I strongly oppose this kind of law. HIPAA is a massive burden on medical and research organizations of all sizes, I've personally spent hundreds of hours navigating both human and technical bureaucracy related to HIPAA and I wouldn't wish that on my worst enemy.
Ultimately however the worst part of these laws is that they are so harmful to research in the long run. With easy and ready access to medical data we could be decades ahead of where we are today. There are legitimate concerns about health privacy (especially for women in the US) but the upside is just so much larger than the harms. It could be 10x less costly and time consuming to do both epidemiology and longitudinal intervention studies if we only had access to data. We could be directly tackling disease causal factors in ways that researchers today only dream of. It really is tens of thousands of lives lost each year that could have been saved if we could only have moved faster toward interventions.
I believe medical records should be open and laws should address how people use the data, not trying to make something so valuable to all humanity secret from the beginning. For example you can download my genetic code here: https://www.openhumans.org/member/iandanforth/
Doctor-patient confidentiality is important so that the doctor can act in your best interest (yes, yes, very funny) with full information. Very many things doctors need to be aware of to diagnose conditions have significant social stigma. Examples include alcoholism, mental disorders, substance abuse, genital status, sexual status, pregnancy status, the list goes on. The average person is reluctant to share this information to begin with, with good reason, as it goes into a permanent record. If such a record were public…
No, even for longitudinal studies, even with “anonymized” data, the risk is too great for any individual, and to society in general. Ideopathic and non-causal diseases should have some buy-in from patients; a standard waiver might be useful for research use of data. (I’ve signed one.) But in general, no, the restrictions are worth it.
Yet they leak my medical records to debt collectors every single time, for debts that aren't even mine (when insurance refuses to pay for what they should).
Doctors almost never act with full information. Doctors don't even want full information. It wastes their time. If you come to a new doctor they will make you fill out a stack of forms where you inaccurately self-report your medical history and then they will toss that in the rubbish bin. If you so much as dare to suggest that a doctor should transfer your old medical records from one place to another, they will vehemently object and question why you would want to do such a thing. In fact it is far easier to sign a release of medical records and authorize their release, than it is to cajole any given Records Department into accepting the transfer of records in any format, much less a machine-readable format that would be useful.
I believe it is a liability for doctors to know a true medical history, and anything not already being treated can be ignored and re-diagnosed later, which of course is an ideal situation for the insurance and the new provider, because you can charge all over again for those diagnostics.
Case in point, I had two EKGs performed on me, one in urgent care and one in the hospital. It was not too long before I was going in for surgery, and a prerequisite was a "12-lead EKG" readout, so naturally the hospital tried to force me to undergo a new one at enormous cost and inconvenience, and I balked, because I already had two perfectly good readouts in hand. They eventually relented, but it was incredibly difficult for them to admit that the test results were valid and acceptable, and this is all part of the scam, to charge as many times as possible for anything that wasn't performed here and now by us.
Likewise with psychiatry and therapists; I've been through multiple clinics and dozens of counselors, and of course each one produces a mountain of case notes. So I always offer and suggest that I sign a release and have all the prior case notes transferred over so that they get to know me better. The answer is always "no". They want to know nothing beyond what is in the intake forms, that they will spend 5 minutes reading. Then we will start my therapy over from Square One with a stranger and I get to recount all my feelings and life experiences over and over and over again, on my dime.
Nevertheless, it is still of the utmost importance that you continually sign authorizations for release and that you requisition all available records from all your providers. Authorize all providers to release information to your friends and family. They will hang up the phone if there is no release on file. Renew those authorizations on time, every time; your provider will not remind you. Release all records to yourself on a regular basis, especially after a hospitalization or major incident. You will want good records, just for your own examination, and also if there is ever a dispute or litigation about something, your attorney will appreciate those records too.
> Very many things doctors need to be aware of to diagnose conditions have significant social stigma... the risk is too great for any individual
Very many things doctors need to be aware of, because the patients life depends on it, are left out when patients move between specialists and physicians, which happens all of the time.
Outbreaks of viral and bacterial illnesses result in thousands of people independently chasing diagnoses and treatment, because the system doesn't share information that could be used to piece together and get ahead of it. Every time my kid gets sick at school, I get to play a game of "What is it? Do we see a Doctor? How much money should we spend?". Lets pretend we know nothing about this and go see a Doctor who hasn't seen anyone else in school, who may provide antibiotics they may or may not need or worse.
