My daughters love the story of Goldilocks and the three bears. No number of different Goldilocks books or car trip retellings of her adventures with the bears sour the tale for them.
Goldilocks appeals to kids because, just like the three bears’ house, a child’s world often doesn’t fit them well. This is too big, that’s too small, or too hard, or too soft. Finding the “just right” is a real challenge.
I feel like I’ve been hearing that same story at HIMSS in discussions on access and protections on personal health data. It seems that privacy and control of medical data is a real problem. Not simply a concern, mind you, but an actual, current, pressing problem. For several years, we’ve known that the concern relating to the “hackability” and a more general perception of a lack of control over electronic health information has been a barrier to adoption of personal health record technologies and we’ve seen many data breaches that demonstrate that there is more that needs to be done to protect health information. But this is also not the source of the problem that’s being discussed.
In one, the access to data is too constrained and in the other, it’s far too available.
The constrained viewpoint comes from the communities representing genetic diseases and terminal illnesses. The challenges of getting meaningful data into the hands of researchers is very difficult, time consuming, and therefore expensive. Further complicating the debate is that certain data necessary to research, such as genetic data, by its nature makes the information personally identifiable under HIPAA. It’s an anchor dragging on the pace of medical research and treatment development. For populations where this is their only hope, no delay is acceptable.
Privacy advocates, on the other hand are up in arms about the amount of medical data that’s available through the various levels of access allowable by law today as an extension of your provider relationship or for simply for sale.
The answer suggested from both of these communities is that data should live in repositories under which patients have control over the data. Patients would have the ability to grant access only to those who they want to provide access and can provide explicit access to researchers, simplifying and streamlining medical research, reducing costs, and speeding the delivery of breakthroughs.
It’s an interesting concept, butI’m not convinced that this solves the underlying problems.
From the privacy advocate perspective, having such a repository doesn’t preclude the need for the many people who may have access to a patient’s information as a part of the overall care process. Certainly it would be nice to only allow your personal physician to see your information, but the billing staff will need to see it as will the insurance company and the business associates and your life insurance company. Consent was removed from HIPAA not because it wasn’t something that health consumers and privacy advocates wanted but rather because no provider would treat a patient who wouldn’t provide consent.
Likewise, speeding access to researchers looks good on paper, but much of the process of review for the use of human subjects or required disclosures still must happen. Although this may make it much easier for researchers to find study participants, I think we must assume that we are introducing significant selection bias into the samples through this approach. While not an insurmountable problem, these concerns will need to be addressed to ensure that the findings are clinically relevant and accepted through the medical community.
At the end of the day, the one single benefit of such a comprehensive personal health record is to provide more information to more people. Not less. The goal should be to give providers a more complete perspective on a patient’s situation or to grant access to constituencies who easily access it today.
Where is that “just right” place in the privacy and access continuum? And more importantly, when we find it, how long can we sit there before it breaks all to pieces?