Whenever discussions about electronic health records (EHRs) come up, HIPAA (the Health Insurance Portability and Accountability Act) is often trotted out as the be-all and end-all for addressing privacy concerns.

“Our software is HIPAA compliant,” answers the industry spokesperson, as if the essential question everyone is asking is “Are you HIPAA compliant?”

It’s not.

The essential question is this:

“When I go to my doctor for an ear infection/cold/UTI/yeast infection/rash/depression… outside of that doctor, what people and entities have access to data from that visit—both inside and outside the healthcare organization—and for how long?”

I think you will find this question will not be answered, partly because it isn’t really known, but mostly because it is a Pandora’s Box health organizations don’t want to open.

And what questions are in this box?

Ethical questions such as:

  • To what extent is it necessary to get informed consent on sharing your de-identified data with third-party vendors?
  • Who are these third-party vendors?
  • Do the insights gained from these vendors help you as an individual, or are you being used as a means to an end to help others?
  • Can I still be seen by a doctor if I don’t agree to this third-party review of my data?
  • For how long will my data be available to be shared?

In other words, healthcare organizations don’t want to answer the what, when, where, why, how, and how long questions about your visit data set, because it will become apparent that your data set—your representation of you as a data set—is possibly more important to them as data-gatherers than you are.