Health Tracking and Privacy: Where Have We Come From?
Apple HealthKit, Google Fit, electronic health records and the quantified self: We are being ushered into an age where healthcare privacy is much more complicated — and also involves much more consumer control — than ever before. But the topic of health tracking and privacy isn’t entirely new. We’ve always had concerns with privacy when it comes to healthcare – it’s just that the context has changed.
In a series of new posts, we’ll look at the nature of healthcare tracking, healthcare privacy and how they have evolved. This first post will focus on the past.
Access, Volume, Notification
When it comes to the privacy of our healthcare and the records associated with our care, there are three major factors:
- The first is difficulty of access, which usually gets the spotlight in most discussions.
- Another important factor, thanks to modern technology, is the increasing quantity of records.
- Finally, notification is a facet that isn’t always taken into consideration, but will begin to take precedence in maintaining privacy.
How does the history of medical information security play into today’s conversation and even the future? Many people don’t consider that healthcare privacy has been a paramount issue for a while now and has even been an element of our nation’s politics for many years. This is a fire that has been burning for a long time, but technology has the ability to throw gasoline onto it.
Healthcare Privacy Issues Are Far From New
Travel with me back to 1979—Ford Pintos were exploding, Three Mile Island was melting down, and NASA’s Skylab was falling. There was a lot for Americans to worry about, but the privacy of medical history didn’t top most people’s lists. Which is one reason why some of the primary handlers of your medical records were candy stripers, hospital volunteers who were usually high school students. Accessing medical records was as easy as picking up a folder; there were few barriers and no encryption. Quantity would be a challenge for anyone looking to access records, though. Notification was nonexistent. Your records could be copied and replaced, and you might never have any idea.
This pre-digital, pre-HIPAA world is exemplified by a certain time that health records did make headlines in 1979 — when the Shah of Iran, Ayatollah Ruhollah Khomeini, came to the U.S. for cancer treatment. He was, however, being sought by his conflicted home country to be put on trial. His being allowed into the country sparked the Iran hostage crisis, which lasted over a year. He had to come into the U.S. for care, and the media publicized the care he was under, nearly revealing all of his medical history under the guise that the public had the right to know.1
Technology Has Played an Integral Role for Decades
We often assume that the technological advances of recent years have created new concerns about healthcare and privacy, but 16 years ago, there were already concerns about what software would introduce to the healthcare industry. There were plans to create a global identifier — one value that could unlock all medical records for a person. While that would certainly make it easier to access full records rapidly in case of emergency, the idea introduced all of the concerns about data privacy that we’ve since become accustomed to. In 1998, Congress passed Public Law 105-277, which included Title V, section 516. In this somewhat-obscure line tucked into that year’s general legislation, they stated that no funds should be used to develop or standard created to enact a unique patient identifier. This one sentence has blocked all pushes from lobbyist and corporations from creating this global health identifier since.2
And isn’t the idea of companies buying personal information to market products a new issue, born in the online age? Not really. Nearly 20 years ago, companies that manufactured baby formula were purchasing hospital records to market to new mothers, and in response to that, legislation was proposed to control what types of information companies could buy. State and federal governments are still pushing to pass these laws.
HIPAA, or the Health Insurance Portability and Accountability Act, was passed into law in 1996. Title I discussed healthcare access, portability and renewability; however Title II is what HIPAA is most well known for. It was implemented to prevent fraud and abuse, promote reform, and act as the primary legislation for healthcare privacy. HIPAA regulates protected health information (PHI) and its handling by any and all parties. So now everyone that has access to health records is heavily regulated and monitored -- a far cry from candy stripers.
Shifting Privacy Concerns
The issue of privacy is a complex one because the term has meant different things throughout history. “Privacy” referring to personal information is still a relatively new concept, culturally speaking. While privacy of our health and personal data has always been a concern, it has recently become more of an issue than the actual information we are protecting.
We have moved from a place of relative disregard about health records to highly regulating it. Data is encrypted and transferred under incredibly rigorous standards. Technology has allowed us to limit access with precision and enables notification of when and where our information is being shared. But the biggest change is in the quantity of information that exists. Data leaks can affect hundreds of thousands of patient data. Thanks to digital systems, safeguards of the privacy of health records are complex and strong, but the flipside is that, when the system breaks down, it does so in a fantastic manner.
With the emergence of big health data and technology-enabled tracking, healthcare privacy is an important topic today. But as we have demonstrated above, it definitely isn’t a new topic to the industry or to pharmaceutical companies. Pharmaceutical companies can and should behave responsibly when it comes to respecting and protecting health data. As collective members of this industry, we all have the responsibility help strike the needed balance between privacy and access.
We’ll continue to explore health privacy in the present and the future. If you want to know where you are going, you have to know where you have been.
1McKean, K. (1979, December 24). Shah’s case strains doctor-patient privacy principle. The Spokesman-Review, p. 2.