Your Medical Records Are Confidential, but Are They Private?

Although healthcare varies across the world, we all recognize that our medical records are highly personal. These documents detail some of our most intimate and potentially upsetting moments. We trust our healthcare providers with this data, partly because we don’t have a choice and partly because we believe it helps us get the best treatment possible.

However, as elsewhere on the internet, some in the medical industry hope to monetize our data. But unless you opt out of all professional healthcare, you don’t get to choose whether this information exists. After all, it’s not like you can click a button and delete your medical history.

It does make you wonder, though: if we can’t usefully consent to share this data, should healthcare providers be able to sell or share our medical records at all?

Why Are Medical Records Confidential?

When you become ill or need medical advice, you usually turn to your doctor as the first port of call. This may seem obvious, as medical professionals are trained to help with the body, ill health, and medicine. But there’s another reason too: privacy. Many people feel that they can’t discuss intimate matters with friends or family. For several complex societal and historical reasons, some people worry that illness might be considered embarrassing or shameful.

Healthcare is also an individual and group concern. The COVID-19 pandemic has highlighted the two-fold importance of medical intervention; if someone becomes infected with a virus, they may become seriously unwell themselves. If left untreated, they may also pass the virus on to other people, including friends, family, and coworkers. Consequently, it’s crucial that people talk openly to healthcare professionals without worrying about how their situation might be perceived.

As disease and illness don’t happen in isolation, there may be circumstances where it’d be helpful or vital to share some information about the patient and their condition. This might be a central database to monitor disease outbreaks, prevent harm, or comply with legal obligations. It’s essential that patients feel informed about how their data is shared and trust their doctor, hospital, and other healthcare professionals to be careful with this extremely sensitive information.

Which Laws Protect Your Medical Privacy?

Until the development of modern medicine in the 20th century, if you went to see a doctor, they might not have kept any records. If they did, these would have been single physical copies, only available to the professionals themselves. Now, we collect more data than ever before and through increasingly automated means. For instance, if you need to have blood tests, your healthcare provider will help arrange an appointment for someone to collect the sample.

Then, your blood will be sent to a laboratory to be tested. As most hospitals or doctor’s offices don’t have their own testing facilities, these are operated by third parties. So, even in this particular instance, it’s easy to see how data about your health and wellbeing is generated in multiple places before being collated by your healthcare provider. While you may trust your doctor, you cannot always make an informed decision about who interacts with your medical data.

However, to get treated, this sharing of data is sometimes necessary. So, you may trust your healthcare providers to maintain confidentiality and protect your privacy. Still, there also needs to be some mechanism to ensure that your data is securely stored and not shared without your consent. Lawmakers worldwide have attempted to tackle this issue, and in many countries, there is some degree of legal protection for your medical data.

In the US, the situation varies by state, as each regional legislature has its own set of laws around patient data. However, in 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This federal law gave all patients visibility of their Personal Health Information (PHI), the right to request that incorrect data be amended, and various other privacy-focused rights.

Then, in 2009, President Barack Obama enacted the American Recovery and Reinvestment Act of 2009 (ARRA), which included the Health Information Technology for Economic and Clinical Health Act (HITECH). Subtitle D of HITECH relates specifically to privacy provisions for Electronic Health Records (EHR). HITECH improved on past legislation and included guidance on how third parties should handle patient data and the penalties for non-compliance with HIPAA and HITECH.

Who Could Use Your Medical Data?

So while there might be laws in place to protect your data, that’s not always the same as what happens in practice. The insurance-funded healthcare system in the US further complicates the situation. You may have a relationship with your doctor, but your choice of insurance provider may shift over time. These companies are also for-profit businesses, so it would make sense that they might want to reduce or otherwise restrict the most costly services.

But, to make this kind of decision, the insurance companies need data. They can collect data about your healthcare needs from providers and past medical history. However, they often combine this with other datasets. For example, in 2018, ProPublica investigated the personal information that insurance companies gather on you. They found that data brokers were working closely with insurance companies, sharing people’s education levels, net worth, family structure and race, and potentially their social media posts.

While HIPAA and HITECH protect medical data, this protection doesn’t apply to other data, so these companies are increasingly looking to link existing information to your healthcare records. The problem isn’t limited to insurance providers either. In the UK, universal healthcare is provided by the state. The National Health Service (NHS) is funded by taxation and isn’t subject to the same commercial pressures as other healthcare systems.

However, when the NHS needs to share data with third parties, the situation can get quite complicated. In 2016, it was revealed that the NHS was sharing patient data with DeepMind, an artificial intelligence company owned by Google. The belief was that AI could automate or improve some healthcare decisions and lead to better overall outcomes. However, there was never informed consent from the patients involved about this data sharing, and the agreement was found to have broken the law.

A few years later, DeepMind transferred these contracts to Google Health, a similar Google subsidiary. Although it’s not entirely clear what access Google Health has to patient data, according to New Scientist, it seems to have a broader remit than the previous analytics-focused DeepMind work. For good reason, many people are wary of Google’s data-hungry practices. This concern increased after Google purchased Fitbit, as the company now owns a range of fitness data linked to your account.

The DeepMind contracts were found to break the law for several reasons, but one of the main concerns was that there was no informed consent from patients. As we know, confidentiality and trust are core parts of healthcare. If people start to be wary of medical institutions or the companies they work alongside, they may not seek treatment or could even become cynical and distrustful of all medical care.

While misinformation about healthcare, and about medicines and vaccines in particular, has been prevalent for decades, the COVID-19 pandemic showed how widespread this distrust of medical institutions has become. For example, some people believe that the COVID-19 vaccines contain microchips manufactured by Bill Gates, the co-founder of Microsoft. Similarly, some also thought that 5G networks were used to spread the coronavirus.

The consequences of data mismanagement, opaque or unclear collection practices and secret data-sharing agreements are likely to foster further distrust. However, whether a global pandemic or an individual illness, people need to feel comfortable sharing information privately with their healthcare providers. The advances we’ve made over the past century could be at risk if people lose confidence in the medical system.

Conversely, data sharing may improve health outcomes in ways we could never have expected. Large combined datasets could allow researchers to spot trends and track interventions. If a country like the US could gather high-quality medical data, it could share the insights with countries that have fewer resources and make global health outcomes more equal.

However, individual patients must be appropriately informed about what data they are sharing, what it’ll be used for, and how they can access their data.

Would You Share Your Medical Records?

Large datasets can reduce costs, improve health outcomes, and speed up the development of complex treatments. As healthcare records become increasingly digital across the world, it becomes easier to share this data with other researchers, countries, and companies.

The benefits of this collaborative approach could be enormous, and it doesn’t have to compromise your individual privacy. The companies sharing data without your informed consent are actively destroying trust in the world’s healthcare systems.

This is a considerable risk for society as we may gather the data and not make full use of it. Even worse, it could create a hostile, distrustful attitude towards healthcare providers and leave us all more vulnerable.

However, we can use technology to avoid preventable illnesses. For instance, privacy-focused contact tracing apps are instrumental in breaking the transmission of disease.

Source: makeuseof.com