Effective prevention methods and early detection of bad treatment are discarded because its so difficult to investigate and connect the dots between interventions and outcomes.
Patient privacy is important, but the system we have today is nothing less than a tragedy. Real damage in emotional, physical, and economic is happening on a grand scale every day in this country. We shouldn't pretend HIPPA is a good thing, or the current system is doing a good job. Its not. We need to radically transform how we operate, and much more open and connected medical records is certainly a part of that transformation.
Absolutely not. Healthcare is already oppressively expensive in the US and now you want companies to be able to commercialize and exploit my private health information for profit? And they don’t even have to pay for it so they can sell me the cure they developed using information from my private health information?
America needs to be a radically different place for me to be okay with what you want.
It would be interesting if all research and advances based on PHI were automatically public domain. Sort of like the GPL - any derivatives, treatment discoveries, etc. must also be open. There would probably be too many loopholes to cover effectively, but it's a thought.
Give me a surefire, 100% guarantee that my data won't be misused against me or anyone else, under severe penalty to you personally if your guarantee fails. Then we can talk.
i cant give you that guarantee today. I can't guarantee the government or your healthcare provider isn't misusing your data.
In fact a surefire guarantee essentially doesn't exist. But what exactly are you afraid of? How does someone weaponize your information? Everyone in my life already knows about my health conditions, i speak openly about them in my personal life, my business life and online there have been zero consequences to this.
You're correct in pointing out that people are inherently selfish, however one major purpose of collective government is to do those things which are necessary and not always in-line with selfish motivations. Just as most Americans would be horrified to have their salary posted publicly for fear of stigma, jealousy, reprisals etc, Norway has demonstrated that those fears are unfounded, and salary data doesn't even have the opportunity to save thousands and thousands of lives.
I understand your perspective, and respectfully disagree. The reason HIPAA exists is because of a long history of the abuse of people's medical records. Companies should not have access to my records without my explicit informed consent. They have shown time and time again that they can't be trusted with sensitive data. That's at least equally true for tech companies.
I'd be OK with a system that gave researchers access to my medical history only if they obtained actual, informed, and un-coerced consent. No "In order to use this medical service you must consent...", no "Please click Agree on this 38-page terms of service (which also sneakily agrees to consent)". No "I provide consent to each and every so-called researcher who wants access to my health history."
An actual written request for consent from a research institution, telling me exactly what data they intend to access, how they will access it, how many people will have access, for how long, and what they will do with the data / results after they are done. One that I can at my option sign and send back, or trash.
I'd in all likelihood say yes! But as a patient, I deserve the right to say yes or no. "Lives might be lost" is simply not justification for obtaining it.
This doesn't seem that unreasonable to me. It balances the need for research with the patient's need for privacy.
Why am I not surprised that the top voted comment on Hacker News is one that ignorantly states only one side of an issue which just happens to benefit corporations at the expense of everyone else? HN can always be trusted to present the pro-corporate, anti-human take.
"Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions."[1]
That's what's on the HHS website, and that's a mild example of what was happening prior to HIPAA. Health information was being used to out gays and HIV patients, discover people's race, bypass due process, stalk women, etc. With data being weaponized against individuals more and more, we have good reason to believe that this would be worse in 2023 if these laws didn't exist, not better.
Yes, I'm aware of the burden that this puts on medical research. Behaving ethically is hard sometimes--get over it. You don't get a free pass to use people's private data without their consent. You might claim that you're only going to use that data for good, but the fact that you think bypassing people's basic human rights is acceptable shows that you don't have a working moral compass. You can't be trusted to only use people's data for good.
The fact that you wrote three paragraphs on this topic and didn't even mention the rights of the patient shows me I don't want you to have access to my medical data, let alone having authority to make decisions about who else can see my medical data. You're not a person who will make that decision ethically and responsibly.
> With easy and ready access to medical data we could be decades ahead of where we are today.
That's just bullshit.
Also, given the state of medical research methodology, you could just as well argue that it would yield even more unreliable studies, each adding confusion to our knowledge.
I get where you're coming from but the problems are orthogonal.
Let's say that each research study spends 10% of its time on recruitment and another 5-10% of its time on compliance. (Real numbers can be much higher).
Open medical data would reduce both these efforts, so every study, regardless of quality now goes more quickly and/or is less expensive. This is the primary benefit.
Now you're pointing out that extremely open data can lead to rapid and perhaps erroneous analysis. This is true, but it would also lead to rapid and accurate analysis. My point is that everything speeds up and compliance regulations around data handling are far less impactful on study quality than are protocols around experiment design.
