I strongly oppose this kind of law. HIPAA is a massive burden on medical and research organizations of all sizes. I've personally spent hundreds of hours navigating both human and technical bureaucracy related to HIPAA and I wouldn't wish that on my worst enemy.
Ultimately however the worst part of these laws is that they are so harmful to research in the long run. With easy and ready access to medical data we could be decades ahead of where we are today. There are legitimate concerns about health privacy (especially for women in the US) but the upside is just so much larger than the harms. It could be 10x less costly and time consuming to do both epidemiology and longitudinal intervention studies if we only had access to data. We could be directly tackling disease causal factors in ways that researchers today only dream of. It really is tens of thousands of lives lost each year that could have been saved if we could only have moved faster toward interventions.
I believe medical records should be open and laws should address how people use the data, not trying to make something so valuable to all humanity secret from the beginning. For example you can download my genetic code here: https://www.openhumans.org/member/iandanforth/
Doctor-patient confidentiality is important so that the doctor can act in your best interest (yes, yes, very funny) with full information. Very many things doctors need to be aware of to diagnose conditions have significant social stigma. Examples include alcoholism, mental disorders, substance abuse, genital status, sexual status, pregnancy status, the list goes on. The average person is reluctant to share this information to begin with, with good reason, as it goes into a permanent record. If such a record were public…
No, even for longitudinal studies, even with “anonymized” data, the risk is too great for any individual, and to society in general. Idiopathic and non-causal diseases should have some buy-in from patients; a standard waiver might be useful for research use of data. (I’ve signed one.) But in general, no, the restrictions are worth it.
Nowadays, seeking abortion/family planning could -literally- result in being jailed, and forced to give birth.
Mental health is a big deal. For better or for worse, if your employer/licensing org is aware of any mental health issues, then they could adjust how they treat you.
Crappy bosses could use your history as a way to discredit or manipulate you. That's exactly what the CIA does, whenever someone blows a whistle on them.
Some medical conditions can be interpreted by different people, in intensely negative ways. For example, at one time, being left-handed, meant that you were possessed by the devil.
Often sexual orientation/behavior is a part of your medical history.
But I'm suuuuure that no one would ever use this information in a questionable way.
Look at the "mug shot protection racket" sites. These sites leverage personal information that has been made public, as a way to force you to pay them to remove it (and then immediately republish it in another venue).
I guarantee that a number of folks on this very site, run those sites, and sincerely believe there's nothing wrong with it.
No. Just because "I have nothing to hide," does not mean that I get to force others to divulge intensely personal stuff.
In some jurisdictions, this is not always the case. One example is the "Good Samaritan" law in California[0] which provides some protection to patients seeking medical treatment for an overdose.
Yet they leak my medical records to debt collectors every single time, for debts that aren't even mine (when insurance refuses to pay for what they should).
I hear you, but those debts are actually yours. When you get treatment, you're assuming responsibility for the bill. The insurance company is technically reimbursing you, not assuming your debt.
That's certainly the bullshit narrative the billing department vampires want to push on you (the whole medical system revolves around punting responsibility on to someone else). But very rarely when you receive medical services is an actual contract being formed. Contracts require defined consideration, and some arbitrary numbers pulled out of a hat after the fact doesn't meet that bar.
Why would you proactively sue a provider over a billing issue? You mean a lawsuit from the provider, trying to substantiate the debt they claim you owe?
I've no doubt that there is some assortment of corrupt laws bought by the medical industry that have enabled these blatantly abusive billing practices. But until shakedown victims actually force the issue and publicize it, then those corrupt laws continue to avoid scrutiny.
I could not agree more. This problem absolutely ruins lives. I've seen people who've suffered terrible injuries beg not to be taken to the hospital because it would result in devastating financial consequences.
> I expect insurance companies to honor their contracts.
I agree with this as well. But that's a separate issue than who is legally responsible for the debt.
Doctors almost never act with full information. Doctors don't even want full information. It wastes their time. If you come to a new doctor they will make you fill out a stack of forms where you inaccurately self-report your medical history and then they will toss that in the rubbish bin. If you so much as dare to suggest that a doctor should transfer your old medical records from one place to another, they will vehemently object and question why you would want to do such a thing. In fact it is far easier to sign a release of medical records and authorize their release, than it is to cajole any given Records Department into accepting the transfer of records in any format, much less a machine-readable format that would be useful.
I believe it is a liability for doctors to know a true medical history, and anything not already being treated can be ignored and re-diagnosed later, which of course is an ideal situation for the insurance and the new provider, because you can charge all over again for those diagnostics.
Case in point, I had two EKGs performed on me, one in urgent care and one in the hospital. It was not too long before I was going in for surgery, and a prerequisite was a "12-lead EKG" readout, so naturally the hospital tried to force me to undergo a new one at enormous cost and inconvenience, and I balked, because I already had two perfectly good readouts in hand. They eventually relented, but it was incredibly difficult for them to admit that the test results were valid and acceptable, and this is all part of the scam, to charge as many times as possible for anything that wasn't performed here and now by us.
Likewise with psychiatry and therapists; I've been through multiple clinics and dozens of counselors, and of course each one produces a mountain of case notes. So I always offer and suggest that I sign a release and have all the prior case notes transferred over so that they get to know me better. The answer is always "no". They want to know nothing beyond what is in the intake forms, that they will spend 5 minutes reading. Then we will start my therapy over from Square One with a stranger and I get to recount all my feelings and life experiences over and over and over again, on my dime.
Nevertheless, it is still of the utmost importance that you continually sign authorizations for release and that you requisition all available records from all your providers. Authorize all providers to release information to your friends and family. They will hang up the phone if there is no release on file. Renew those authorizations on time, every time; your provider will not remind you. Release all records to yourself on a regular basis, especially after a hospitalization or major incident. You will want good records, just for your own examination, and also if there is ever a dispute or litigation about something, your attorney will appreciate those records too.
People will die as a result of their medical privacy being stripped away, when they forgo care in fear of the effect that stigma has or fear of losing their job due to their medical needs being too expensive or being prosecuted for having a miscarriage or drug use, etc.
It's not as black and white as that. People also have died because of the abuse of medical data. There is real, genuine harm either way.
And I'm not saying I wouldn't be willing to share. I have consented to such things before. But it should be my decision how much risk I'm willing to shoulder.
> I'm not willing to let tens or hundreds of thousands of people die because of social stigma
How about a compromise then? What if we made it so that you could get unrestricted medical record access for any patient for whom you are willing to guarantee (under severe financial penalty) will not die?
The amount of people who think that social stigma can't be changed is beyond me.
This is one of those cases where when we open things up we realize that just about everyone has or does things that are stigmatized and we have no choice but to stop stigmatizing them, the secrecy and shame are self-reinforcing.
Yeah I also wish it wasn't stigmatized for teenagers to go on birth control to control PCOS or whatever, but I sure as fuck am against some random state government putting together "research panels" or whatever of such people without their informed consent.
You are probably like me. To me there is no medical information of any kind that could embarrass or "stigmatize" me or anyone else.
But the vast majority of people are paralyzed by fear that someone might find out they have hemorrhoids.
Others live in a delusional state of paranoia where "duh gubmint" will use the info against them not realizing that any entity, governmental or otherwise, willing to do so will just ignore privacy laws anyways.
> To me there is no medical information of any kind that could embarrass or "stigmatize" me or anyone else.
The problem isn't being embarrassed. The problem is suffering real world consequences for certain types of medical treatment, such as problems getting work, renting housing, etc.
> I keep hearing about all of these nightmare scenarios, dreamed up by paranoiacs.
Not at all. These are all things that used to be pretty common. That's why medical privacy laws were enacted.
> Fix THOSE problems instead of killing people.
That would be ideal, yes. But nobody has figured out a way to do that.
BTW, I don't think your phrasing is helpful to your cause. It implies it's a black-and-white issue when in reality it's a very complex issue with a ton of nuance.
People die as a result of the lack of medical privacy too, after all.
> the entities inflicting these consequences don't care about medical privacy anyways, right?
No, they don't. But they do care about the huge fines and other legal consequences they risk by not adhering to the law.
> Very many things doctors need to be aware of to diagnose conditions have significant social stigma... the risk is too great for any individual
Very many things doctors need to be aware of, because the patient's life depends on it, are left out when patients move between specialists and physicians, which happens all of the time.
Outbreaks of viral and bacterial illnesses result in thousands of people independently chasing diagnoses and treatment, because the system doesn't share information that could be used to piece together and get ahead of it. Every time my kid gets sick at school, I get to play a game of "What is it? Do we see a Doctor? How much money should we spend?". Let's pretend we know nothing about this and go see a Doctor who hasn't seen anyone else in school, who may provide antibiotics they may or may not need or worse.
Effective prevention methods and early detection of bad treatment are discarded because it's so difficult to investigate and connect the dots between interventions and outcomes.
Patient privacy is important, but the system we have today is nothing less than a tragedy. Real damage in emotional, physical, and economic is happening on a grand scale every day in this country. We shouldn't pretend HIPPA is a good thing, or the current system is doing a good job. It's not. We need to radically transform how we operate, and much more open and connected medical records is certainly a part of that transformation.
HIPPAA doesn't just cover, say, the spread of tuberculosis. It also bars things like collecting a panel of homosexuals, transgenders, women who are on birth control or have abortions, people seeking treatment for schizophrenia or a personality disorder or addiction, or just fat poor schmucks that don't adequately treat their diabetes. Any number of highly stigmatized things or things that Palantir would love to own to sell to a private company.
I would start freaking the fuck out if my primary care physician gets to sell my diagnosis for money to Facebook, and I don't give a rat's ass if some 3 year old could've been cured of epilepsy if my doctor was able to do so. HIPPAA prevents my doctor from doing so and I'm glad for it.
What I'm saying is, the protections it provides are overstated, and the damage it does is (greatly) understated. I am not saying let's discard privacy protections altogether. I am saying let's not let bad implementations of good intentions convince us to be ok with an extremely expensive system that is not very useful and results in a great deal of physical and economic harm.
> I would start freaking the fuck out if my primary care physician gets to sell my diagnosis for money to Facebook,
To play Devil's advocate, do you think Facebook doesn't know who is gay and who has diabetes? If Target can figure out when you're pregnant, Google can certainly figure out on which day you plan to go to the abortion clinic. This information is already out there and used in ways we don't like. So maybe we should consider re-working HIPPA so the information can be used by the good guys instead.
If anything your Devil's advocate is that it should apply to way, way more people than just healthcare providers, and I would thoroughly agree with that. Facebook messages have already been used to arrest women for abortions, which should be a huge violation of someone's privacy and totally verboten.
You cannot say the protections it provides are overstated if you are not the people who were victimized by a lack of such protections in the first place. I do not want the "good guys" collecting panels on Jews. I certainly don't want the "good guys" collecting panels of info on trans kids without involvement from parents. The idea there is a "good guys" in this scenario is ridiculous. The idea that it might save lives is a cold comfort to the status of my minor child's birth control prescription status being accessible to the government.
> Who are these "good guys" you speak so highly of
Anyone who wants to use the records to improve healthcare. There are plenty of these folks in the medical field, based on my time in medical school and brief stint in a medical research group.
I would also include anyone involved in your direct care, i.e. the front-desk personnel at the various doctors' offices we visit, who have no way of easily obtaining your medical history if you aren't already in their system.
When providers fail to obtain medical histories for new patients that's not due to any legal restrictions. In most cases they simply haven't bothered to implement the open interoperability industry standards which make it easy to exchange such data, or haven't joined networks that facilitate such exchange. For example, the majority of physicians still don't have a publicly listed DirectTrust Direct Secure Messaging address even though they could have one at a very low cost.
> Anyone who wants to use the records to improve healthcare.
This is so nebulous. Anyone can claim they want to improve healthcare. The removal of abortion access has also repeatedly been justified as improving healthcare. The Tuskegee experiments (where they just let black men live with a curable, debilitating disease and continually lied to them about their suffering, some of them to their graves) were justified as improving healthcare. "Wanting to improve healthcare" does not preclude people from horrifically unethical behavior. Get better standards if you want to be accessing the private information of people without their consent.
That is totally wrong. There is nothing in HIPAA which would prevent healthcare providers from reporting infectious disease outbreaks to public health agencies. In fact, under some circumstances they are actually required to report.
> There is nothing in HIPAA which would prevent healthcare providers from reporting infectious disease outbreaks to public health agencies.
I see. So if three patients visit three separate physicians (with three separate healthcare systems) with the same illness (outbreak), these records may be aggregated to detect the outbreak? I was under the impression this kind of thing was not possible, or very difficult / limited, and would require some kind of patient authorization, and that HIPAA played a role in this.
(I expect this exists for known serious things like Ebola, but was thinking more directly about things like strep or typical viruses in a school. It seems like the outbreak information is put together after the fact, or after it gets grossly bad)
> For some reason, people who are deeply ignorant about what the law actually does also seem to get the acronym wrong.
Probably that HIPPA reads more like a word than HIPAA.
Absolutely not. Healthcare is already oppressively expensive in the US and now you want companies to be able to commercialize and exploit my private health information for profit? And they don’t even have to pay for it so they can sell me the cure they developed using information from my private health information?
America needs to be a radically different place for me to be okay with what you want.
It would be interesting if all research and advances based on PHI were automatically public domain. Sort of like the GPL - any derivatives, treatment discoveries, etc. must also be open. There would probably be too many loopholes to cover effectively, but it's a thought.
So are you being paid to comment? It amazes me how many people are motivated without profit to insist that nobody is motivated by anything other than profit.
Obviously funding is needed: funding which already comes from government in many cases. It's just that now that research funding gets handed to execs who then use the data to make more money, and only have to use the data to help people if it happens to coincide with their business strategy. Having the data public just means that the people working on it are motivated more by helping people and less by acquiring data to leverage for profit, which is a feature not a bug.
We have Government funding available for such purposes; a better connected and more open PHI system would reduce barriers and costs for these kinds of endeavors.
We would still need controlled trials, which would continue to work similarly to today. But those would be perhaps less expensive as a result, reducing research costs and turn around times.
Give me a surefire, 100% guarantee that my data won't be misused against me or anyone else, under severe penalty to you personally if your guarantee fails. Then we can talk.
I can't give you that guarantee today. I can't guarantee the government or your healthcare provider isn't misusing your data.
In fact a surefire guarantee essentially doesn't exist. But what exactly are you afraid of? How does someone weaponize your information? Everyone in my life already knows about my health conditions, I speak openly about them in my personal life, my business life and online there have been zero consequences to this.
Well that's really the point, ain't it. You can't even meet the bare frakking minimum for this to be workable.
> Everyone in my life already knows about my health conditions, I speak openly about them in my personal life, my business life and online there have been zero consequences to this.
Would you mind listing them out? Also, some vital info like date, place of birth, name, family medical history? Who was your mom and dad? Grandparents? Got any siblings/cousins? Also, go ahead and measure your bp, heartrate, blood sugar levels, and post those here as well, might be useful to know those too. Oh, reminds me, gonna need to see your hepatic and renal panels as well, you never know when that sort of information about you might come in handy.
I mean, now that we've interacted, I'm in your life too, and I'd like to know all these medical facts about you.
Edit:
> How does someone weaponize your information?
A lot of other people have posted some of the terrible consequences that can result, but let me give you a more inane one that might actually be a little easier to connect with.
Blood types are not evenly distributed, especially when it comes to blood banks. Some blood types, and especially if you have an uncommon Rh factor might be harder to get. So just imagine if your health insurance was more or less expensive just based on your blood type -- something that you will probably need to know (and will thus be available to your insurer) at some point in your life, and probably relatively sooner than later. How'd you like to pay hundreds or thousands more for health insurance based on your blood type alone (because there won't be any discounts for the common ones, just penalties for the rare ones.) Or worse, being denied coverage for a surgery because the blood you'd need transfused during it would be 'too expensive'.
> I speak openly about them in my personal life, my business life and online there have been zero consequences to this.
Not everyone is comfortable speaking openly about their health issues and not everyone is in a situation where they will be free from consequences if they do.
If you really can't imagine a way that someone might weaponize detailed health information, you have no business suggesting how laws should be changed around the matter.
Like throws you in prison because you were pregnant and now you are not, and the state concludes you must have had an abortion which just recently became illegal where you live?
> Everyone in my life already knows about my health conditions, I speak openly about them in my personal life, my business life and online there have been zero consequences to this.
“It doesn’t matter to me therefore it shouldn’t matter to anyone else. My experience is universal and correct.”
Show baby diapers ads because Google knows I'm pregnant. Increase the price of baby furniture because Amazon knows I'm pregnant. Decline a job interview because LinkedIn knows I'm alcoholic. Tell me what parties I might be interested in because Facebook knows I have cancer. Refuse a ride because Uber knows I'm not vaccinated.
None of these situations is far fetched, and none of those situations is something positive.
Companies only care about profits, not the betterment of society as you seem to believe. I am very happy there is no way for them to know more than they need about my private life.
> my business life and online there have been zero consequences to this.
Because those laws were in place. Do you believe companies have been behaving nicely because they care about you?
> Refuse a ride because Uber knows I'm not vaccinated.
> None of these situations is far fetched, and none of those situations is something positive.
Not only is that type of a situation not far fetched, it was the reality throughout Canada as recently as 2021 and 2022.
"Also effective October 30, travellers departing from Canadian airports, and travellers on VIA Rail and Rocky Mountaineer trains, will be required to be fully vaccinated in order to travel."
Given Canada's large geographic area, access to domestic air and rail travel is extremely important.
That type of unjustifiable discrimination also applied to other services/venues/events, too, such as restaurants.
What's even more nonsensical is how those policies remained in place even when it was blatantly obvious that the so-called "vaccines" involved didn't seem to prevent infection and didn't seem to prevent transmission, even among the so-called "fully vaccinated".
The very negative social and economic consequences of those awful policies far outweighed the non-existent "benefits".
If some good did come out of this, it's that at least a larger segment of the Canadian population realizes the importance of privacy, especially of medical records.
This is so easy to recognize that I have to wonder if you've ever met a less-privileged person than yourself.
1. A fully functioning, treatment-compliant schizophrenic is now at risk of being passed up for jobs or promotions because their medical history is up to be bought by employers.
2. A local concerned citizen will be much more afraid of protesting or publicly being against a politician if the politician can buy their history of getting PrEP, an HIV preventative drug that is popular in the homosexual community.
3. A religious private school starts to buy the medical history of their young girls, and reveal which girls are taking birth control, have had an abortion, etc. by expelling them from the school.
Or simply put: You first. Put your hemorrhoid surgery photos up on your LinkedIn.
I guess you're not an alcoholic? That's information that potential employers would be glad to pay for. In the days of paper records, doctors would write "C2H4OH" on your record, as a semi-coded message to other doctors.
Estimates vary, but I understand that close to 25% of the UK population is alcohol-dependent to some degree. Deterring people from seeking treatment seems "unhelpful" from the POV of general social benefit.
> How does someone weaponize your information?
Increase your health insurance prices based on more detailed knowledge of conditions? Deny you health insurance entirely?
Oh sure, but you know, I also probably benefited a little bit from the Tuskegee Syphilis experiments, and heck, if nuclear war ever comes, the things learned from keeping Hisashi Ouchi alive after his radiation exposure will probably help too.
The primary issue with this was the lack of ethical research, not the privacy of medical records. In fact the opposite argument could be made, with a more open and connected system, we could likely glean such information without the trial in the first place.
If you view letting infections play out in people because "We view black people as sub-human" is or can be equivalent to sharing medical records for patient care, research, or outbreak surveillance, and that there isn't a meaningful distinction between those categories, it is unlikely we could have a productive conversation on the topic.
In the nightmare scenario proposed by GP, of everyone's medical records being open to the public, I would simply stop consuming all medical services. So no.
You're correct in pointing out that people are inherently selfish, however one major purpose of collective government is to do those things which are necessary and not always in-line with selfish motivations. Just as most Americans would be horrified to have their salary posted publicly for fear of stigma, jealousy, reprisals etc, Norway has demonstrated that those fears are unfounded, and salary data doesn't even have the opportunity to save thousands and thousands of lives.
I understand your perspective, and respectfully disagree. The reason HIPAA exists is because of a long history of the abuse of people's medical records. Companies should not have access to my records without my explicit informed consent. They have shown time and time again that they can't be trusted with sensitive data. That's at least equally true for tech companies.
I'd be OK with a system that gave researchers access to my medical history only if they obtained actual, informed, and un-coerced consent. No "In order to use this medical service you must consent...", no "Please click Agree on this 38-page terms of service (which also sneakily agrees to consent)". No "I provide consent to each and every so-called researcher who wants access to my health history."
An actual written request for consent from a research institution, telling me exactly what data they intend to access, how they will access it, how many people will have access, for how long, and what they will do with the data / results after they are done. One that I can at my option sign and send back, or trash.
I'd in all likelihood say yes! But as a patient, I deserve the right to say yes or no. "Lives might be lost" is simply not justification for obtaining it.
This doesn't seem that unreasonable to me. It balances the need for research with the patient's need for privacy.
And more importantly, _who_ the people are. Yeah, I want full legal names. I want someone to name in a lawsuit if things go wrong or my data is leaked. I want personal legal culpability from everyone interacting with that data.
Whenever I used medical services in the past and filled a form with a question if my data "could be used for research in anonymous form" I answered: Yeah, sure!
Thanks to the likes of Facebook, Google and their ilk starting to stick their filthy paws into the most private medical data some years ago my answer now is always a resounding HELL, NO!
I always feel bad about it, because it really shouldn't be that way, but thanks to the slimy shenanigans of the tech brothership I just don't see a viable alternative to that answer.
What bugs me is my urge to explain to the poor admin to whom I'm handing the form why this is out of the question.
> Thanks to the likes of Facebook, Google and their ilk starting to stick their filthy paws into the most private medical data some years ago my answer now is always a resounding HELL, NO!
I made the exact same change in my behavior as well. I already felt that I was making a sacrifice by exposing my data to the likes of drug companies and such. Exposing my data to the likes of a FAANG-style company is simply a nonstarter.
Yes, I agree entirely. If it's been coerced in any way, or if any aspect is not fully disclosed in a way that I can understand, then it is not "informed consent".
Why am I not surprised that the top voted comment on Hacker News is one that ignorantly states only one side of an issue which just happens to benefit corporations at the expense of everyone else? HN can always be trusted to present the pro-corporate, anti-human take.
"Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions."[1]
That's what's on the HHS website, and that's a mild example of what was happening prior to HIPAA. Health information was being used to out gays and HIV patients, discover people's race, bypass due process, stalk women, etc. With data being weaponized against individuals more and more, we have good reason to believe that this would be worse in 2023 if these laws didn't exist, not better.
Yes, I'm aware of the burden that this puts on medical research. Behaving ethically is hard sometimes--get over it. You don't get a free pass to use people's private data without their consent. You might claim that you're only going to use that data for good, but the fact that you think bypassing people's basic human rights is acceptable shows that you don't have a working moral compass. You can't be trusted to only use people's data for good.
The fact that you wrote three paragraphs on this topic and didn't even mention the rights of the patient shows me I don't want you to have access to my medical data, let alone having authority to make decisions about who else can see my medical data. You're not a person who will make that decision ethically and responsibly.
> With easy and ready access to medical data we could be decades ahead of where we are today.
That's just bullshit.
Also, given the state of medical research methodology, you could just as well argue that it would yield even more unreliable studies, each adding confusion to our knowledge.
I get where you're coming from but the problems are orthogonal.
Let's say that each research study spends 10% of its time on recruitment and another 5-10% of its time on compliance. (Real numbers can be much higher).
Open medical data would reduce both these efforts, so every study, regardless of quality now goes more quickly and/or is less expensive. This is the primary benefit.
Now you're pointing out that extremely open data can lead to rapid and perhaps erroneous analysis. This is true, but it would also lead to rapid and accurate analysis. My point is that everything speeds up and compliance regulations around data handling are far less impactful on study quality than are protocols around experiment design.
For all intents and purposes, once IRB approval for a study is obtained, medical records ARE ALREADY OPEN to researchers for the purpose of recruitment.
I believe open medical data would have absolutely zero effect on the amount of time spent on recruitment.
Source: Me. I work with clinical trials data management in a medical research institution pulling hospital-side clinical data and patient schedules into systems on the research-side specifically for the purpose of recruitment.
I don't have time to type an essay but I have been in this field for years and it's simply true.
Please trust the opinions of people who have tried to do this work. There are many people trying to advance medical research in good faith who can attest to the insane inefficiencies of working with medical data.
I have also been in this field for years and the allure of "open medical data" magically accelerating medical research very much does NOT feel true to me.
Skip the essay but at least give me three or four sentences why I should feel differently?
> I believe medical records should be open and laws should address how people use the data, not trying to make something so valuable to all humanity secret from the beginning.
I believe exactly that, not about medical records but about medical procedures. If the doctors force me to share my medical records with the world of spammers and scammers I would rather choose to be a doctor for myself. But I see a bit of a problem when medical books are hard to download and medical drugs are very expensive because of so-called intellectual property. The medical industry relies too much on just obeying everything the doctor tells you to do, blindly and brainlessly.
Do you really believe that my medical records bound to my personal data are more important knowledge to society than how to do drugs which can save anybody?
Please give me your full address, all your passwords & associated emails & phone number please, I pinky swear I won't misuse these in any way and will only do research with this information about the security of people's houses & accounts!
That would solve a lot of problems, probably a lot more than making health data public. Otherwise keeping your data off the record becomes just another business model.
> HIPAA is a massive burden on medical and research organizations of all sizes
That is the point. It is supposed to be burdensome. It is supposed to be difficult and cumbersome to do anything with anybody's medical data.
I don't want to dismiss your comment entirely, because I understand the frustration around the good that the data could do but in the wrong hands it could be truly disastrous. I do not want Meta or Google anywhere near my medical data (and they're already pretty close in a lot of ways). I do not want my medical information used to enrich shareholders and that is the first thing that will happen; not improved research.
It should be easier for people to opt-in to sharing their medical data with a wide range of organisations if they choose but right now they never get a choice. It's either "we're making a law so we can give this data away" or not.
> the upside is just so much larger than the harms
I also don't agree with this as a blanket statement. For many people, including women in the US as you pointed out (amongst many other groups), the harms are criminalisation and imprisonment. The harm here, for the individual, far outweighs any potential benefit.
> It should be easier for people to opt-in to sharing their medical data
This seems like a good compromise moving forward. Add a section on whatever HIPAA forms you already need to sign that gives you the chance to opt in to use of anonymized data for medical research purposes.
I think for this to work, the law would need to clearly define how records must be anonymized, and provide penalties both for poor anonymization and for not clearly communicating to patients that this sharing is optional.
Yep. I'm all for a better version of informed consent.
"Can we provide your medical details in full to the following organisations?"
"Can we provide an anonymised version of your record to them?"
Yes. No.
Abide by those wishes. It's pretty simple.
Unfortunately big tech companies see the fines for handling data poorly as a cost of doing business, and not the punishment it was designed as. Until that changes, the status quo can't change.
I know that you probably meant Google (the search engine), but Google (the company) is already in your medical data: https://cloud.google.com/healthcare
I'm in the UK and if it transpired that Google (the company) had routine access to NHS medical data, I'd be very upset and complaining to the Information Commissioner's Office.
Interestingly, health data is a huge problem in the UK, in that the NHS trusts have extremely valuable information on a population-wide basis and do next to nothing with it.
Does Google/a private company have to do it? No, but at a minimum the UK govt needs to make significantly better use of this data for research purposes. A 100x increase in medical research spending and a new, more agile public medical research body would probably be enough.
The UK govt has proven that when it tries, it can do digital services _pretty well_.
The concern here isn't the government using the data for the betterment of society, it's the government handing over health data wholesale to companies whose sole purpose is to generate profit by exploiting data.
Ask for consent. If I say you can't use my medical data, then you can't use it.
I reject the framing. It's about responsibility vs selfishness and fear. Medical information is a byproduct of something you do anyway that can save lives. It is our responsibility to make it available. If you want to opt out, fine, but basic decency demands that as a society we get over our collective hangups and make this information available.
Are you a researcher? I find it alarming to hear this kind of talk, especially after so many have raised the very serious issues that can arise from this being public.
It is not our responsibility to make this public. Your logic is similar to the gov trying to get access to all exchanges over the web to scrape them for terrorism and violent behavior. Maybe take a step back and think about the harms that would come out of this?
There's a group of individuals that have been lobbying the US government that if we got rid of HIPAA, then we could cure every disease on the planet with all that medical data they could now harvest.
I don't mind aggregate data, or anonymized where I'm "Patient b15-2gty", which is what you seem to be talking about, but I do mind "here's all the data about patient Martin Tournoij, for everyone to read".
I wouldn't want any future employers to see my medical data for example, as they may use this to discriminate (theoretically anyway; my medical history thus far is essentially non-existent).
Also: in the late 90s my mother worked for the city to digitize a lot of social security records and such. She had a good friend who had trouble walking (crutches, wheelchair); the story she told was that she was hit by a car, but my mother read her records during her job and found out she had simply fallen and was never hit by a car. Much drama ensued. I have no idea why anyone would lie about that and I'm fuzzy on the details as I was about 12-13 at the time, but fundamentally I think people should have the right to lie about things like this, if they so choose, for whatever reason.
Mapping “Patient b15-2gty” back to your real name has been trivial for decades.
My first job involved a one hour lecture about how people had repeatedly accidentally deanonymized and accidentally leaked data at other institutions, leading to divorces and worse.
We had somewhere between 10 to 100 bytes of entropy on each patient, and it would have been enough for any of their acquaintances to map back to real names and also severely violate privacy.
> I don't mind aggregate anonymized data where I'm "Patient b15-2gty"
If you're "Patient b15-2gty", then the data isn't aggregate. Aggregated data means that there are no individual data points at all, only aggregated ones, so there is no need for any sort of individual identifiers.
If there's any sort of individual identifier, then the data cannot be effectively anonymized. If the data is aggregated, and the original records that were included in the aggregate figures are deleted, then I think that's adequately anonymized and I would have no problem with it.
Short of that, though, "anonymization" is a thing that doesn't actually exist.
I don't agree about anonymization; "true" anonymity is probably impossible in most areas of life, even for simple things like a walk in the forest as there's always something a significantly advanced sleuth can use.[1] (There are no "true" one-way hashes either – you can always brute-force.) It's about it being too infeasible to actually do that.
Blaming individuals for not trusting medical and tech companies that have repeatedly abused private information is a strange take.
Instead of taking the information by force (which health care conditioned on opt in certainly is), we should figure out how to build a trustworthy medical research and care industry.
For instance: They could only make this information available to universities, and ensure the results of the research were public domain.
Or, they could create separation of concerns for companies involved. If Google wants to store medical data, then they have to spin off their ad business.
> demands that as a society we get over our collective hangups
What you're calling "collective hangups" are, in fact, real and serious risks. I am distressed at how many people have forgotten (or perhaps were never aware) of the real abuse and harm that was happening with the sharing of medical data before legal protections were enacted. Heck, those harms still happen now, but to a reduced degree.
> Ultimately however the worst part of these laws is that they are so harmful to research in the long run. With easy and ready access to medical data we could be decades ahead of where we are today.
You are saying that you'd like to take my personal data and make money from it without compensating me. My records are mine and they are private and it should stay this way.
I used to have the same philosophy having also spent hundreds of hours dealing with the bureaucracy both technical and human of HIPAA and the need to have more data to improve health outcomes for people.
I then went through the process of applying for disability insurance and dealt with the quagmire of them wanting access to all of my mental health records. Not a summary of my mental health diagnoses, but ALL of the individual progress notes. I refused them having those records and ended up having to waive any disability coverage due to mental health issues I was facing. That type of data I just didn't trust this insurance company to keep the data safe, especially as the paperwork stated they would share the data with all of their affiliates and partners with no recourse on my part to restrict what was shared. At that point, I realized that there are VERY good reasons why we don't just allow all of our medical data to be open.
This reads an awful lot like we could eliminate all crime with a sufficiently strong police and surveillance state, or eliminate all obesity by attaching activity trackers to everyone and having the government ration only as much food as you actually need. Both true, but humans inherently value things other than health and longevity, such as freedom and privacy. Governments that are not dictatorships have to manage these competing demands from citizens. Otherwise, you could probably maximize health outcomes by allowing research facilities to just all operate like Unit 731. Sure, you might kill a few million people, but you're doing it to save trillions in the future.
Btw. I read somewhere "they" already have a lot of data.
> With easy and ready access to medical data we could be decades ahead
So make it! On premises. Pay for helping in that. Do not pay for storage and cpu in clouds! And don't be naive about what good and progress "they" can bring to medicine. They will promise then stall as much as possible and you will be paying for not deleting your precious data. Or accessing your own data :> And watching like your data are published and sold on black markets...
Couldn't agree more. Until you work in the healthcare field, you don't realize how much time and energy is wasted following HIPAA protocols. The doctor can receive your results, know your results, and still force you to come in because they can't tell you your results over the phone per protocol.
Europe gets to use their free and open medical data freely for research. The US gatekeeps that information. It's a huge competitive advantage for Europe.
There is nothing in HIPAA which prevents doctors from telling patients their results over the phone. They might not be able to leave voice mail with those results unless you specifically consented to that. They can also ask the patient for additional information during a phone call to verify it's really them and not someone else who answered the phone. For particularly sensitive test results, like say an HIV diagnosis, doctors might sometimes ask the patient to come for an in person visit so that they can explain everything in context and arrange an appropriate treatment plan.
Sometimes people blame HIPAA for all sorts of random stuff which has no connection to the actual law.
How will you make sure potential employers or insurance companies do not use that knowledge against individuals? What about social stigma? Victims of abuse/rape might be even less likely to come forward if the medical data is made public. I think before advocating to break down walls we should learn why they were raised to begin with, before countless people are hurt one way or the other.
If medical records are open by default then there will be a dark research market that easily operates outside the purview of the law. Medical data, hell, most data about people should be hidden by default. Your idea is wildly naive and you ought to read about Chesterton's fence.
I've always thought this about HIPAA as well, having worked in the healthcare field years ago. I imagine some "hero" leaking an enormous healthcare dataset after anonymizing some info and furthering research. Too bad I never had access to that.
There is nothing legally stopping healthcare organizations from asking patients for informed consent to share their anonymized data with researchers. The government even provides clear guidelines for de-identification.
As a patient, I feel like HIPAA has been used by care providers to bully me into giving away my rights and data on pain of not getting care. It's a train wreck.
"but the upside is just so much larger than the harms"
Without the privacy, the world would be a different place and the people in power in that world would have no interest in advancing anything that doesn't directly give themselves more power. There would be no well funded scientist outside of the military.
It’s wild, the world before HIPAA was even more walled off and data just didn’t flow at all. It was still a world of paper records widely at that point. Where we are with HIPAA is so much better, but still plenty of room to improve with delegated access.
The alarm around possible exploitation due to public medical data far exceeds the ground reality. At the same time, it has stifled progress in the field leading to more deaths than we should have to tolerate.
Big Tech is not a thing, just like big-sensors was not a thing. Electric sensing became a thing in the 1900s, and the medical community benefitted from the machines built because of them. Tech is similarly a tool that has become available to all fields over the last 30 years. By treating big-tech as a bogeyman, we end up anthropomorphizing an inanimate marker of progress in our time. It's Scientific cartelized Amish-ness.
My controversial & intentionally provocative opinion for a while has been: "Doctors are evil". The more I read about it, the more I feel like there is an ounce of truth there.
In Germany they decided to make the EPA (electronic medical record) opt-out starting by 2024. Managed by "gematik GmbH", a company with limited liability. Because why should the entity responsible for all medical records have some liability. It is a joke, a bad one.
> I think it doesn't really matter in what form the government appears. It's still the government and so its rules apply.
If it's a "limited company", that means its liability is limited to shareholder capital. It's going to have to have an awful lot of capital if it's going to be able to compensate the entire population for mishandling their data.
Also, if it's a limited company, then the shareholders can sell their shares; the company can change hands, often to owners in a different jurisdiction.
A limited company is not an arm of the government, and I can't hold a limited company accountable in the same way I can the government; especially if my personal data has left the jurisdiction.
Headnotes to the Judgment of the First Senate of February 22, 2011 - 1 BvR 699/06 -
Mixed-economy enterprises controlled by the public sector in private-law form are subject to a direct fundamental-rights obligation in the same way as wholly state-owned public enterprises organized in private-law forms.
Limited Liability is a GREAT thing. It allows us to build businesses that serve society that we wouldn't otherwise. Would you start a company or invest in one if you could lose all your personal wealth? Few would.
Most companies are limited liability. All companies that would bid on the project would be limited liability. Why do you think this project is special enough that the owners should be liable?
Also, an LLC in the US is a kind of company. It is mostly used for small sole proprietorships and partnerships. Technically, public companies are “limited by shares” where shareholders are liable up to the value of their shares. But there is no difference in terms of protecting owners from liability so they are called limited liability.
Why not? As long as they don't do anything that causes harm then the company isn't in danger. If they think it's likely they would cause harm, well then obviously they shouldn't exist.
The potential liability for any company is big enough that limited liability is necessary. No one would start a company if they could lose all their assets, not just the ones invested in the company.
Are people confused that limited liability limits the liability of the company? Because limited liability means that the liability of the owners is limited to their investment. The company can go bankrupt from losing a lawsuit.
For certain things the individual owners shouldn't be shielded from liability. Medical privacy is one of those.
Otherwise you end up with people who can create as many harmful businesses as they want and just walk away when it explodes, ignoring everyone caught in the shrapnel. I'm 1000x more concerned about the effects of harmful companies than whatever friction it creates for starting new companies. Everything already moves too fast, it would be far preferable to have fewer corporations if it meant they were of higher ethical behavior.
Limited Liability is a double-edged sword. It does reduce the risk of starting a company. But it reduces some mechanisms to protect society from misbehaving companies.
I honestly think the taboo-nature of medical records kills people in significant numbers.
More-so than anything else, the focus should be on preventing pre-existing conditions from being able to affect individuals negatively than adding hoops for the individual to access their own gated personal records (Moving between hospital systems today can be an absolute nightmare in the states).
This is actually a bigger problem in the UK (no longer in the EU).
NHS England has been trying repeatedly to make huge amounts of NHS data available to various kinds of commercial "partners". It started with supplying the Society Of Actuaries with the records of a million patients. For £3,000! Actuaries, of course, are primarily employed by insurance companies - not the kind of people I want having access to my medical data.
We were given the chance to opt out; you had to get and complete the official form from your GP, and go to the clinic and hand it in. But it turned out that only covered your GP's records; hospital records were subject to a different opt-out. You had to ask for a form from your local Health Trust, complete that, and mail it in. None of this was electronic or online.
Then there was a new plan, all your old opt-outs were obsoleted, and you had to go through the whole rigmarole again.
The UK has the finest collection of medical data in the world; a population of 70 million, and a consolidated health service dating back 80 years. No other country has this. I have no problem with that data being used by the NHS to improve existing treatments and develop new treatments. But handing it over for peanuts to J. Arthur Random really isn't on.
There are evidently civil servants in NHS England who are fanatical about sharing NHS data for commercial profit, even if that profit doesn't accrue to the NHS.
The article doesn't mention whether those are anonymised records. A PDF from the references expands on that:
> Pseudonymisation and anonymisation are not enough: health data is so specific that re-identification can be trivial. Often a person’s social media or financial history, both widely available on today’s data markets, is sufficient to identify medical events that can easily lead to reidentifying supposedly pseudonymised or even anonymised datasets.
I agree with the sibling comment that we need more open data if (iff?) we want to increase the pace of medical research. But it seems to be a tough cookie to crack.
You cannot really anonymise records like these. You can identify most people from only their post code, gender and date of birth (using just public data sources). So stripping names out is meaningless...
You're really underestimating the depth of anonymization in medicine. Birth dates are considered PII. Treatment dates are PII. Record numbers are PII. Locations "narrower than a state" are PII. Even ages over 85ish are PII because there tend to be very few people that old at a particular facility.
I mean, you can always anonymise data by removing all the useful data.
And that is the problem here: how do you remove enough data to make it NOT personally identifiable (or close to) AND not remove so much data that the whole thing is pretty useless.
No one has really managed that yet. People who have not tried assume it is possible. But it probably isn't except maybe in very specific cases where you only need very limited data and don't care about correlations with other factors...
There are some quite high profile examples of orgs releasing anonymised data and people linking it back to the individuals:
Interestingly the UK (I am a limey brit) actually has some really good experience with this, both from NHS medical records and public studies on Civil Servants...
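The trade-off discussed in the comments above (post code, gender and date of birth as identifying fields, versus coarsening them until the data loses resolution), shown as an added example that is not part of the thread: a k-anonymity check a data holder could run before any release. The records, the three generalization levels and all function names are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample records (not real people, not real postcodes):
# (postcode, gender, date of birth, diagnosis)
RECORDS = [
    ("AB1 2CD", "F", date(1980, 3, 14), "asthma"),
    ("AB1 2CE", "F", date(1980, 11, 2), "diabetes"),
    ("AB1 3XY", "F", date(1984, 6, 30), "asthma"),
    ("AB2 7QP", "F", date(1987, 1, 9), "HIV"),
    ("AB1 2CD", "M", date(1975, 5, 21), "asthma"),
    ("AB2 7QR", "M", date(1975, 8, 17), "depression"),
    ("AB2 1ZZ", "M", date(1971, 12, 1), "diabetes"),
    ("XY9 4LM", "M", date(1990, 2, 2), "asthma"),
    ("XY9 4LN", "M", date(1990, 9, 19), "fracture"),
    ("XY8 1AB", "M", date(1993, 4, 4), "diabetes"),
    ("XY9 4LM", "F", date(1962, 7, 7), "depression"),
    ("XY7 5TT", "F", date(1968, 10, 10), "asthma"),
]

LEVELS = (0, 1, 2)  # hypothetical generalization ladder, see quasi_id()


def quasi_id(record, level):
    """Return the quasi-identifier tuple an outsider could match on."""
    postcode, gender, dob, _diagnosis = record
    outward = postcode.split()[0]
    if level == 0:  # raw: full postcode, full date of birth
        return (postcode, gender, dob.isoformat())
    if level == 1:  # outward postcode, year of birth
        return (outward, gender, dob.year)
    if level == 2:  # postcode area letters, decade of birth
        area = "".join(ch for ch in outward if ch.isalpha())
        return (area, gender, dob.year // 10 * 10)
    raise ValueError(f"unknown level {level}")


def report(records, level):
    """k = smallest equivalence class; classes = resolution left for research."""
    classes = Counter(quasi_id(r, level) for r in records)
    singletons = sum(1 for size in classes.values() if size == 1)
    return {
        "k": min(classes.values()),
        "unique_fraction": singletons / len(records),
        "classes": len(classes),
    }


def min_level_for_k(records, k):
    """Least generalization reaching k-anonymity, or None if the ladder cannot."""
    for level in LEVELS:
        if report(records, level)["k"] >= k:
            return level
    return None


def distinct_diagnoses(records, level):
    """Per class, how many different diagnoses remain; 1 means the class leaks it."""
    seen = {}
    for r in records:
        seen.setdefault(quasi_id(r, level), set()).add(r[3])
    return {qid: len(values) for qid, values in seen.items()}


if __name__ == "__main__":
    for level in LEVELS:
        print(level, report(RECORDS, level))
    print("level needed for k=2:", min_level_for_k(RECORDS, 2))
    print("level needed for k=3:", min_level_for_k(RECORDS, 3))
```

Each step up the ladder raises k only by collapsing the number of distinct groups a researcher can still tell apart, and on this sample no level reaches k=3.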
For my W2 job, I broker the commercial sale of "real world evidence". It's usually hospital, insurance and pharmaceutical claims data. The buyer is largely big pharma. They want it for things like monitoring a patient's journey and adverse events related to their drugs. There's use-cases in clinical development and pre-market as well.
As archaic as HIPAA is, the tools that we have today to obfuscate PHI (e.g. tokenization) respect the individual's privacy. The major cloud infrastructure providers are all HITRUST certified and ready to sign BAAs to keep everyone accountable.
I think we're in a good place right now for innovation with healthcare data. Multi-modal (think genome + claims + social determinants of health) are starting to become a thing. As a population, we'll benefit from more targeted therapies.
Technology is catching up with the swaths of data that have been amassed since the 2000s. I hope for more innovation vs. shackling it with uninformed regulation.
I am also opposed to this kind of petition on the grounds that it inhibits standardization of file formats. I work at a startup and we work with medical records from a number of different hospitals. So much code is dedicated to just dealing with the spaghetti.
A major roadblock for our startup is getting medical information integrated into our system. It's difficult to compete with the IBMs and Epics of the world when we don't have a million developer hours to dedicate to writing plugins for every vendor. It's not just us struggling with crappy data management - it confuses hospital staff, too. Our customers are frustrated when we tell them things like "you gave us <XYZ obscure file type> which doesn't contain the information we need; do you have <ABC obscure file type> instead?". MRI scans (DICOMs) are particularly gnarly.
Even the IBMs and Epics of the world struggle to not make crappy software. How do you present a relevant medical record to a doctor at the exact right time they need it? There is so much data to sift through that medical information frequently slips through the cracks when patients transfer hospitals or their hospital merges with another.
If there isn't a standard way to query an electronic health record then companies are incentivized to just throw data at an LLM to parse it (which is exactly what we're moving towards). Trying to build AI-type solutions will just make these companies even more data-hungry and result in a less reliable solution.
I'm not opposed to continuing to hold startups/big tech accountable for keeping personal health information private and secure.
I think there's a general need to dig more into differential privacy and how data can be effectively anonymized for research purposes if it's done right.
Do the big tech companies self-insure for medical coverage? They'd probably have pretty good access to their employees' medical records already. Not that it's a good idea to expand that more widely, but I suspect many people have no idea how widely distributed their medical information already is.
Everybody wants privacy. But they also want treatment for whatever ails them. These things don't have to be mutually exclusive.
Lack of information is a big challenge for doctors. When I say challenge, I mean people are dying needlessly because their doctors don't have access to critical information and this leads to bad decision making.
Here in Germany doctors are completely in the dark. Even basic information like who I am or where people live isn't being shared. Because privacy. Every doctor you talk to first needs to take down all your basic details. Address, date of birth, etc. Every medical appointment is Groundhog Day. They know nothing of you, your personal details, or your medical history. And German GPs don't do a lot themselves. You get referred for even the most basic things but without them sharing information. So, all the obvious things happen on a daily basis. People receiving the wrong medications. Doctors not acting because they are unaware of the history of the person in front of them. Or wasting time on diagnosing things that have already been diagnosed. Or mis-diagnosing those things.
That's the consequence of bad data.
The standard German sentiment against any digital is "I don't like this". But the consequences are that they have to suffer bad health care, a stupendously inefficient system that they pay for through really expensive insurance every month, and preventable deaths because essential data isn't being exchanged to those who need it.
And their privacy sucks anyway, because IT security is about what you expect from a sector running on ancient hardware and software. IT incompetence/ignorance is the norm. Quite a contrast with other countries I've lived in.
> Everybody wants privacy. But they also want treatment for whatever ails them. These things don't have to be mutually exclusive
If I didn't have a modicum of assurance that what happens between me and my doctor stays between me and my doctor, I would absolutely avoid going to see a doctor to the greatest extent possible.
The problem with data masking is that you don't know what data is important.
Want to see if there's a geo cluster? Oh sorry, there's no location data. Do you want to see if something affects age band 12-14 instead of 16-18? Sorry, everyone in that group is in a HIPAA bucket. Do you want to see if there's a commonality among treatment options for obese women over 65 who are diabetic in rural communities? Nope, sorry.
Do you want to determine the success rates and outcomes for different treatments in different regions for a given condition, and if they differ by age/gender/ethnicity/place of treatment? Nope.
If there are uses that are prohibited, prohibit them. That's what the law is for.
I don't think most people appreciate that medical research moves, at minimum, 20x slower than it would with open data access. Doing the simplest possible regression across two institutional datasets is a $100,000 project involving lawyers, de-identification, consents, and a host of bureaucracy. Since most projects end in null results, most don't happen.
These laws, while well-intentioned, kill people.
If you think that's an OK tradeoff, I guess you're free to accept that. But there is very real blood on your hands, the fact that none but the most egregiously common diseases are studied. It doesn't have to be this way.
Medical research doesn't move slowly because medical records are private. Doing actual science takes a lot of time, money, and effort. This is a foreign concept in the software world, where tons of engineering happens, but almost no science. Trying to growth hack one's way to medical treatments without proper testing is how people get killed.
There is ample evidence for what happens when companies in the health space are allowed to make their own rules, and it isn't better health outcomes. See thalidomide.
> These laws, while well-intentioned, kill people.
So does medical fraud, and it's not well-intentioned at all.
Just sayin'.
I have almost no faith at all in the types of folks that found and run tech companies, these days.
They have proven, over, and over, and over again, that They. Just. Can't. Be. Trusted.
If the tech industry were to create an ethics board, with real enforcement teeth (like the Bar Associations, or Medical Boards), then that could be a start.
The problem is, as soon as anyone even mentions the possibility of restricting tech companies, they are taken out behind the woodshed.
I agree. It's hard for me to get excited about anything tech companies output nowadays as more than likely it will be surveillance, ad, upsell and subscription-driven with growth and profits triumphing any regards and respect for the end-user experience and privacy. I have zero reason to trust them not to abuse my health data for their own interests rather than use it for the greater good.
That is hyperbole. There is zero evidence that open access to medical data would accelerate research by 20×. Most clinical research studies are structured with defined data gathering protocols where patients give informed consent, and this works fine.
Some naive software developers and data scientists have this fantasy that if they could just data mine millions of patient charts that they could discover all sorts of medical insights that would save lives. This is almost totally false.
The real issue with using research data from multiple organizations has more to do with quality and consistency than privacy rules. Various provider organizations will record the same clinical data in different and incompatible ways, or often fail to record it at all. Researchers working with such data have to devote huge efforts to building pipelines for validation, cleansing, and normalization.
That goes both ways though. People are responding to hostage-taking actions by big tech and trying to protect themselves. There is a theoretical middle ground where data is available for research but not for abuse, but big tech typically won't allow that.
My wife's vision is to have the patients control their medical data, and opt-in share it with the researchers who recruit them for studies. I don't know what the answer is, but I think it's going to change. You are correct in that it is a huge driver of costs.
People are saying that open access to everyone's medical records would speed up research, but that's not how well-controlled and well-designed medical research works in practice. For example, if you wanted to study lung cancer causes and treatment efficacy, just mining public data would not be that beneficial. Real studies need controls, detailed patient histories, actual observational lab work (blood tests, etc.), and so on.
What would this data be used for in practice? Insurance corporations would use it to identify people at greater risk of diseases and to deny them coverage (or make it difficult to obtain coverage, remove them from coverage, etc.) in order to increase their profit margins.
Now, you could have useful anonymized public databases, for example, imagine if everyone got regular monitoring of body burden of heavy metals and industrial and agricultural organic chemicals, and that was cross-referenced to their incidence of cancer, liver disease, etc. This could reveal common associations between specific pollutants and various diseases that could then be studied in more detail. Similarly, this could be applied to pharmaceutical products (which sometimes do more harm than good to their users).
Of course, that kind of public health-centric database would open up corporations to liability and cause profit loss, which is why such body-burden assessments of pollutants are not part of your normal medical checkup.
If the data is rigorously anonymized, then it loses all value for the health insurance / advertising sector, who want to exclude high-cost patients from coverage and target individuals with health conditions, respectively.
Do you think Big Tech shareholders (with additional holdings in pharmaceuticals, petrochemical, agribusiness etc.) would be interested in a database of rigorously anonymized patient data intended to discover relationships between things like pesticide exposure and Parkinson's disease, or unpleasant side effects of currently profitable pharmaceutical products?
I basically don't believe non-degenerate (pseudo)anonymization is possible, although that complicated af homomorphic encryption stuff makes me a little uncertain.
Big Tech, Small Tech, someone will eventually have access to our medical records and honestly it's the direction things need to go in order to have cheaper, more transparent healthcare as well as drive innovation in the space at large.
It's less about "who" and more about "how". How will we grant this access in safe and (preferably) anonymous ways.
The effort we spend protecting medical records is out of all proportion to the damage done by any leaks. I really do not understand the reasoning. And this is effort that would otherwise be used to generate other economic benefits, like food, housing, medical treatments, etc.
Another problem is that these laws (HIPAA, etc) actually CONTRIBUTE TO the leaks, because they provide a huge blackmail incentive to hackers. The penalties are so large that hackers know they can extort giant payments from companies.
Also, it's no small loss that it's so difficult to use this data for legitimate research purposes now, depriving us of all the medical gains we otherwise would have.
Certainly, I would not want my records in the newspaper - but really what's the worst outcome? Everybody finds out just how much ED medication I take?
I suspect a lot of this legislation is (as usual) motivated by the businesses that stand to gain from it. It creates a large moat around existing large businesses that can afford to cooperate. And funnels a lot of money to the consultancies and other companies that work to comply with these policies.
> The effort we spend protecting medical records is out of all proportion to the damage done by any leaks.
I disagree entirely.
> really what's the worst outcome?
Well, let's look at what's happened in the past. You could be denied employment, denied housing, denied insurance coverage, even denied essential medical treatment, for starters.
Some folks would be materially harmed by medical record release; e.g. women who have had abortions in states where it is illegal, gays in very conservative areas, passing trans people, the functional severely depressed, passing folks with autism etc
American history includes a period in the not-too-distant past where we put all people of a specific ethnicity in internment camps. So I'm gonna go with using genetic data towards those purposes probably. Maybe I could come up with even worse.
> Certainly, I would not want my records in the newspaper - but really what's the worst outcome? Everybody finds out just how much ED medication I take?
No. The worst outcome is the police arresting a random civilian because their medical record showed they were actually a fully transitioned person living as their identified gender (and thus the only way they would know is through trawling through medical records) and are therefore in violation of, say, a bathroom law. Or a law banning "crossdressing" or other shit.
It's teenagers and young women being sent to prison because there's a medical record where they were treated for excessive bleeding which lost a pregnancy, and are put in jail until their trial for abortion is up because they're too poor for bail.
It's buying up the medical data of Jewish people to "prove" they're really harvesting the blood of Christian children.
The worst outcome is that individuals may have sensitive information in their medical history that could be poorly received by their social circles if it becomes public. In extreme cases, this could even lead to threats on their life.
Consider this: the same argument could be applied to our endeavor to safeguard the secrecy of voting. What is the worst outcome if everyone discovers who you voted for?
Such conclusions are inherently biased because we are unable to accurately evaluate the importance of these very existing protective measures in a civilized society.
> The worst outcome is that individuals may have sensitive information in their medical history that could be poorly received by their social circles if it becomes public.
That's far from the worst outcome. You could lose your job, be sent to prison, be denied insurance.
Yes. It was poor wording on my part trying to encompass all these situations under a generic description. But these are excellent examples of what I was trying to convey. Thanks.
Medical records are already aggregated by Big Tech companies - they are called “medical billing.”
I’d much prefer a different set of companies having access to records at scale for the purposes of improving outcomes, which they will never care about (having seen it first-hand).
They're not petty, they're trying to address a genuine problem. First, the legal definition of "PII" excludes quite a lot of actual PII. Second, even if there's genuinely no PII attached, it's pretty trivial to reidentify the data.
For the medical data (not metadata) to be useful in models you usually need plenty of associated PII like dob, postcode area, etc. Overfit a model and it will act pretty much as a database lookup on your personal medical data. It needs to be regulated.
I do. I give a shit about any data any tech company has about me, and a thousand times more shits when it's very sensitive data such as medical records.
The fact that we have normalized that behavior to the point of having to explain the concept of not wanting to give out data like candy is so wild to me
"google" is made of many individuals. If "google" has your records, you don't know who has access to them - they effectively become "public knowledge" in a way.
You can imagine how your medical record could be used against you, I'm sure? For people that have suffered aggressions, addiction, mental issues, these are all private but can be used against an individual in the public sphere.
You trust a company that has been constantly struggling with keeping employees under control and preventing malicious access of user data [0] over an institution whose business model is critically reliant on the proper handling of medical information?
It's not a random hospital - it's your hospital. There are many governmental bodies that are there only to watch HIPAA violations, and if your data is used wrongly you can sue for damages.
For things like this[0], the medical companies and Google operating on this data are being held to the same standard of protecting medical data as any other healthcare software. It would be the same if Google really made a "my health" app; although the article is talking about Google et al. getting medical data for research purposes, not a personal health app that would be gated behind Google's DC doors and multi-level access controls.
I'm no expert on these systems, but the data that's in the cloud isn't encrypted? I would've assumed that Google can not have access to the data but are giving access to server space to host it, making HIPAA violations from employees practically impossible? (Unless they try to get keys to unencrypt the data, but then again that's outside the scope of this discussion)
Seriously, this question seems to indicate a critical lack of common sense in the poster. You don't even need to have a desire for privacy, just a modicum of risk aversion.
Here's a simple example of what can happen with your medical data: Medical data ends up somewhere like LexisNexis -> Company looks you up before hiring -> Company sees that you have a health condition that will cost them more in health insurance costs -> Company doesn't hire you because "it's not a culture fit".
Oh, you don't have a health condition right now? Well, pray you never develop one either -- your boss will probably be able to sign up for push notifications for when there's a new diagnosis for you.
There is already real bias actualized on the name and gender of the applicant at the very first stage of company hiring. Late-stage investigations (credit reports, public court records, online social profiles) can happen but rarely do. Companies focus on referrals and confirmed job history. I can't imagine more invasive investigations into health history. Secondly, why are companies paying more for healthcare given an employee sickness? The point of insurance is that it normalizes cost across the entire pool of people and must be regulated to not be prejudiced against pre-existing conditions.
> I can't imagine more invasive investigations into health history.
The point is they wouldn't be 'invasive'. Plug a name into a website, get a cost breakdown of how much health insurance would cost for that employee. Indeed will probably have that feature ready to go the day after it becomes legal/available. A few minutes of work for a relatively low-paid employee processing applications, or these days probably some sort of automated system doing the same.
> Secondly, why are companies paying more for healthcare given an employee sickness?
They might not pay more for that single employee, but they will pay more overall. The insurance company, as much as it can, will look at how much it's bringing in, and try to maximize that. So a company could find itself paying higher rates when they renew their health insurance contract.
some are illegal - think threating drug overdose
Mental health is a big deal. For better or for worse, if your employer/licensing org is aware of any mental health issues, then they could adjust how they treat you.
Crappy bosses could use your history as a way to discredit or manipulate you. That's exactly what the CIA does, whenever someone blows a whistle on them.
Some medical conditions can be interpreted by different people, in intensely negative ways. For example, at one time, being left-handed, meant that you were possessed by the devil.
Often sexual orientation/behavior is a part of your medical history.
But I'm suuuuure that no one would ever use this information in a questionable way.
Look at the "mug shot protection racket" sites. These sites leverage personal information that has been made public, as a way to force you to pay them to remove it (and then immediately republish it in another venue).
I guarantee that a number of folks on this very site, run those sites, and sincerely believe there's nothing wrong with it.
No. Just because "I have nothing to hide," does not mean that I get to force others to divulge intensely personal stuff.
https://www.wingerdenlaw.com/blog/2020/02/can-you-be-charged...
Listen, I'm not saying that this is ethically or morally right. I'm just saying that's the way things actually are (in the US).
I've no doubt that there is some assortment of corrupt laws bought by the medical industry that have enabled these blatantly abusive billing practices. But until shakedown victims actually force the issue and publicize it, then those corrupt laws continue to avoid scrutiny.
Also, I expect insurance companies to honor their contracts.
I could not agree more. This problem absolutely ruins lives. I've seen people who've suffered terrible injuries beg not to be taken to the hospital because it would result in devastating financial consequences.
> I expect insurance companies to honor their contracts.
I agree with this as well. But that's a separate issue than who is legally responsible for the debt.
I believe it is a liability for doctors to know a true medical history, and anything not already being treated can be ignored and re-diagnosed later, which of course is an ideal situation for the insurance and the new provider, because you can charge all over again for those diagnostics.
Case in point, I had two EKGs performed on me, one in urgent care and one in the hospital. It was not too long before I was going in for surgery, and a prerequisite was a "12-lead EKG" readout, so naturally the hospital tried to force me to undergo a new one at enormous cost and inconvenience, and I balked, because I already had two perfectly good readouts in hand. They eventually relented, but it was incredibly difficult for them to admit that the test results were valid and acceptable, and this is all part of the scam, to charge as many times as possible for anything that wasn't performed here and now by us.
Likewise with psychiatry and therapists; I've been through multiple clinics and dozens of counselors, and of course each one produces a mountain of case notes. So I always offer and suggest that I sign a release and have all the prior case notes transferred over so that they get to know me better. The answer is always "no". They want to know nothing beyond what is in the intake forms, that they will spend 5 minutes reading. Then we will start my therapy over from Square One with a stranger and I get to recount all my feelings and life experiences over and over and over again, on my dime.
Nevertheless, it is still of the utmost importance that you continually sign authorizations for release and that you requisition all available records from all your providers. Authorize all providers to release information to your friends and family. They will hang up the phone if there is no release on file. Renew those authorizations on time, every time; your provider will not remind you. Release all records to yourself on a regular basis, especially after a hospitalization or major incident. You will want good records, just for your own examination, and also if there is ever a dispute or litigation about something, your attorney will appreciate those records too.
(I'm undecided on the whole thing but this argument as stated is bad)
And I'm not saying I wouldn't be willing to share. I have consented to such things before. But it should be my decision how much risk I'm willing to shoulder.
How about a compromise then? What if we made it so that you could get unrestricted medical record access for any patient for whom you are willing to guarantee (under severe financial penalty) will not die?
This is one of those cases where when we open things up we realize that just about everyone has or does things that are stigmatized and we have no choice but to stop stigmatizing them, the secrecy and shame are self-reinforcing.
Yeah, it almost never actually works out that way, though.
But the vast majority of people are paralyzed by fear that someone might find out they have hemorrhoids.
Others live in a delusional state of paranoia where "duh gubmint" will use the info against them not realizing that any entity, governmental or otherwise, willing to do so will just ignore privacy laws anyways.
The problem isn't being embarrassed. The problem is suffering real world consequences for certain types of medical treatment, such as problems getting work, renting housing, etc.
Fix that, then? I keep hearing about all of these nightmare scenarios, dreamed up by paranoiacs.
I submit. You are right. Fix THOSE problems instead of killing people.
I'm agreeing with you. What you said happens. We must fix that.
If things are that bad, the entities inflicting these consequences don't care about medical privacy anyways, right?
Not at all. These are all things that used to be pretty common. That's why medical privacy laws were enacted.
> Fix THOSE problems instead of killing people.
That would be ideal, yes. But nobody has figured out a way to do that.
BTW, I don't think your phrasing is helpful to your cause. It implies it's a black-and-white issue when in reality it's a very complex issue with a ton of nuance.
People die as a result of the lack of medical privacy too, after all.
> the entities inflicting these consequences don't care about medical privacy anyways, right?
No, they don't. But they do care about the huge fines and other legal consequences they risk by not adhering to the law.
Very many things doctors need to be aware of, because the patient's life depends on it, are left out when patients move between specialists and physicians, which happens all of the time.
Outbreaks of viral and bacterial illnesses result in thousands of people independently chasing diagnoses and treatment, because the system doesn't share information that could be used to piece together and get ahead of it. Every time my kid gets sick at school, I get to play a game of "What is it? Do we see a Doctor? How much money should we spend?". Let's pretend we know nothing about this and go see a Doctor who hasn't seen anyone else in school, who may provide antibiotics they may or may not need or worse.
Effective prevention methods and early detection of bad treatment are discarded because it's so difficult to investigate and connect the dots between interventions and outcomes.
Patient privacy is important, but the system we have today is nothing less than a tragedy. Real emotional, physical, and economic damage is happening on a grand scale every day in this country. We shouldn't pretend HIPPA is a good thing, or the current system is doing a good job. It's not. We need to radically transform how we operate, and much more open and connected medical records is certainly a part of that transformation.
I would start freaking the fuck out if my primary care physician gets to sell my diagnosis for money to Facebook, and I don't give a rat's ass if some 3 year old could've been cured of epilepsy if my doctor was able to do so. HIPPAA prevents my doctor from doing so and I'm glad for it.
> I would start freaking the fuck out if my primary care physician gets to sell my diagnosis for money to Facebook,
To play Devil's advocate, do you think Facebook doesn't know who is gay and who has diabetes? If Target can figure out when you're pregnant, Google can certainly figure out on which day you plan to go to the abortion clinic. This information is already out there and used in ways we don't like. So maybe we should consider re-working HIPPA so the information can be used by the good guys instead.
You cannot say the protections it provides are overstated if you are not the people who were victimized by a lack of such protections in the first place. I do not want the "good guys" collecting panels on Jews. I certainly don't want the "good guys" collecting panels of info on trans kids without involvement from parents. The idea that there are "good guys" in this scenario is ridiculous. The idea that it might save lives is a cold comfort to the status of my minor child's birth control prescription status being accessible to the government.
Who are these "good guys" you speak so highly of? CA gov? FL gov? Federal gov? FBI? Planned Parenthood? Some church?
I'm curious about these mythical "good guys" that you, the NRA, and other people with an agenda repeatedly handwave about.
Anyone who wants to use the records to improve healthcare. There are plenty of these folks in the medical field, based on my time in medical school and brief stint in a medical research group.
I would also include anyone involved in your direct care, i.e. the front-desk personnel at the various doctors' offices we visit, who have no way of easily obtaining your medical history if you aren't already in their system.
https://www.hhs.gov/hipaa/for-professionals/faq/authorizatio...
When providers fail to obtain medical histories for new patients that's not due to any legal restrictions. In most cases they simply haven't bothered to implement the open interoperability industry standards which make it easy to exchange such data, or haven't joined networks that facilitate such exchange. For example, the majority of physicians still don't have a publicly listed DirectTrust Direct Secure Messaging address even though they could have one at a very low cost.
This is so nebulous. Anyone can claim they want to improve healthcare. The removal of abortion access has also repeatedly been justified as improving healthcare. The Tuskegee experiments (where they just let black men live with a curable, debilitating disease and continually lied to them about their suffering, some of them to their graves) were justified as improving healthcare. "Wanting to improve healthcare" does not preclude people from horrifically unethical behavior. Get better standards if you want to be accessing the private information of people without their consent.
Honestly, my problem with HIPAA is that it's not really adequate. There are too many loopholes in it. I'd like to see it strengthened quite a lot.
> much more open and connected medical records is certainly a part of that transformation.
As long as the patients those records are about are in full control over their disclosure and use.
https://www.cdc.gov/nndss/about/index.html
And it's not "HIPPA". For some reason, people who are deeply ignorant about what the law actually does also seem to get the acronym wrong.
https://www.hhs.gov/hipaa/index.html
I see. So if three patients visit three separate physicians (with three separate healthcare systems) with the same illness (outbreak), these records may be aggregated to detect the outbreak? I was under the impression this kind of thing was not possible, or very difficult / limited, and would require some kind of patient authorization, and that HIPAA played a role in this.
(I expect this exists for known serious things like Ebola, but was thinking more directly about things like strep or typical viruses in a school. It seems like the outbreak information is put together after the fact, or after it gets grossly bad)
> For some reason, people who are deeply ignorant about what the law actually does also seem to get the acronym wrong.
Probably that HIPPA reads more like a word than HIPAA.
America needs to be a radically different place for me to be okay with what you want.
Obviously funding is needed: funding which already comes from government in many cases. It's just that now that research funding gets handed to execs who then use the data to make more money, and only have to use the data to help people if it happens to coincide with their business strategy. Having the data public just means that the people working on it are motivated more by helping people and less by acquiring data to leverage for profit, which is a feature not a bug.
We would still need controlled trials, which would continue to work similarly to today. But those would be perhaps less expensive as a result, reducing research costs and turnaround times.
In fact a surefire guarantee essentially doesn't exist. But what exactly are you afraid of? How does someone weaponize your information? Everyone in my life already knows about my health conditions, I speak openly about them in my personal life, my business life and online there have been zero consequences to this.
Well that's really the point, ain't it. You can't even meet the bare frakking minimum for this to be workable.
> Everyone in my life already knows about my health conditions, I speak openly about them in my personal life, my business life and online there have been zero consequences to this.
Would you mind listing them out? Also, some vital info like date, place of birth, name, family medical history? Who was your mom and dad? Grandparents? Got any siblings/cousins? Also, go ahead and measure your bp, heartrate, blood sugar levels, and post those here as well, might be useful to know those too. Oh, reminds me, gonna need to see your hepatic and renal panels as well, you never know when that sort of information about you might come in handy.
I mean, now that we've interacted, I'm in your life too, and I'd like to know all these medical facts about you.
Edit:
> How does someone weaponize your information?
A lot of other people have posted some of the terrible consequences that can result, but let me give you a more inane one that might actually be a little easier to connect with.
Blood types are not evenly distributed, especially when it comes to blood banks. Some blood types, especially if you have an uncommon Rh factor, might be harder to get. So just imagine if your health insurance was more or less expensive just based on your blood type -- something that you will probably need to know (and will thus be available to your insurer) at some point in your life, and probably relatively sooner than later. How'd you like to pay hundreds or thousands more for health insurance based on your blood type alone (because there won't be any discounts for the common ones, just penalties for the rare ones)? Or worse, being denied coverage for a surgery because the blood you'd need transfused during it would be 'too expensive'.
Not everyone is comfortable speaking openly about their health issues and not everyone is in a situation where they will be free from consequences if they do.
Fire you if you've had an abortion?
Fire you if you've had gender affirmation surgery?
Refuse to hire you if you've been treated for addiction?
What if you're a public figure?
Press announces you've had cosmetic surgery.
Press announces you had an anal fissure treated.
Press tells everyone you have an STI, or your children have an STI
There are a lot of ways to weaponize medical information.
Like throws you in prison because you were pregnant and now you are not, and the state concludes you must have had an abortion which just recently became illegal where you live?
But at least there is a law against it. Loosening the rules would certainly lead to misuse - use against the patient.
“It doesn’t matter to me therefore it shouldn’t matter to anyone else. My experience is universal and correct.”
Show baby diaper ads because Google knows I'm pregnant. Increase the price of baby furniture because Amazon knows I'm pregnant. Decline a job interview because LinkedIn knows I'm an alcoholic. Tell me what parties I might be interested in because Facebook knows I have cancer. Refuse a ride because Uber knows I'm not vaccinated.
None of these situations is far fetched, and none of those situations is something positive.
Companies only care about profits, not the betterment of society as you seem to believe. I am very happy there is no way for them to know more than they need about my private life.
> my business life and online there have been zero consequences to this.
Because those laws were in place. Do you believe companies have been behaving nicely because they care about you?
> None of these situations is far fetched, and none of those situations is something positive.
Not only is that type of a situation not far fetched, it was the reality throughout Canada as recently as 2021 and 2022.
"Also effective October 30, travellers departing from Canadian airports, and travellers on VIA Rail and Rocky Mountaineer trains, will be required to be fully vaccinated in order to travel."
https://www.canada.ca/en/transport-canada/news/2021/10/manda...
Given Canada's large geographic area, access to domestic air and rail travel is extremely important.
That type of unjustifiable discrimination also applied to other services/venues/events, too, such as restaurants.
What's even more nonsensical is how those policies remained in place even when it was blatantly obvious that the so-called "vaccines" involved didn't seem to prevent infection and didn't seem to prevent transmission, even among the so-called "fully vaccinated".
The very negative social and economic consequences of those awful policies far outweighed the non-existent "benefits".
If some good did come out of this, it's that at least a larger segment of the Canadian population realizes the importance of privacy, especially of medical records.
This is so easy to recognize that I have to wonder if you've ever met a less-privileged person than yourself.
1. A fully functioning, treatment-compliant schizophrenic is now at risk of being passed up for jobs or promotions because their medical history is up to be bought by employers.
2. A local concerned citizen will be much more afraid of protesting or publicly being against a politician if the politician can buy their history of getting PrEP, an HIV preventative drug that is popular in the homosexual community.
3. A religious private school starts to buy the medical history of their young girls, and reveal which girls are taking birth control, have had an abortion, etc. by expelling them from the school.
Or simply put: You first. Put your hemorrhoid surgery photos up on your LinkedIn.
I guess you're not an alcoholic? That's information that potential employers would be glad to pay for. In the days of paper records, doctors would write "C2H4OH" on your record, as a semi-coded message to other doctors.
Estimates vary, but I understand that close to 25% of the UK population is alcohol-dependent to some degree. Deterring people from seeking treatment seems "unhelpful" from the POV of general social benefit.
Or more importantly, the harms are to me, and the upsides are to you, so who cares?
Doesn't make them any less fucking wrong.
The primary issue with this was the lack of ethical research, not the privacy of medical records. In fact the opposite argument could be made, with a more open and connected system, we could likely glean such information without the trial in the first place.
That was a punishing read
An actual written request for consent from a research institution, telling me exactly what data they intend to access, how they will access it, how many people will have access, for how long, and what they will do with the data / results after they are done. One that I can at my option sign and send back, or trash.
I'd in all likelihood say yes! But as a patient, I deserve the right to say yes or no. "Lives might be lost" is simply not justification for obtaining it.
This doesn't seem that unreasonable to me. It balances the need for research with the patient's need for privacy.
And more importantly, _who_ the people are. Yeah, I want full legal names. I want someone to name in a lawsuit if things go wrong or my data is leaked. I want personal legal culpability from everyone interacting with that data.
I'm not. Getting pretty tired of having the meeting point of getting buttfucked and not buttfucked being buttfucked, but with lube.
You step forward.
He steps back.
"Meet me in the middle," says the unjust man.
Thanks to the likes of Facebook, Google and their ilk starting to stick their filthy paws into the most private medical data some years ago my answer now is always a resounding HELL, NO!
I always feel bad about it, because it really shouldn't be that way, but thanks to the slimy shenanigans of the tech brothership I just don't see a viable alternative to that answer.
What bugs me is my urge to explain to the poor admin to whom I'm handing the form why this is out of the question.
I made the exact same change in my behavior as well. I already felt that I was making a sacrifice by exposing my data to the likes of drug companies and such. Exposing my data to the likes of a FAANG-style company is simply a nonstarter.
"Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions."[1]
That's what's on the HHS website, and that's a mild example of what was happening prior to HIPAA. Health information was being used to out gays and HIV patients, discover people's race, bypass due process, stalk women, etc. With data being weaponized against individuals more and more, we have good reason to believe that this would be worse in 2023 if these laws didn't exist, not better.
Yes, I'm aware of the burden that this puts on medical research. Behaving ethically is hard sometimes--get over it. You don't get a free pass to use people's private data without their consent. You might claim that you're only going to use that data for good, but the fact that you think bypassing people's basic human rights is acceptable shows that you don't have a working moral compass. You can't be trusted to only use people's data for good.
The fact that you wrote three paragraphs on this topic and didn't even mention the rights of the patient shows me I don't want you to have access to my medical data, let alone having authority to make decisions about who else can see my medical data. You're not a person who will make that decision ethically and responsibly.
[1] https://www.hhs.gov/hipaa/for-professionals/faq/188/why-is-t...
That's just bullshit.
Also, given the state of medical research methodology, you could just as well argue that it would yield even more unreliable studies, each adding confusion to our knowledge.
Let's say that each research study spends 10% of its time on recruitment and another 5-10% of its time on compliance. (Real numbers can be much higher).
Open medical data would reduce both these efforts, so every study, regardless of quality now goes more quickly and/or is less expensive. This is the primary benefit.
Now you're pointing out that extremely open data can lead to rapid and perhaps erroneous analysis. This is true, but it would also lead to rapid and accurate analysis. My point is that everything speeds up and compliance regulations around data handling are far less impactful on study quality than are protocols around experiment design.
I believe open medical data would have absolutely zero effect on the amount of time spent on recruitment.
Source: Me. I work with clinical trials data management in a medical research institution pulling hospital-side clinical data and patient schedules into systems on the research-side specifically for the purpose of recruitment.
Please trust the opinions of people who have tried to do this work. There are many people trying to advance medical research in good faith who can attest to the insane inefficiencies of working with medical data.
Skip the essay but at least give me three or four sentences why I should feel differently?
I believe exactly that about not medical records but medical procedures. If the doctors force me to share my medical records with the world of spammers and scammers I would rather choose to be a doctor for myself. But I see a bit of a problem when medical books are hard to download and medical drugs are very expensive because of so-called intellectual property. The medical industry relies too much on just obeying everything the doctor tells you to do, blindly and brainlessly.
Do you really believe that my medical records bound to my personal data are more important knowledge to society than how to do drugs which can save anybody?
That is the point. It is supposed to be burdensome. It is supposed to be difficult and cumbersome to do anything with anybody's medical data.
I don't want to dismiss your comment entirely, because I understand the frustration around the good that the data could do but in the wrong hands it could be truly disastrous. I do not want Meta or Google anywhere near my medical data (and they're already pretty close in a lot of ways). I do not want my medical information used to enrich shareholders and that is the first thing that will happen; not improved research.
It should be easier for people to opt-in to sharing their medical data with a wide range of organisations if they choose but right now they never get a choice. It's either "we're making a law so we can give this data away" or not.
> the upside is just so much larger than the harms
I also don't agree with this as a blanket statement. For many people, including women in the US as you pointed out (amongst many other groups), the harms are criminalisation and imprisonment. The harm here, for the individual, far outweighs any potential benefit.
This seems like a good compromise moving forward. Add a section on whatever HIPAA forms you already need to sign that gives you the chance to opt in to use of anonymized data for medical research purposes.
I think for this to work, the law would need to clearly define how records must be anonymized, and provide penalties both for poor anonymization and for not clearly communicating to patients that this sharing is optional.
"Can we provide your medical details in full to the following organisations?" "Can we provide an anonymised version of your record to them?"
Yes. No.
Abide by those wishes. It's pretty simple.
Unfortunately big tech companies see the fines for handling data poorly as a cost of doing business, and not the punishment it was designed as. Until that changes, the status quo can't change.
I'm in the UK and if it transpired that Google (the company) had routine access to NHS medical data, I'd be very upset and complaining to the Information Commissioner's Office.
Does Google/a private company have to do it? No, but at a minimum the UK govt needs to make significantly better use of this data for research purposes. A 100x increase in medical research spending and a new more agile public medical research body would probably be enough.
The UK govt has proven that when it tries, it can do digital services _pretty well_.
The concern here isn't the government using the data for the betterment of society, it's the government handing over health data wholesale to companies whose sole purpose is to generate profit by exploiting data.
Ask for consent. If I say you can't use my medical data, then you can't use it.
If I say you can, then you can.
It's really very simple.
This is one of the many things that lead me to consider Google to be a harmful and reprehensible company.
Their corporate records are none of your business.
If we are gonna have no privacy, it should go both ways - companies lose privacy too.
It is not our responsibility to make this public. Your logic is similar to the gov trying to get access to all exchanges over the web to scrape them for terrorism and violent behavior. Maybe take a step back and think about the harms that would come out of this?
I wouldn't want any future employers to see my medical data for example, as they may use this to discriminate (theoretically anyway; my medical history thus far is essentially non-existent).
Also: in the late 90s my mother worked for the city to digitize a lot of social security records and such. She had a good friend who had trouble walking (crutches, wheelchair); the story she told was that she was hit by a car, but my mother read her records during her job and found out she had simply fallen and was never hit by a car. Much drama ensued. I have no idea why anyone would lie about that and I'm fuzzy on the details as I was about 12-13 at the time, but fundamentally I think people should have the right to lie about things like this, if they so choose, for whatever reason.
My first job involved a one hour lecture about how people had repeatedly accidentally deanonymized and accidentally leaked data at other institutions, leading to divorces and worse.
We had somewhere between 10 to 100 bytes of entropy on each patient, and it would have been enough for any of their acquaintances to map back to real names and also severely violate privacy.
If you're "Patient b15-2gty", then the data isn't aggregate. Aggregated data means that there are no individual data points at all, only aggregated ones, so there is no need for any sort of individual identifiers.
If there's any sort of individual identifier, then the data cannot be effectively anonymized. If the data is aggregated, and the original records that were included in the aggregate figures are deleted, then I think that's adequately anonymized and I would have no problem with it.
Short of that, though, "anonymization" is a thing that doesn't actually exist.
I don't agree about anonymization; "true" anonymity is probably impossible in most areas of life, even for simple things like a walk in the forest as there's always something a significantly advanced sleuth can use.[1] (There are no "true" one-way hashes either – you can always brute-force.) It's about it being too infeasible to actually do that.
[1]: https://arstechnica.com/science/2023/05/human-genomic-bycatc...
Instead of taking the information by force (which health care conditioned on opt in certainly is), we should figure out how to build a trustworthy medical research and care industry.
For instance: They could only make this information available to universities, and ensure the results of the research were public domain.
Or, they could create separation of concerns for companies involved. If Google wants to store medical data, then they have to spin off their ad business.
I don't think I'd find that sufficient.
What you're calling "collective hangups" are, in fact, real and serious risks. I am distressed at how many people have forgotten (or perhaps were never aware) of the real abuse and harm that was happening with the sharing of medical data before legal protections were enacted. Heck, those harms still happen now, but to a reduced degree.
You are saying that you'd like to take my personal data and make money from it without compensating me. My records are mine and they are private and it should stay this way.
I then went through the process of applying for disability insurance and dealt with the quagmire of them wanting access to all of my mental health records. Not a summary of my mental health diagnoses, but ALL of the individual progress notes. I refused them having those records and ended up having to waive any disability coverage due to mental health issues I was facing. That type of data I just didn't trust this insurance company to keep the data safe, especially as the paperwork stated they would share the data with all of their affiliates and partners with no recourse on my part to restrict what was shared. At that point, I realized that there are VERY good reasons why we don't just allow all of our medical data to be open.
And the people could be in big trouble because this data was stolen or is used against them.
On top of that it isn't even guaranteed that we were decades ahead.
Many of the big data promises didn't work out. Remember IBM's Watson?
> but the upside is just so much larger than the harms.
How do you know?
> With easy and ready access to medical data we could be decades ahead
So make it! On premises. Pay for helping in that. Do not pay for storage and CPU in clouds! And don't be naive about what good and progress "they" can bring to medicine. They will promise then stall as much as possible and you will be paying for not deleting your precious data. Or accessing your own data :> And watching as your data are published and sold on black markets...
Europe gets to use their free and open medical data freely for research. The US gatekeeps that information. It's a huge competitive advantage for Europe.
Sometimes people blame HIPAA for all sorts of random stuff which has no connection to the actual law.
It's clear which takes priority over the other.
https://www.hhs.gov/hipaa/for-professionals/privacy/special-...
You misspelled "villain" there. If that were to happen, I'd 100% be calling for them to spend as much time in prison as possible.
Without the privacy, the world would be a different place and the people in power in that world would have no interest in advancing anything that doesn't directly give themselves more power. There would be no well funded scientist outside of the military.
Other people's medical records, you mean?
Big Tech is not a thing, just like big-sensors was not a thing. Electric sensing became a thing in the 1900s, and the medical community benefitted from the machines built because of them. Tech is similarly a tool that has become available to all fields over the last 30 years. By treating big-tech as a bogeyman, we end up anthropomorphizing an inanimate marker of progress in our time. It's Scientific cartelized Amish-ness.
My controversial & intentionally provocative opinion for a while has been : "Doctors are evil". The more I read about it, the more I feel like there is an ounce of truth there.
They don't even say how to opt-out.
I think it doesn't really matter in what form the government appears. It's still the government and so its rules apply.
If it's a "limited company", that means its liability is limited to shareholder capital. It's going to have to have an awful lot of capital if it's going to be able to compensate the entire population for mishandling their data.
Also, if it's a limited company, then the shareholders can sell their shares; the company can change hands, often to owners in a different jurisdiction.
A limited company is not an arm of the government, and I can't hold a limited company accountable in the same way I can the government; especially if my personal data has left the jurisdiction.
Translation using Deepl:
Leasts on the Judgment of the First Senate of February 22, 2011 - 1 BvR 699/06 - Mixed-economy enterprises controlled by the public sector in private-law form are subject to a direct fundamental-rights obligation in the same way as wholly state-owned public enterprises organized in private-law forms.
This is apparently the German equivalent to an LLC.
Pretty sure you misunderstood what "limited liability" means. Pretty much all organizations today have the same legal status: https://en.m.wikipedia.org/wiki/Limited_liability
That's exactly the issue
GP is arguing that the entity in charge of all your medical information should not be an LLC. LLCs in general are great.
This company probably shouldn't be LLC.
Also, an LLC in the US is a kind of company. It is mostly used for small sole proprietorships and partnerships. Technically, public companies are “limited by shares” where shareholders are liable up to value of their shares. But there is no difference in terms of protecting owners from liability so they are called limited liability.
Are people confused that limited liability limits the liability of the company? Because limited liability means that the liability of the owners is limited to their investment. The company can go bankrupt from losing a lawsuit.
Otherwise you end up with people who can create as many harmful businesses as they want and just walk away when it explodes, ignoring everyone caught in the shrapnel. I'm 1000x more concerned about the effects of harmful companies than whatever friction it creates for starting new companies. Everything already moves too fast, it would be far preferable to have fewer corporations if it meant they were of higher ethical behavior.
Companies operated before the concept of Limited liability was even invented.
We have records of successful companies from year 578, like Kongō Gumi, in Japan.
No, that's what insurance is for.
Limited Liability is a double-edged sword. It does reduce the risk of starting a company. But it reduces some mechanisms to protect society from misbehaving companies.
More-so than anything else, the focus should be on preventing pre-existing conditions from being able to affect individuals negatively than adding hoops for the individual to access their own gated personal records (Moving between hospital systems today can be an absolute nightmare in the states).
NHS England has been trying repeatedly to make huge amounts of NHS data available to various kinds of commercial "partners". It started with supplying the Society Of Actuaries with the records of a million patients. For £3,000! Actuaries, of course, are primarily employed by insurance companies - not the kind of people I want having access to my medical data.
We were given the chance to opt out; you had to get and complete the official form from your GP, and go to the clinic and hand it in. But it turned out that only covered your GP's records; hospital records were subject to a different opt-out. You had to ask for a form from your local Health Trust, complete that, and mail it in. None of this was electronic or online.
Then there was a new plan, all your old opt-outs were obsoleted, and you had to go through the whole rigmarole again.
The UK has the finest collection of medical data in the world; a population of 70 million, and a consolidated health service dating back 80 years. No other country has this. I have no problem with that data being used by the NHS to improve existing treatments and develop new treatments. But handing it over for peanuts to J. Arthur Random really isn't on.
There are evidently civil servants in NHS England who are fanatical about sharing NHS data for commercial profit, even if that profit doesn't accrue to the NHS.
> Pseudonymisation and anonymisation are not enough: health data is so specific that re-identification can be trivial. Often a person’s social media or financial history, both widely available on today’s data markets, is sufficient to identify medical events that can easily lead to reidentifying supposedly pseudonymised or even anonymised datasets.
I agree with the sibling comment that we need more open data if (iff?) we want to increase the pace of medical research. But it seems to be a tough cookie to crack.
And that is the problem here: how do you remove enough data to make it NOT personally identifiable (or close to) AND not remove so much data that the whole thing is pretty useless.
No one has really managed that yet. People who have not tried assume it is possible. But it probably isn't except maybe in very specific cases where you only need very limited data and don't care about correlations with other factors...
There are some quite high profile examples of orgs releasing anonymised data and people linking it back to the individuals:
https://www.theguardian.com/technology/2019/jul/23/anonymise...
Interestingly the UK (I am a limey brit) actually has some really good experience with this, both from NHS medical records and public studies on Civil Servants...
https://en.wikipedia.org/wiki/Whitehall_Study
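The trade-off argued over in the comments above (a few quasi-identifiers single people out, while coarsening them blunts the research questions) can be measured before any release. The following is an added example, not code from any commenter: it computes k-anonymity, the share of unique records, and l-diversity on constructed sample records at three coarsening levels; all field names, values and the `report` helper are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real patients): age, 5-digit ZIP, sex, diagnosis.
RECORDS = [
    {"age": 34, "zip": "94110", "sex": "F", "dx": "asthma"},
    {"age": 36, "zip": "94112", "sex": "F", "dx": "diabetes"},
    {"age": 38, "zip": "94117", "sex": "F", "dx": "asthma"},
    {"age": 31, "zip": "94103", "sex": "F", "dx": "hiv"},
    {"age": 52, "zip": "94110", "sex": "M", "dx": "hypertension"},
    {"age": 55, "zip": "94114", "sex": "M", "dx": "diabetes"},
    {"age": 58, "zip": "94121", "sex": "M", "dx": "asthma"},
    {"age": 51, "zip": "94107", "sex": "M", "dx": "depression"},
    {"age": 13, "zip": "10001", "sex": "F", "dx": "asthma"},
    {"age": 17, "zip": "10003", "sex": "F", "dx": "asthma"},
    {"age": 12, "zip": "10011", "sex": "F", "dx": "diabetes"},
    {"age": 18, "zip": "10002", "sex": "F", "dx": "depression"},
]

# Fields an acquaintance, employer or data broker could plausibly already know.
QUASI_IDS = ("age", "zip", "sex")


def generalize(rec, age_band, zip_digits):
    """Coarsen quasi-identifiers: bucket age into bands, truncate the ZIP code."""
    low = rec["age"] // age_band * age_band
    return {
        "age": f"{low}-{low + age_band - 1}",
        "zip": rec["zip"][:zip_digits] + "*" * (5 - zip_digits),
        "sex": rec["sex"],
        "dx": rec["dx"],
    }


def equivalence_classes(rows):
    """Group diagnoses by identical quasi-identifier combination."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[q] for q in QUASI_IDS)].append(row["dx"])
    return groups


def report(age_band, zip_digits):
    """Privacy and resolution metrics for one coarsening level."""
    rows = [generalize(r, age_band, zip_digits) for r in RECORDS]
    groups = equivalence_classes(rows)
    sizes = [len(dx) for dx in groups.values()]
    return {
        # k-anonymity: size of the smallest group sharing the same quasi-identifiers.
        "k": min(sizes),
        # Share of records that are the only one in their group (singled out).
        "unique_fraction": sum(1 for s in sizes if s == 1) / len(rows),
        # l-diversity: fewest distinct diagnoses in any group; 1 means group
        # membership alone reveals the diagnosis.
        "l": min(len(set(dx)) for dx in groups.values()),
        # Number of distinct groups left: a rough proxy for analytic resolution.
        "classes": len(groups),
    }


if __name__ == "__main__":
    for band, digits in [(1, 5), (5, 4), (10, 3)]:
        print(f"age_band={band:>2} zip_digits={digits}", report(band, digits))
```

At the coarsest level every record hides among four, but ages 12 through 18 collapse into one 10-19 band, so a question comparing 12-14 with 16-18 can no longer be asked of the released data.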
As archaic as HIPAA is, the tools that we have today to obfuscate PHI (e.g. tokenization) respect the individual's privacy. The major cloud infrastructure providers are all HITRUST certified and ready to sign BAAs to keep everyone accountable.
I think we're in a good place right now for innovation with healthcare data. Multi-modal (think genome + claims + social determinants of health) are starting to become a thing. As a population, we'll benefit from more targeted therapies.
Technology is catching up with the swaths of data that have been amassed since the 2000s. I hope for more innovation vs. shackling it with uninformed regulation.
A major roadblock for our startup is getting medical information integrated into our system. It's difficult to compete with the IBMs and Epics of the world when we don't have a million developer hours to dedicate to writing plugins for every vendor. It's not just us struggling with crappy data management - it confuses hospital staff, too. Our customers are frustrated when we tell them things like "you gave us <XYZ obscure file type> which doesn't contain the information we need; do you have <ABC obscure file type> instead?". MRI scans (DICOMs) are particularly gnarly.
Even the IBMs and Epics of the world struggle to not make crappy software. How do you present a relevant medical record to a doctor at the exact right time they need it? There is so much data to sift through that medical information frequently slips through the cracks when patients transfer hospitals or their hospital merges with another.
If there isn't a standard way to query an electronic health record then companies are incentivized to just throw data at an LLM to parse it (which is exactly what we're moving towards). Trying to build AI-type solutions will just make these companies even more data-hungry and result in a less reliable solution.
I'm not opposed to continuing to hold startups/big tech accountable for keeping personal health information private and secure.
https://towardsdatascience.com/understanding-differential-pr...
Blanket bans, while sounding good, can slow down pace of innovation in an area that desperately needs more of it - esp as the world is aging.
This needs to be a combination of informed consent, clear access auditing and usage, and laws to heavily penalize misuse of this data.
Lack of information is a big challenge for doctors. When I say challenge, I mean people are dying needlessly because their doctors don't have access to critical information and this leads to bad decision making.
Here in Germany doctors are completely in the dark. Even basic information like who I am or where people live isn't being shared. Because privacy. Every doctor you talk to first needs to take down all your basic details. Address, date of birth, etc. Every medical appointment is Groundhog Day. They know nothing of you, your personal details, or your medical history. And German GPs don't do a lot themselves. You get referred for even the most basic things but without them sharing information. So, all the obvious things happen on a daily basis. People receiving the wrong medications. Doctors not acting because they are unaware of the history of the person in front of them. Or wasting time on diagnosing things that have already been diagnosed. Or mis-diagnosing those things.
That's the consequence of bad data.
The standard German sentiment against anything digital is "I don't like this". But the consequences are that they have to suffer bad health care, a stupendously inefficient system that they pay for through really expensive insurance every month, and preventable deaths because essential data isn't being exchanged to those who need it.
And their privacy sucks anyway, because IT security is about what you expect from a sector running on ancient hardware and software. IT incompetence/ignorance is the norm. Quite a contrast with other countries I've lived in.
If I didn't have a modicum of assurance that what happens between me and my doctor stays between me and my doctor, I would absolutely avoid going to see a doctor to the greatest extent possible.
Want to see if there's a geo cluster? Oh sorry, there's no location data. Do you want to see if something affects age band 12-14 instead of 16-18? Sorry, everyone in that group is in a HIPAA bucket. Do you want to see if there's a commonality among treatment options for obese women over 65 who are diabetic in rural communities? Nope, sorry.
Do you want to determine the success rates and outcomes for different treatments in different regions for a given condition, and if they differ by age/gender/ethnicity/place of treatment? Nope.
If there are uses that are prohibited, prohibit them. That's what the law is for.
These laws, while well-intentioned, kill people.
If you think that's an OK tradeoff, I guess you're free to accept that. But there is very real blood on your hands, the fact that none but the most egregiously common diseases are studied. It doesn't have to be this way.
There is ample evidence for what happens when companies in the health space are allowed to make their own rules, and it isn't better health outcomes. See thalidomide.
So does medical fraud, and it's not well-intentioned at all.
Just sayin'.
I have almost no faith at all in the types of folks that found and run tech companies, these days.
They have proven, over, and over, and over again, that They. Just. Can't. Be. Trusted.
If the tech industry were to create an ethics board, with real enforcement teeth (like the Bar Associations, or Medical Boards), then that could be a start.
The problem is, as soon as anyone even mentions the possibility of restricting tech companies, they are taken out behind the woodshed.
Some naive software developers and data scientists have this fantasy that if they could just data mine millions of patient charts that they could discover all sorts of medical insights that would save lives. This is almost totally false.
The real issue with using research data from multiple organizations has more to do with quality and consistency than privacy rules. Various provider organizations will record the same clinical data in different and incompatible ways, or often fail to record it at all. Researchers working with such data have to devote huge efforts to building pipelines for validation, cleansing, and normalization.
That goes both ways though. People are responding to hostage-taking actions by big tech and trying to protect themselves. There is a theoretical middle ground where data is available for research but not for abuse, but big tech typically won't allow that.
Rubbish. There's a difference between people dying because some startup can't cheaply get access to medical data, and someone being killed.
> But there is very real blood on your hands
Sounds like you work for a health-data startup? You're rather handy with the guilt-trips you're slinging around.
What would this data be used for in practice? Insurance corporations would use it to identify people at greater risk of diseases and to deny them coverage (or make it difficult to obtain coverage, remove them from coverage, etc.) in order to increase their profit margins.
Now, you could have useful anonymized public databases, for example, imagine if everyone got regular monitoring of body burden of heavy metals and industrial and agricultural organic chemicals, and that was cross-referenced to their incidence of cancer, liver disease, etc. This could reveal common associations between specific pollutants and various diseases that could then be studied in more detail. Similarly, this could be applied to pharmaceutical products (which sometimes do more harm than good to their users).
Of course, that kind of public health-centric database would open up corporations to liability and cause profit loss, which is why such body-burden assessments of pollutants are not part of your normal medical checkup.
* Hypothesis generation sped up
* Candidate participant discovery sped up - including finding controls
* large classes of analysis possible on just the data, including difference in difference and natural experiment
Do you think Big Tech shareholders (with additional holdings in pharmaceuticals, petrochemical, agribusiness etc.) would be interested in a database of rigorously anonymized patient data intended to discover relationships between things like pesticide exposure and Parkinson's disease, or unpleasant side effects of currently profitable pharmaceutical products?
It's less about "who" and more about "how". How will we grant this access in safe and (preferably) anonymous ways.
It's both. "Who" is a very critical thing, because there are so many bad actors out there.
Another problem is that these laws (HIPAA, etc) actually CONTRIBUTE TO the leaks, because they provide a huge blackmail incentive to hackers. The penalties are so large that hackers know they can extort giant payments from companies.
Also, it's no small loss that it's so difficult to use this data for legitimate research purposes now, depriving us of all the medical gains we otherwise would have.
Certainly, I would not want my records in the newspaper - but really what's the worst outcome? Everybody finds out just how much ED medication I take?
I suspect a lot of this legislation is (as usual) motivated by the businesses that stand to gain from it. It creates a large moat around existing large businesses that can afford to cooperate. And funnels a lot of money to the consultancies and other companies that work to comply with these policies.
I disagree entirely.
> really what's the worst outcome?
Well, let's look at what's happened in the past. You could be denied employment, denied housing, denied insurance coverage, even denied essential medical treatment, for starters.
American history includes a period in the not-too-distant past where we put all people of a specific ethnicity in internment camps. So I'm gonna go with using genetic data towards those purposes probably. Maybe I could come up with even worse.
No. The worst outcome is the police arresting a random civilian because their medical record showed they were actually a fully transitioned person living as their identified gender (and thus the only way they would know is through trawling through medical records) and are therefore in violation of, say, a bathroom law. Or a law banning "crossdressing" or other shit.
It's teenagers and young women being sent to prison because there's a medical record where they were treated for excessive bleeding which lost a pregnancy, and are put in jail until their trial for abortion is up because they're too poor for bail.
It's buying up the medical data of Jewish people to "prove" they're really harvesting the blood of Christian children.
Consider this: the same argument could be applied to our endeavor to safeguard the secrecy of voting. What is the worst outcome if everyone discovers who you voted for?
Such conclusions are inherently biased because we are unable to accurately evaluate the importance of these very existing protective measures in a civilized society.
That's far from the worst outcome. You could lose your job, be sent to prison, be denied insurance.
Your employer finds out that you are alcoholic?
I’d much prefer a different set of companies having access to records at scale for the purposes of improving outcomes, which they will never care about (having seen it first-hand).
You can imagine how your medical record could be used against you, I'm sure? For people that have suffered aggressions, addiction, mental issues, these are all private but can be used against an individual in the public sphere.
[0] https://www.businessinsider.com/google-fired-employees-abusi...
Google is a private company with no oversight.
0: https://www.healthcaredive.com/news/google-epic-cloud-partne...
If not, this is alarming, thanks for the heads up
Here's a simple example of what can happen with your medical data: Medical data ends up somewhere like LexisNexis -> Company looks you up before hiring -> Company sees that you have a health condition that will cost them more in health insurance costs -> Company doesn't hire you because "it's not a culture fit".
Oh, you don't have a health condition right now? Well, pray you never develop one either -- your boss will probably be able to sign up for push notifications for when there's a new diagnosis for you.
The point is they wouldn't be 'invasive'. Plug a name into a website, get a cost breakdown of how much health insurance would cost for that employee. Indeed will probably have that feature ready to go the day after it becomes legal/available. A few minutes of work for a relatively low-paid employee processing applications, or these days probably some sort of automated system doing the same.
> Secondly why are companies paying more for healthcare given an employee sickness.
They might not pay more for that single employee, but they will pay more overall. The insurance company, as much as it can, will look at how much it's bringing in, and try to maximize that. So a company could find itself paying higher rates when they renew their health insurance contract.
Conversely, it would be easy to make that kind of thing illegal, while concomitantly more open records access would reduce healthcare costs.