified data from their patients and practices to build an enhanced service that it will offer paying customers.

Some health care providers balk at the requirement to share data, but their legal and marketing teams explain that they have been doing it for years already with companies whose motives are less commendable. Increasingly, the providers are won over. The analytics service appeals particularly to small, rural, and safety-net providers. Hammered by payment cuts and growing needs among their populations, they are on the edge of going out of business and grasp the service as their last chance to stay in the black.

Participating in the program requires the extraction of data from electronic health records, and some EHR vendors try to stand in the way in order to protect their own monopoly on the data. Some even point to clauses in their licenses that prohibit the sharing. But they get a rude message in return: so valuable are the analytics that the providers are ready to jettison the vendors in a minute. The vendors ultimately go along and even compete on the basis of their ability to connect to the analytics.

Once stability and survival are established, the providers can use the analytics for more and more sophisticated benefits. Unlike the inadequate quality measures currently in use, the analytics provide a robust framework for assessing risk, stratifying populations, and determining how much a provider should be rewarded for treating each patient. Fee-for-outcome becomes standard.

Providers make deals to sign up patients for long-term relationships. Unlike the weak Medicare ACO model, which punishes a provider for things their patients do outside their relationship, the emerging system requires a commitment from the patient to stick with a provider. However, if the patient can demonstrate that she was neglected or failed to receive standard of care, she can switch to another provider and even require the misbehaving provider to cover costs. To hold up their end of this deal, providers find it necessary to reveal their practices and prices. Physician organizations develop quality-measurement platforms such as the recent PRIME registry in family medicine. A race to the top ensues.

What If Nothing Changes?

I’ll finish this upbeat article with a fourth scenario in which we muddle along as we have for years.

The ONC and Centers for Medicare & Medicaid Services continue to swat at waste in the health care system by pushing accountable care. But their ratings penalize safety-net providers, and payments fail to correlate with costs as hoped.

Fee-for-outcome flounders, so health care costs continue to rise to intolerable levels. Already, in Massachusetts, the US state that leads in universal health coverage, 40% of the state budget goes to Medicaid, where likely federal cuts will make it impossible to keep up coverage. Many other states and countries are witnessing the same pattern of rising costs.

The same pressures ride like a tidal wave through the rest of the health care system. Private insurers continue to withdraw from markets or lose money by staying. So either explicitly or through complex and inscrutable regulatory changes, the government allows insurers to cut sick people from their rolls and raise the cost burdens on patients and their employers. As patient rolls shrink, more hospitals close. Political rancor grows as the public watches employer money go into their health insurance instead of wages, more of their own stagnant incomes go to health care costs, and government budgets get tied up in health care instead of education and other social benefits.

Chronic diseases creep through the population, mocking crippled efforts at public health. Rampant obesity among children leads to more and earlier diabetes. Dementia also rises as the population ages, and climate change scatters its effects across all demographics.

Furthermore, when patients realize the costs they must take on to ask for health care, they delay doctor visits until their symptoms are unbearable. More people become disabled or perish, with negative impacts that spread through the economy. Output declines and more families become trapped in poverty. Self-medication for pain and mental illness becomes more popular, with predictable impacts on the opiate addiction crisis. Even our security is affected: the military finds it hard to recruit healthy soldiers, and our foreign policy depends increasingly on drone strikes that kill civilians and inflame negative attitudes toward the US.

I think that, after considering this scenario, most of us would prefer one of the previous three I laid out in this article. If health care continues to be a major political issue for the next election, experts should try to direct discussion away from the current unproductive rhetoric toward advocacy for solutions. Some who read this article will hopefully feel impelled to apply themselves to one of the positive scenarios and bring it to fruition.

Scenarios for Health Care Reform (Part 1 of 2)

Posted on May 16, 2017 | Written By

Andy Oram

All reformers in health care know what the field needs to do; I laid out four years ago the consensus about patient-supplied data, widespread analytics, mHealth, and transparency. Our frustration comes in when trying to crack the current hide-bound system open and create change. Recent interventions by US Republicans to repeal the Affordable Care Act, whatever their effects on costs and insurance coverage, offer no promise to affect workflows or treatment. So this article suggests three potential scenarios where reform could succeed, along with a vision of what will happen if none of them take hold.