I don't have time to type an essay but I have been in this field for years and it's simply true.
Please trust the opinions of people who have tried to do this work. There are many people trying to advance medical research in good faith who can attest to the insane inefficiencies of working with medical data.
> I believe medical records should be open and laws should address how people use the data, not trying to make something so valuable to all humanity secret from the beginning.
I believe exactly that about not medical records but medical procedures. If the doctors force me to share my medical records with the world of spammers and scammers I would rather choose to be a doctor for myself. But I see a little bit of problem when medical books are hard to download and medical drugs are very expensive because of so-called intellectual property. Medical industry relies too much on just obeying to all the doctor tells to do, blindly and brainlessly.
Do you really believe that my medical records bond to my personal data are more important knowledge to society than how to do drugs which can save anybody?
Please give me your full address, all your passwords & associated emails & phone number please, I pinky swear I won't misuse these in any way and will only do research with this information about the security of people's houses & accounts!
that would solve a lot of problems, probably a lot more than making health data public. otherwise keeping your data off the record becomes just another bussiness model.
> HIPAA is a massive burden on medical and research organizations of all sizes
That is the point. It is supposed to be burdensome. It is supposed to be difficult and cumbersome to do anything with anybody's medical data.
I don't want to dismiss your comment entirely, because I understand the frustration around the good that the data could do but in the wrong hands it could be truly disasterous. I do not want Meta or Google anywhere near my medical data (and they're already pretty close in a lot of ways). I do not want my medical information used to enrich shareholders and that is the first thing that will happen; not improved research.
It should be easier for people to opt-in to sharing their medical data with a wide range of organisations if they choose but right now they never get a choice. It's either "we're making a law so we can give this data away" or not.
> the upside is just so much larger than the harms
I also don't agree with this as a blanket statement. For many people, including women in the US as you pointed out (amongst many other groups), the harms are criminalisation and imprisonment. The harm here, for the individual, far outweighs any potential benefit.
> It should be easier for people to opt-in to sharing their medical data
This seems like a good compromise moving forward. Add a section on whatever HIPAA forms you already need to sign that gives you the chance to opt in to use of anonymized data for medical research purposes.
I think for this to work, the law would need to clearly define how records must be anonymized, and provide penalties both for poor anonymization and for not clearly communicating to patients that this sharing is optional.
I know that you probably meant Google (the search engine), but Google (the company) is already in your medical data: https://cloud.google.com/healthcare
I reject the framing. It's about responsibility vs selfishness and fear. Medical information is a byproduct of something you do anyway that can save lives. It is our responsibility to make it available. If you want to opt out, fine, but basic decency demands that as a society we get over our collective hangups and make this information available.
> Ultimately however the worst part of these laws is that they are so harmful to research in the long run. With easy and ready access to medical data we could be decades ahead of where we are today.
You are saying that you'd like to take my personal data and make money from it without compensating me. My records are mine and they are private and it should stay this way.
I used to have the same philosophy having also spent hundreds of hours dealing with the bureaucracy both technical and human of HIPAA and the need to have more data to improve health outcomes for people.
I then went through the process of applying for disability insurance and dealt with the quagmire of them wanting access to all of my mental health records. Not a summary of my mental health diagnoses, but ALL of the individual progress notes. I refused them having those records and ended up having to waive any disability coverage due to mental health issues I was facing. That type of data I just didn't trust this insurance company to keep the data safe, especially as the paperwork stated they would share the data with all of their affiliates and partners with no recourse on my part to restrict what was shared. At that point, I realized that there are VERY good reasons why we don't just allow all of our medical data to be open.
This reads an awful lot like we could eliminate all crime with a sufficiently strong police and surveillance state, or eliminate all obesity by attaching activity trackers to everyone and having the government ration only as much food as you actually need. Both true, but humans inherently value things other than health and longevity, such as freedom and privacy. Governments that are not dictatorship have to manage these competing demands from citizens. Otherwise, you could probably maximize health outcomes by allowing research facilities to just all operate like Unit 731. Sure, you might kill a few million people, but you're doing it to save trillions in the future.
Btw. I read somewhere "they" already have a lot of data.
> With easy and ready access to medical data we could be decades ahead
So make it ! On premises. Pay for helping in that. Do not pay for storage and cpu in clouds ! And don't be naive about what good and progress "they" can
bring to medicine. They will promise then stall as much as possible and you will be paying for not deleting your precious data. Or accessing your own data :> And watching like your data are published and sold on black markets...
