HIPAA Blog

[ Tuesday, April 20, 2021 ]

 

 

Chapter 2: The Dynamic Tension Between Privacy and Good Healthcare.

 Everyone knows that healthcare information deserves privacy.  That’s not a new idea: the Hippocratic Oath contains a specific provision to “not repeat” and “keep sacred and secret” whatever a physician learns about his patients.  In fact, there was a fair amount of questioning and pushback from participants in the healthcare industry reflecting the initial push for HIPAA: “we already practice pretty good privacy, why do we have to do this?”

 That does beg the question a bit.  Even if the vast majority of healthcare industry participants are very good in their privacy practices, there are still some that aren’t, and rules are necessary.  Most of the existing rules also impact specific roles, persons, or entities: doctors, nurses, and other licensed professionals usually have either a code of ethics or a statutory requirement to maintain privacy and confidentiality; likewise, hospitals and other licensed facilities usually are subject to specific legal privacy requirements as a part of their licensing or accreditation process.  So the industry isn’t stingy with privacy by nature, but because it’s legally demanded.

 Additionally, the industry was definitely in flux in the late 20th Century (and still is today; isn’t it always?), and there were many more industry participants entering the healthcare ecosphere, many without specific privacy rules applicable to them.  Data processors don’t generally have privacy laws applicable to them, nor do billing companies or other vendors.  Plus, having a national standard for the entire industry is a pretty compelling argument; why should the citizens of Arkansas have a different privacy standard than the citizens of Wyoming?

 (There are more reasons than this, but I’ll dig into them a little more deeply in Chapters 3 and 4.)

 But that’s not exactly the point I’d like to make here.  What I want to point out here is that all things taken to an extreme can be bad, and that includes privacy.  Can you have too much privacy?  Yes, in fact, you can. 

 Sometimes, too much privacy is just a big inconvenience.  Here’s an experiment for you: set all the privacy settings on your web browser to the most extreme level: no cookies, no popups, no location sharing, etc.  You’ll find that you have to enter information every time you access a site.  You might lose your browsing history.  It becomes very annoying to look for sites you’ve recently seen and either have to enter a password or take some other step to get in.  That’s just an example.

 But there’s a specific issue with medical privacy: if you want perfect medical privacy, then nobody should know any of your medical information.  Your high blood pressure reading is your own private information, and nobody should know it.  Not even your doctor.  Wait, how can your doctor treat you if he doesn’t have your information? 

 That’s the issue: the most extreme level of privacy would not just prevent your medical information from being used in ways you don’t want, it would also prevent it from being used in ways you DO want.  In other words, perfect privacy would eliminate your receipt of any healthcare services, other than what you can do yourself.  If you’re the only one who knows you have high blood pressure, then you’re the only one who can treat it.  Good luck with that. 

 On the other hand, if you want the absolute best healthcare, then EVERYONE should know your medical information: crowdsource your cure.  Much medical research, and many medical advancements, have occurred due to the amalgamation of enough information to identify patterns, form a hypothesis, test it, and determine the cause of a disease and its cure.  Google “Broad Street Pump,” and read the story of how Dr. John Snow used a dot map to prove that a particular pump was the source of water that spread cholera through Soho in London.  The fact that those individuals had died of cholera was PHI, but because Dr. Snow had access to it, he saved many more.

 In that vein, there’s probably someone out there in the world with your exact condition; in a realm of zero privacy, you could find out what that person was doing (and vice versa), and each of you would benefit from better healthcare. 

 In other words, perfect medical record privacy would virtually eliminate healthcare, while a perfect lack of privacy would dramatically improve healthcare.  Perfect healthcare and perfect privacy are in an oppositional tension.  Or, expressed as a continuum:

Perfect Healthcare   ←------------------------→ Perfect Privacy

 Why does this matter?  If HIPAA’s privacy protections go so far as to impede good healthcare, the result is not worth it.  Instead, HIPAA’s privacy protections must be balanced against the fact that the healthcare universe needs your private information to work. 

 Does HIPAA achieve this balance?  I think it does a pretty good job.  It’s not perfect, and never will be: the balance is always shifting as circumstances change.  But structurally, at its core (as I’ll discuss more in the next 3 chapters), with its built-in reasonableness and scalability requirements, HIPAA is built to do just this. 


Jeff [1:22 PM]
