Privacy and Security TidBits

Computers, Privacy and Data Protection International Conference: European Data Protection, In Good Health? Part 1

According to its mission statement, the annual conference “Computers, Privacy and Data Protection” in Brussels aims to create a bridge between policy makers, academics, practitioners and activists, and aims to become Europe’s most important forum for the discussion of data protection and privacy issues.

The conference was held on the occasion of the annual Data Protection Day on January 28, celebrated in Europe to commemorate the signing of Convention 108 in 1981, and coopted in 2009 in the US as the annual “Data Privacy Day“, even though the US is not a signatory to convention 108.

The theme of the convention was: “European Data Protection: In Good Health?” and the first day of the three day conference was indeed entirely devoted to eHealth privacy issues.

The catalyst for this choice was the acceptance on March 15 2010 by the member states of the Barcelona Declaration “European co-operation on eHealth.”

In the EU, there is no specific legislation targeting healthcare data, because these data are already covered by the comprehensive Data Protection Directive.

Some member states, like Finland, Sweden, Denmark, Estonia and France have enacted specific eHealth legislation.

In the US, healthcare data are protected, on the Federal level, by HIPAA.

Deborah Peel from Patient Privacy Rights deplored how in the US, HIPAA basically allows Health Plans, Healthcare Clearing Houses and Healthcare Providers who transmit health information in electronic form (the so-called “covered entities”) to decide how to use Protected Health Information (PHI) without the patient’s consent.

She estimated the number of “covered entities” who have access to US health records and who are allowed to transfer them at 4 million.

As a consequence, there is a huge market for health records in the US, and apparently 35% of Fortune 500 companies have admitted using purchased medical records for hiring and promotion purposes.

Moreover, even the minimal privacy safeguards that are provided by HIPAA are not being enforced by HHS.

Deborah cited an interesting case currently before the U.S. Supreme Court, which agreed to decide whether state laws prohibiting “data mining” companies from marketing information about doctors’ drug prescriptions violate free speech rights.

(Author’s note: Hippocrates must be rolling over in his grave. Part of the Hippocratic oath says: “What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about.” )

The numerous EU panels identified and discussed many of the issues in eHealth privacy today:

– Patient-Doctor confidentiality should remain a key factor. If patients lose trust in the confidentiality of their condition, they will refrain from seeking proper medical care, especially for certain conditions with stigmas stiill attached to them, like aids or many psychiatric disorders.

– The security of eHealth data should be guaranteed.

– The access rights of patients to their medical records should be clear and enforced.

– The ownership of medical records should be clarified: Is the owner the patient, the doctor, is there joint ownership, no ownership? Polls indicate that as to the question of ownership of medical data, the majority votes in favor of patients being the rightful owners of their medical data.

– Informed consent by patients for transfer of medical data to third parties.

– The right of patients to determine who gets access to their data.

-The need to find the right balance between patients’ right of control over their PHI and the obvious health benefits of sharing PHI:

The benefits of sharing patients’ PHI among seperate healthcare providers and different treating hospitals are evident: better coordination of healthcare and more efficient and personalized treatments for the patients.

Finding a solution to better semantic interoperability between healthcare providers without sacrificing privacy was identified as one of the key issues of the day.

For example, in France, a patient has a right to mask his data and also a right to mask the fact that the data were masked. While this is a nice exercise in self-determination by the patient, it also results in a total lack of trust in eHealth records by the healthcare providers.

Many organizations such as  epSOS , IDRC, EHTEL, and ENISA are involved in research to find solutions for these problems.

Privacy by Design, Privacy Enhancing Technologies and more recently, Transparency Enhancing Tools (TETs) were often cited as possibly providing solutions to what many believe is an information governance issue.

-The dangers, as well as the benefits of sharing private health data on online social networking sites like  patientslikeme were emphasized and the implications of doctors emailing and texting their patients on their mobile phones were pointed out. Today, an iPhone ECG /EKG electrode can be attached to the iPhone for $100, measure a person’s ECG/EKG and send the results to the physician’s office via WIFI. Tele-health and e-prescriptions are a reality.

Health data posted or sent online are being data mined by marketers and data brokers and, just like the sale of off-line health data bases, these practices pose serious risks to the credit worthiness, employment chances and insurability of patients.

As David Garwood, director of EHTEL, so eloquently stated: “We are becoming digital maps, bits and bytes, to be sold to the highest bidder…The system has to work for the benefit of the patient rather than than the patient working for the benefit of the system.”

I believe Hippocrates would have agreed.