Couldn't agree more. Until you work in the healthcare field, you don't realize how much time and energy is wasted following HIPAA protocols. The doctor can receive your results, know your results, and still force you to come in because they can't tell you your results over the phone per protocol.
Europe gets to use their free and open medical data freely for research. The US gatekeeps that information. It's a huge competitive advantage for Europe.
There is nothing in HIPAA which prevents doctors from telling patients their results over the phone. They might not be able to leave voice mail with those results unless you specifically consented to that. They can also ask the patient for additional information during a phone call to verify it's really them and not someone else who answered the phone. For particularly sensitive test results, like say an HIV diagnosis, doctors might sometimes ask the patient to come for an in person visit so that they can explain everything in context and arrange an appropriate treatment plan.
Sometimes people blame HIPAA for all sorts of random stuff which has no connection to the actual law.
how will you make sure potential employers or insurance companies do not use that knowledge against individuals? What about social stigma? Victims of abuse/rape might be even less likely to come forward if the medical data is made public. I think before advocating to break down walls we should learn why they were raised to begin with, before countless people are hurt one way or the other.
If medical records are open by default then there will be a dark research market that easily operates outside the purview of the law. Medical data, hell most data about people should be hidden by default. Your idea is wildly naive and you ought to read about chestertons fence.
I've always thought this about HIPPA as well, having worked in the healthcare field years ago. I imagine some "hero" leaking an enormous healthcare dataset after anonymizing some info and furthering research. Too bad I never had access to that.
There is nothing legally stopping healthcare organizations from asking patients for informed consent to share their anonymized data with researchers. The government even provides clear guidelines for de-identification.
As a patient, I feel like HIPAA has been used by care providers to bully me into giving away my rights and data on pain of not getting care. It's a train wreck.
"but the upside is just so much larger than the harms"
Without the privacy, the world would be a different place and the people in power in that world would have no interest in advancing anything that doesn't directly give themselves more power. There would be no well funded scientist outside of the military.
It’s wild, the world before HIPAA was even more walled off and data just didn’t flow at all. It was still a world of paper records widely at that point. Where we are with HIPAA is so much better, but still plenty of room to improve with delegated access.
The alarm around possible exploitation due to public medical data far exceeds the ground reality. At the same time, it has stifled progress in the field leading to more deaths than we should have to tolerate.
Big Tech is not a thing, just like big-sensors was not a thing. Electric sensing became a thing in the 1900s, and the medical community benefitted from the machines built because of them. Tech is similarly a tool that has become available to all fields over the last 30 years. By treating big-tech as a bogeyman, we end up anthropomorphizing an inanimate marker of of progress in our time. It's Scientific cartelized Amish-ness.
My controversial & intentionally provocative opinion for a while has been : "Doctors are evil". The more I read about it, the more I feel like there is an ounce of truth there.
In Germany they decided to make the EPA (electronic medical record) opt-out starting by 2024. Managed by "gematik GmbH", a company with limited liability. Because why should the entity responsible for all medical records have some liability. It is a joke, a bad one.
> I think it doesn't really matter in what form the government appears. It's still the government and so its rules apply.
If it's a "limited company", that means it's liability is limited to shareholder capital. It's going to have to have an awful lot of capital if it's going to be able to compensate the entire population for mishandling their data.
Also, if it's a limited company, then the shareholders can sell their shares; the company can change hands, often to owners in a different jurisdiction.
A limited company is not an arm of the government, and I can't hold a limited company accountable in the same way I can the government; especially if my personal data has left the jurisdiction.
I honestly think the the taboo-nature of medical records kills people in significant numbers.
More-so than anything else, the focus should be on preventing pre-existing conditions from being able to affect individuals negatively than adding hoops for the individual to access their own gated personal records (Moving between hospital systems today can be an absolute nightmare in the states).
This is actually a bigger problem in the UK (no longer in the EU).
NHS England has been trying repeatedly to make huge amounts of NHS data available to various kinds of commercial "partners". It started with supplying the Society Of Actuaries with the records of a million patients. For £3,000! Actuaries, of course, are primarily employed by insurance companies - not the kind of people I want having access to my medical data.
We were given the chance to opt out; you had to get and complete the official form from your GP, and go to the clinic and hand it in. But it turned out that only covered your GP's records; hospital records were subject to a different opt-out. You had to ask for a form from your local Health Trust, complete that, and mail it in. None of this was electronic or online.
