[ Tuesday, April 20, 2021 ]
Chapter 2: The Dynamic Tension Between Privacy and Good
Healthcare.
Everyone knows that healthcare information deserves
privacy. That’s not a new idea: the
Hippocratic Oath contains a specific provision to “not repeat” and “keep sacred
and secret” whatever a physician learns about his patients. In fact, there was a fair amount of
questioning and pushback from participants in the healthcare industry
reflecting the initial push for HIPAA: “we already practice pretty good
privacy, why do we have to do this?”
That does beg the question a bit. Even if the vast majority of healthcare
industry participants are very good in their privacy practices, there are still
some that aren’t, and rules are necessary.
Most of the existing rules also impact specific roles, persons, or entities:
doctors, nurses, and other licensed professionals usually have either a code of
ethics or a statutory requirement to maintain privacy and confidentiality;
likewise, hospitals and other licensed facilities usually are subject to
specific legal privacy requirements as a part of their licensing or
accreditation process. So the industry
isn’t stingy with privacy by nature, but because it’s legally demanded.
Additionally, the industry was definitely in flux in the
late 20th Century (and still is today; isn’t it always?), and there
were many more industry participants entering the healthcare ecosphere, many without
specific privacy rules applicable to them.
Data processors don’t generally have privacy laws applicable to them,
nor do billing companies or other vendors.
Plus, having a national standard for the entire industry is a pretty
compelling argument; why should the citizens of Arkansas have a different
privacy standard than the citizens of Wyoming?
(There are more reasons than this, but I’ll dig into them a
little more deeply in Chapters 3 and 4.)
But that’s not exactly the point I’d like to make here. What I want to point out here is that all
things taken to an extreme can be bad, and that includes privacy. Can you have too much privacy? Yes, in fact, you can.
Sometimes, too much privacy is just a big
inconvenience. Here’s an experiment for
you: set all the privacy settings on your web browser to the most extreme
level: no cookies, no popups, no location sharing, etc. You’ll find that you have to enter
information every time you access a site.
You might lose your browsing history.
It becomes very annoying to look for sites you’ve recently seen and
either have to enter a password or take some other step to get in. That’s just an example.
But there’s a specific issue with medical privacy: if you
want perfect medical privacy, then nobody should know any of your medical
information. Your high blood pressure
reading is your own private information, and nobody should know it. Not even your doctor. Wait, how can your doctor treat you if he
doesn’t have your information?
That’s the issue: the most extreme level of privacy would
not just prevent your medical information from being used in ways you don’t
want, it would also prevent it from being used in ways you DO want. In other words, perfect privacy would
eliminate your receipt of any healthcare services, other than what you can do
yourself. If you’re the only one who
knows you have high blood pressure, then you’re the only one who can treat
it. Good luck with that.
On the other hand, if you want the absolute best healthcare,
then EVERYONE should know your medical information: crowdsource your cure. Much medical research, and many medical
advancements, have occurred due to the amalgamation of enough information to
identify patterns, form a hypothesis, test it, and determine the cause of a
disease and its cure. Google “Broad
Street Pump,” and read the story of how Dr. John Snow used a dot map to prove
that a particular pump was the source of water that spread cholera through SoHo
in London. The fact that those
individuals had died of cholera was PHI, but because Dr. Snow had access to it,
he saved many more.
In that vein, there’s probably someone out there in the world
with your exact condition; in a realm of zero privacy, you could find out what
that person was doing (and vice versa), and each of you would benefit from
better healthcare.
In other words, perfect medical record privacy would
virtually eliminate healthcare, while a perfect lack of privacy would
dramatically improve healthcare. Perfect
healthcare and perfect privacy are in an oppositional tension. Or, expressed as a continuum:
Perfect Healthcare <------------------------> Perfect Privacy
Why does this matter?
If HIPAA’s privacy protections go so far as to impede good healthcare,
the result is not worth it. Instead,
HIPAA’s privacy protections must be balanced against the fact that the
healthcare universe needs your private information to work.
Does HIPAA achieve this balance? I think it does a pretty good job. It’s not perfect, and never will be: the
balance is always shifting as circumstances change. But structurally, at its core (as I’ll discuss
more in the next 3 chapters), with its built-in reasonableness and scalability
requirements, HIPAA is built to do just this.
Jeff [1:22 PM]