Medicine makes progress as a field through large-scale study and experimentation, much of which involves retrospective work with data or research into specific medical cases. This creates a few challenges, however; specifically, such research often demands impossibly large data sets. Tackling this amount of information takes specially designed technology.
In addition to the technical difficulties of research, any work with patient data is subject to regulation under HIPAA, including everything from claims to email to complete medical records. Even the most well-meaning doctor or research scientist can’t simply rifle through records in search of clues to today’s biggest medical puzzles.
Medical researchers need to improve their HIPAA compliance in order to realize the full power of data science for the medical field. Data science could help us develop better systems for tracking and predicting patient outcomes, for example. Luckily, with the right tools and a complete knowledge and commitment to HIPAA’s principles, researchers can change the tendency to overstep core privacy rules. Learning to navigate these regulations will take researchers a long way toward greater access and increased knowledge.
Research Run Amok
HIPAA is very clear about what kind of patient information is protected within the medical system, and the categories include almost all of it. Anything that could potentially identify a patient must only be accessible to authorized individuals or fully anonymous. This includes more than just your name, contact information, and services, but also payment information, basic emails confirming appointments or other information, and even the structure of check-in. Check-in at a medical office is supposed to be done in such a way that other patients hear and see as little information as possible.
Of course, we all know something will be revealed about who we are when we walk into a doctor’s office, even if it just means a neighbor pointing you out to a friend after sitting in the same waiting room, but the expectations are different in research science. In particular, the use of the internet as a source for medical data has been abused, violating the spirit of the law, if not the letter of it.
When we use apps that record health information or search for information online, our information is sometimes collected by those programs and bought and sold by data brokers. Since that information isn’t collected by formal medical applications or other HIPAA-regulated forms, this information can be used in ways that fail to uphold the anonymity patients expect and deserve.
In another narrative of health data science working in less than honest ways, we encounter the work of IMS Health. Although IMS is far older than HIPAA – it was founded in the 1950s – it’s also one of the largest dealers in medical dossiers. The company buys information from an array of sources, including pharmacies and electronic medical systems, and while they remove any associated patient names from their data, the company’s refusal to discuss much about their practices should raise everyone’s defenses.
Because of the state of digital technology today, it’s unsurprising that hackers or other computer savvy individuals could access patient names through IMS Health data or other similar sources. Simply stripping a small identifier is not the same as fully anonymizing a data set. This is particularly true when looking at data that includes any regional data such as zip codes or computer tracking information like IP addresses, both of which are also protected in varying ways under HIPAA. Making data anonymous is more difficult than even most researchers realize.
When Researchers Withhold
One of the final concerns data science is producing concerning HIPAA violations involves withholding information. Data scientists and researchers produce and work with massive amounts of data. For example, when patients requested information from Myriad Genetics about genetic variants found during testing, Myriad withheld those variants the company believed were harmless. While they may be correct, that wasn’t the company’s decision to make.
Patients are entitled to their complete medical information, can transfer that information between doctors, and reference their own charts and information. When medical researchers withhold information, they not only violate HIPAA, they also take a paternalistic stance towards patients, depriving them of their rights to make informed decisions about their health.
Data science that drives medical research forward will be research that offers complete and honest data to patients and complete and anonymous data to the public. HIPAA exists, not only to protect patient privacy, but to empower patients around their health. Researchers have to uphold both of those promises.