Then there was a new plan, all your old opt-outs were obsoleted, and you had to go through the whole rigmarole again.
The UK has the finest collection of medical data in the world; a population of 70 million, and a consolidated health service dating back 80 years. No other country has this. I have no problem with that data being used by the NHS to improve existing treatments and develop new treatments. But handing it over for peanuts to J. Arthur Random really isn't on.
There are evidently civil servants in NHS England who are fanatical about sharing NHS data for commercial profit, even if that profit doesn't accrue to the NHS.
The article doesn't mention whether those are anonymised records. A PDF from the references expands on that:
> Pseudonymisation and anonymisation are not enough: health data is so specific
that re-identification can be trivial. Often a person’s social media or financial history, both widely available on today’s data markets, is sufficient to identify medical events that can easily lead to reidentifying supposedly pseudonymised or even anonymised datasets.
I agree with the sibling comment that we need more open data if (iff?) we want to increase the pace of medical research. But it seems to be a tough cookie to crack.
You cannot really anonymised records like these. You can identify most people from only their post code, gender and date of birth (using just public data sources). So stripping names out is meaningless...
You're really underestimating the depth of anonymization in medicine. Birth dates are considered PII. Treatment dates are PII. Record numbers are PII. Locations "narrower than a state" are PII. Even ages over 85ish are PII because there tend to be very few people that old at a particular facility.
For my W2 job, I broker the commercial sale of "real world evidence". It's usually hospital, insurance and pharmaceutical claims data. The buyer is largely big pharma. They want it for things like monitoring a patient's journey and adverse events related to their drugs. There's use-cases in clinical development and pre-market as well.
As archaic as HIPAA is, the tools that we have today to obfuscate PHI (e.g. tokenization) respect the individual's privacy. The major cloud infrastructure providers are all HITRUST certified and ready to sign BAAs to keep everyone accountable.
I think we're in a good place right now for innovation with healthcare data. Multi-modal (think genome + claims + social determinants of health) are starting to become a thing. As a population, we'll benefit from more targeted therapies.
Technology is catching up with the swaths of data that has been amassed since the 2000's. I hope for more innovation vs. shackling it with uninformed regulation.
I am also opposed to this kind of petition on the grounds that it inhibits standardization of file formats. I work at a startup and we work with medical records from a number of different hospitals. So much code is dedicated to just dealing with the spaghetti.
A major roadblock for our startup is getting medical information integrated into our system. It's difficult to compete with the IBMs and Epics of the world when we don't have a million developer hours to dedicate to writing plugins for every vendor. It's not just us struggling with crappy data management - it confuses hospital staff, too. Our customers are frustrated when we tell them things like "you gave us <XYZ obscure file type> which doesn't contain the information we need; do you have <ABC obscure file type> instead?". MRI scans (DICOMs) are particularly gnarly.
Even the IBMs and Epics of the world struggle to not make crappy software. How do you present a relevant medical record to a doctor at the exact right time they need it? There is so much data to sift through that medical information frequently slips through the cracks when patients transfer hospitals or their hospital merges with another.
If there isn't a standard way to query an electronic health record then companies are incentivized to just throw data at an LLM to parse it (which is exactly what we're moving towards). Trying to build AI-type solutions will just make these companies even more data-hungry and result in a less reliable solution.
I'm not opposed to continuing to hold startups/big tech accountable for keeping personal health information private and secure.
I think theres a general need to dig more into differential privacy and how data can be effectively anonymized for research purposes if its done right.
Readit News
Ultimately however the worst part of these laws is that they are so harmful to research in the long run. With easy and ready access to medical data we could be decades ahead of where we are today. There are legitimate concerns about health privacy (especially for women in the US) but the upside is just so much larger than the harms. It could be 10x less costly and time consuming to do both epidemiology and longitudinal intervention studies if we only had access to data. We could be directly tackling disease causal factors in ways that researchers today only dream of. It really is tens of thousands of lives lost each year that could have been saved if we could only have moved faster toward interventions.
