Protecting health data critical
By Annie Anton and Peter Swire
As our everyday lives become more connected – via smartphones, tablets and other devices – so will information about our health care. This will provide enormous benefits to patients and to the health care system, allowing innumerable breakthroughs on the way we track health and medical information and enhancing our well-being. Many of these breakthroughs will take place here in Georgia, where the state – and in particular, Atlanta – is often considered the nation’s “Health IT Capital.”
But there is a dark side to our increased connectivity. As data breaches over the last year have shown — including one at Community Health Systems, in which data for 4.5 million patients was lost — patients’ privacy and security can become more vulnerable.
With the possibility of such incidents becoming more frequent, and given that more than 200 health information technology companies employing 15,000 workers are based in Georgia — generating more than $4 billion a year, the highest health IT revenues in the country — it is no accident Atlanta will take center stage Wednesday, International Data Privacy Day, at Georgia Tech. That’s when the National Cyber Security Alliance will bring together industry leaders and experts to discuss the challenges and promises of new health care technologies.
The emerging generation of medical devices and electronic records will generate unprecedented volumes of personal medical data, much of it transmitted to the cloud, where researchers can potentially aggregate information, identify health risks and discover vital correlations and possible treatments.
Researchers have learned more detailed electronic health records are especially useful for treating chronic diseases, which drive a large portion of rising health care costs. For instance, wearable computers will enable a wider range of activities for autistic people, and they also will help those struggling with smoking cessation. These wearables gather detailed information about the wearer and sometimes those nearby.
Content analysis of social media is also beginning to show promise for spotting postpartum and other depression, often before the patient or health care provider is aware of the extent of the problem.
While it is easy to see the public health benefits of such analysis, possible privacy concerns are glaring. Medical advances will be at serious risk if we don’t create privacy and security safeguards that build trust in the devices and companies that operate them.
Since 2009, new federal financial incentives for “meaningful use” of health IT have shifted the majority of clinical records into electronic form to improve health care quality and cost efficiency. However, some of the savings must be spent on data security, as more records are now subject to attacks from hackers.
At a minimum, health care providers must comply with the federal Health Insurance Portability and Accountability Act (HIPAA) privacy rule, in effect for over a decade but strengthened in the 2009 law.
Beyond that, health care professionals will need to make ethical, practical and business decisions about what additional rules are needed for carefully handling personal health information. Patient privacy has been required ever since the Hippocratic Oath, when ancient doctors promised to keep patient information “sacred and secret within my own breast.” Though HIPAA covers traditional health care providers, many of the new data flows come from non-traditional and often unregulated sources.
Those wishing to use new forms of health data should consider the possible backlash and loss of trust if patients or the press decides a new practice is too “creepy,” or that patient data is used in unexpected ways. More generally, breaches of patient data or lack of patient trust could greatly inhibit widespread adoption of new and life-saving technologies. Few of us would trust our psychiatrist or other therapist if we thought a transcript of the session was going to be broadcast widely. The new users of health care data must thoughtfully predict what practices will succeed in gaining and retaining patient trust.
Encouraging life-saving technologies, while protecting privacy and security, are important to the nation, which devotes almost one-fifth of its economy to the health care sector. Finding best practices for this topic is especially important to our region, so Atlanta can continue to grow its leadership in the information technology of health care.
Annie Antón has written about software compliance with HIPAA and is chair of the School of Interactive Computing at Georgia Tech. Peter Swire is a privacy expert at the Georgia Tech Scheller College of Business and senior counsel at Alston & Bird LLP. Information about International Data Privacy Day in Atlanta is available at http://www.staysafeonline.org/data-privacy-day/events.