Patients Forge Their Own Way Forward

In the first scenario, a tiny group of self-trackers, athletes, and empowered patients start a movement that ultimately wins over hundreds of millions of individuals.

These scattered enthusiasts, driven to overcome debilitating health problems or achieve extraordinary athletic feats, start to pursue self-tracking with fanaticism. Consumer or medical-grade devices provide them with ongoing data about their progress, and an open source platform such as HIE of One gives them a personal health record (PHR).

They also take charge of their interactions with the health care system. They find that most primary care providers aren’t interested in the data and concerns they bring, or don’t have time to process those data and concerns in the depth they need, or don’t know how to. Therefore, while preserving standard relationships with primary care providers and specialists where appropriate, the self-trackers seek out doctors and other providers to provide consultation about their personal health programs. A small number of providers recognize an opportunity here and set up practices around these consultations. The interactions look quite different from standard doctor visits. The customers, instead of just submitting themselves to examination and gathering advice, steer the conversation and set the goals.

Power relationships between doctors and customers also start to change. Although traditional patients can (and often do) walk away and effectively boycott a practice with which they’re not comfortable, the new customers use this power to set the agenda and to sort out the health care providers they find beneficial.

The turning point probably comes when someone–probably a research facility, because it puts customer needs above business models–invents a cheap, comfortable, and easy-to-use device that meets the basic needs for monitoring and transmitting vital signs. It may rest on the waist or some other place where it can be hidden, so that there is no stigma to wearing it constantly and no reason to reject its use on fashion grounds. A beneficent foundation invests several million dollars to make the device available to schoolchildren or some other needy population, and suddenly the community of empowered patients leaps from a minuscule pool to a mainstream phenomenon.

Researchers join the community in search of subjects for their experiments, and patients offer data to the researchers in the hope of speeding up cures. At all times, the data is under control of the subjects, who help to direct research based on their needs. Analytics start to turn up findings that inform clinical decision support.

I haven’t mentioned the collection of genetic information so far, because it requires more expensive processes, presents numerous privacy risks, and isn’t usually useful–normally it tells you that you have something like a 2% risk of getting a disease instead of the general population’s 1% risk. But where genetic testing is useful, it can definitely fit into this system.

Ultimately, the market for consultants that started out tiny becomes the dominant model for delivering health care. Specialists and hospitals are brought in only when their specific contributions are needed. The savings that result bring down insurance costs for everyone. And chronic disease goes way down as people get quick feedback on their lifestyle choices.

Government Puts Its Foot Down

After a decade of cajoling health care providers to share data and adopt a fee-for-outcome model, only to witness progress at a snail’s pace, the federal government decides to try a totally different tack in this second scenario. As part of the Precision Medicine initiative (which originally planned to sign up one million volunteers), and leveraging the ever-growing database of Medicare data, the Office of the National Coordinator sets up a consortium and runs analytics on top of its data to be shared with all legitimate researchers. The government also promises to share the benefits of the analytics with anyone in the world who adds their data to the database.

The goals of the analytics are multi-faceted, combining fraud checks, a search for cures, and everyday recommendations about improving interventions to save money and treat patients earlier in the disease cycle. The notorious 17-year gap between research findings and widespread implementation shrinks radically. Now, best practices are available to any patient who chooses to participate.

As with the personal health records in the previous scenario, the government database in this scenario creates a research platform of unprecedented size, both in the number of records and the variety of participating researchers.

To further expand the power of the analytics, the government demands exponentially greater transparency not just in medical settings but in all things that make us sick: the food we eat (reversing the rulings that protect manufacturers and restaurants from revealing what they’re putting in our bodies), the air and water that surround us, the effects of climate change (a major public health issue, spreading scourges such as mosquito-borne diseases and heat exhaustion), disparities in food and exercise options among neighborhoods, and more. Public awareness leads to improvements in health that lagged for decades.

In the next section of this article, I’ll present a third scenario that achieves reform from a different angle.