I believe medical records should be open and laws should address how people use the data, not trying to make something so valuable to all humanity secret from the beginning. For example you can download my genetic code here: https://www.openhumans.org/member/iandanforth/
No, even for longitudinal studies, even with “anonymized” data, the risk is too great for any individual, and to society in general. Ideopathic and non-causal diseases should have some buy-in from patients; a standard waiver might be useful for research use of data. (I’ve signed one.) But in general, no, the restrictions are worth it.
some are illegal - think threating drug overdose
I believe it is a liability for doctors to know a true medical history, and anything not already being treated can be ignored and re-diagnosed later, which of course is an ideal situation for the insurance and the new provider, because you can charge all over again for those diagnostics.
Case in point, I had two EKGs performed on me, one in urgent care and one in the hospital. It was not too long before I was going in for surgery, and a prerequisite was a "12-lead EKG" readout, so naturally the hospital tried to force me to undergo a new one at enormous cost and inconvenience, and I balked, because I already had two perfectly good readouts in hand. They eventually relented, but it was incredibly difficult for them to admit that the test results were valid and acceptable, and this is all part of the scam, to charge as many times as possible for anything that wasn't performed here and now by us.
Likewise with psychiatry and therapists; I've been through multiple clinics and dozens of counselors, and of course each one produces a mountain of case notes. So I always offer and suggest that I sign a release and have all the prior case notes transferred over so that they get to know me better. The answer is always "no". They want to know nothing beyond what is in the intake forms, that they will spend 5 minutes reading. Then we will start my therapy over from Square One with a stranger and I get to recount all my feelings and life experiences over and over and over again, on my dime.
Nevertheless, it is still of the utmost importance that you continually sign authorizations for release and that you requisition all available records from all your providers. Authorize all providers to release information to your friends and family. They will hang up the phone if there is no release on file. Renew those authorizations on time, every time; your provider will not remind you. Release all records to yourself on a regular basis, especially after a hospitalization or major incident. You will want good records, just for your own examination, and also if there is ever a dispute or litigation about something, your attorney will appreciate those records too.
Dead Comment
Very many things doctors need to be aware of, because the patients life depends on it, are left out when patients move between specialists and physicians, which happens all of the time.
Outbreaks of viral and bacterial illnesses result in thousands of people independently chasing diagnoses and treatment, because the system doesn't share information that could be used to piece together and get ahead of it. Every time my kid gets sick at school, I get to play a game of "What is it? Do we see a Doctor? How much money should we spend?". Lets pretend we know nothing about this and go see a Doctor who hasn't seen anyone else in school, who may provide antibiotics they may or may not need or worse.
Effective prevention methods and early detection of bad treatment are discarded because its so difficult to investigate and connect the dots between interventions and outcomes.
Patient privacy is important, but the system we have today is nothing less than a tragedy. Real damage in emotional, physical, and economic is happening on a grand scale every day in this country. We shouldn't pretend HIPPA is a good thing, or the current system is doing a good job. Its not. We need to radically transform how we operate, and much more open and connected medical records is certainly a part of that transformation.
America needs to be a radically different place for me to be okay with what you want.
In fact a surefire guarantee essentially doesn't exist. But what exactly are you afraid of? How does someone weaponize your information? Everyone in my life already knows about my health conditions, i speak openly about them in my personal life, my business life and online there have been zero consequences to this.
Or more importantly, the harms are to me, and the upsides are to you, so who cares?
An actual written request for consent from a research institution, telling me exactly what data they intend to access, how they will access it, how many people will have access, for how long, and what they will do with the data / results after they are done. One that I can at my option sign and send back, or trash.
I'd in all likelihood say yes! But as a patient, I deserve the right to say yes or no. "Lives might be lost" is simply not justification for obtaining it.
This doesn't seem that unreasonable to me. It balances the need for research with the patient's need for privacy.
"Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions."[1]
That's what's on the HHS website, and that's a mild example of what was happening prior to HIPAA. Health information was being used to out gays and HIV patients, discover people's race, bypass due process, stalk women, etc. With data being weaponized against individuals more and more, we have good reason to believe that this would be worse in 2023 if these laws didn't exist, not better.
Yes, I'm aware of the burden that this puts on medical research. Behaving ethically is hard sometimes--get over it. You don't get a free pass to use people's private data without their consent. You might claim that you're only going to use that data for good, but the fact that you think bypassing people's basic human rights is acceptable shows that you don't have a working moral compass. You can't be trusted to only use people's data for good.
The fact that you wrote three paragraphs on this topic and didn't even mention the rights of the patient shows me I don't want you to have access to my medical data, let alone having authority to make decisions about who else can see my medical data. You're not a person who will make that decision ethically and responsibly.
[1] https://www.hhs.gov/hipaa/for-professionals/faq/188/why-is-t...
That's just bullshit.
Also, given the state of medical research methodology, you could just as well argue that it would yield even more unreliable studies, each adding confusion to our knowledge.
Let's say that each research study spends 10% of its time on recruitment and another 5-10% of its time on compliance. (Real numbers can be much higher).
Open medical data would reduce both these efforts, so every study, regardless of quality now goes more quickly and/or is less expensive. This is the primary benefit.
Now you're pointing out that extremely open data can lead to rapid and perhaps erroneous analysis. This is true, but it would also lead to rapid and accurate analysis. My point is that everything speeds up and compliance regulations around data handling are far less impactful on study quality than are protocols around experiment design.
Please trust the opinions of people who have tried to do this work. There are many people trying to advance medical research in good faith who can attest to the insane inefficiencies of working with medical data.
I believe exactly that about not medical records but medical procedures. If the doctors force me to share my medical records with the world of spammers and scammers I would rather choose to be a doctor for myself. But I see a little bit of problem when medical books are hard to download and medical drugs are very expensive because of so-called intellectual property. Medical industry relies too much on just obeying to all the doctor tells to do, blindly and brainlessly.
Do you really believe that my medical records bond to my personal data are more important knowledge to society than how to do drugs which can save anybody?
That is the point. It is supposed to be burdensome. It is supposed to be difficult and cumbersome to do anything with anybody's medical data.
I don't want to dismiss your comment entirely, because I understand the frustration around the good that the data could do but in the wrong hands it could be truly disasterous. I do not want Meta or Google anywhere near my medical data (and they're already pretty close in a lot of ways). I do not want my medical information used to enrich shareholders and that is the first thing that will happen; not improved research.
It should be easier for people to opt-in to sharing their medical data with a wide range of organisations if they choose but right now they never get a choice. It's either "we're making a law so we can give this data away" or not.
> the upside is just so much larger than the harms
I also don't agree with this as a blanket statement. For many people, including women in the US as you pointed out (amongst many other groups), the harms are criminalisation and imprisonment. The harm here, for the individual, far outweighs any potential benefit.
This seems like a good compromise moving forward. Add a section on whatever HIPAA forms you already need to sign that gives you the chance to opt in to use of anonymized data for medical research purposes.
I think for this to work, the law would need to clearly define how records must be anonymized, and provide penalties both for poor anonymization and for not clearly communicating to patients that this sharing is optional.
Thier corporate records are none of your business
if we are gonna have no privacy, it should go both ways - companies lose privacy too
You are saying that you'd like to take my personal data and make money from it without compensating me. My records are mine and they are private and it should stay this way.
I then went through the process of applying for disability insurance and dealt with the quagmire of them wanting access to all of my mental health records. Not a summary of my mental health diagnoses, but ALL of the individual progress notes. I refused them having those records and ended up having to waive any disability coverage due to mental health issues I was facing. That type of data I just didn't trust this insurance company to keep the data safe, especially as the paperwork stated they would share the data with all of their affiliates and partners with no recourse on my part to restrict what was shared. At that point, I realized that there are VERY good reasons why we don't just allow all of our medical data to be open.
And the people could be in big trouble because this data was stolen or is used against them.
On top of that it isn't even guaranteed that we were decades ahead.
Many of the big data promises didn't work out. Remember IBM's Watson?
>but the upside is just so much larger than the harms.
How do you know?
> With easy and ready access to medical data we could be decades ahead
So make it ! On premises. Pay for helping in that. Do not pay for storage and cpu in clouds ! And don't be naive about what good and progress "they" can bring to medicine. They will promise then stall as much as possible and you will be paying for not deleting your precious data. Or accessing your own data :> And watching like your data are published and sold on black markets...
Europe gets to use their free and open medical data freely for research. The US gatekeeps that information. It's a huge competitive advantage for Europe.
Sometimes people blame HIPAA for all sorts of random stuff which has no connection to the actual law.
It's clear which takes priority over the other.
https://www.hhs.gov/hipaa/for-professionals/privacy/special-...
You misspelled "villain" there. If that were to happen, I'd 100% be calling for them to spend as much time in prison as possible.
Without the privacy, the world would be a different place and the people in power in that world would have no interest in advancing anything that doesn't directly give themselves more power. There would be no well funded scientist outside of the military.
Other people's medical records, you mean?
Big Tech is not a thing, just like big-sensors was not a thing. Electric sensing became a thing in the 1900s, and the medical community benefitted from the machines built because of them. Tech is similarly a tool that has become available to all fields over the last 30 years. By treating big-tech as a bogeyman, we end up anthropomorphizing an inanimate marker of of progress in our time. It's Scientific cartelized Amish-ness.
My controversial & intentionally provocative opinion for a while has been : "Doctors are evil". The more I read about it, the more I feel like there is an ounce of truth there.
They don't even say how to opt-out.
I think it doesn't really matter in what form the government appears. It's still the government and so its rules apply.
If it's a "limited company", that means it's liability is limited to shareholder capital. It's going to have to have an awful lot of capital if it's going to be able to compensate the entire population for mishandling their data.
Also, if it's a limited company, then the shareholders can sell their shares; the company can change hands, often to owners in a different jurisdiction.
A limited company is not an arm of the government, and I can't hold a limited company accountable in the same way I can the government; especially if my personal data has left the jurisdiction.
This is apparently the German equivalent to an LLC.
Pretty sure you misunderstood what "limited liability" means. Pretty much all organizations today have the same legal status: https://en.m.wikipedia.org/wiki/Limited_liability
Thats exactly the issue
More-so than anything else, the focus should be on preventing pre-existing conditions from being able to affect individuals negatively than adding hoops for the individual to access their own gated personal records (Moving between hospital systems today can be an absolute nightmare in the states).
NHS England has been trying repeatedly to make huge amounts of NHS data available to various kinds of commercial "partners". It started with supplying the Society Of Actuaries with the records of a million patients. For £3,000! Actuaries, of course, are primarily employed by insurance companies - not the kind of people I want having access to my medical data.
We were given the chance to opt out; you had to get and complete the official form from your GP, and go to the clinic and hand it in. But it turned out that only covered your GP's records; hospital records were subject to a different opt-out. You had to ask for a form from your local Health Trust, complete that, and mail it in. None of this was electronic or online.
Then there was a new plan, all your old opt-outs were obsoleted, and you had to go through the whole rigmarole again.
The UK has the finest collection of medical data in the world; a population of 70 million, and a consolidated health service dating back 80 years. No other country has this. I have no problem with that data being used by the NHS to improve existing treatments and develop new treatments. But handing it over for peanuts to J. Arthur Random really isn't on.
There are evidently civil servants in NHS England who are fanatical about sharing NHS data for commercial profit, even if that profit doesn't accrue to the NHS.
> Pseudonymisation and anonymisation are not enough: health data is so specific that re-identification can be trivial. Often a person’s social media or financial history, both widely available on today’s data markets, is sufficient to identify medical events that can easily lead to reidentifying supposedly pseudonymised or even anonymised datasets.
I agree with the sibling comment that we need more open data if (iff?) we want to increase the pace of medical research. But it seems to be a tough cookie to crack.
As archaic as HIPAA is, the tools that we have today to obfuscate PHI (e.g. tokenization) respect the individual's privacy. The major cloud infrastructure providers are all HITRUST certified and ready to sign BAAs to keep everyone accountable.
I think we're in a good place right now for innovation with healthcare data. Multi-modal (think genome + claims + social determinants of health) are starting to become a thing. As a population, we'll benefit from more targeted therapies.
Technology is catching up with the swaths of data that has been amassed since the 2000's. I hope for more innovation vs. shackling it with uninformed regulation.
A major roadblock for our startup is getting medical information integrated into our system. It's difficult to compete with the IBMs and Epics of the world when we don't have a million developer hours to dedicate to writing plugins for every vendor. It's not just us struggling with crappy data management - it confuses hospital staff, too. Our customers are frustrated when we tell them things like "you gave us <XYZ obscure file type> which doesn't contain the information we need; do you have <ABC obscure file type> instead?". MRI scans (DICOMs) are particularly gnarly.
Even the IBMs and Epics of the world struggle to not make crappy software. How do you present a relevant medical record to a doctor at the exact right time they need it? There is so much data to sift through that medical information frequently slips through the cracks when patients transfer hospitals or their hospital merges with another.
If there isn't a standard way to query an electronic health record then companies are incentivized to just throw data at an LLM to parse it (which is exactly what we're moving towards). Trying to build AI-type solutions will just make these companies even more data-hungry and result in a less reliable solution.
I'm not opposed to continuing to hold startups/big tech accountable for keeping personal health information private and secure.
https://towardsdatascience.com/understanding-differential-pr...