MediaNama attended a round-table discussion held on April 27th by SFLC.in on policy enabling Information Technology in healthcare. The round-table aimed to discuss questions around current and future regulation, the effect of government policy, and the technical aspects of providing healthcare using IT. Below are the main points made during the discussion. Quotes are paraphrased, not verbatim, and are unattributed since the discussion was held under the Chatham House Rule.
Treatment of personal health identifiers
- Personal health identifier: Anything that makes a person identifiable and pinpoints who the person is can be their Personal Health Identifier; this includes name, gender and house number. I am suspicious of how much anonymized data is actually anonymous. Hospitals today take blanket consent without the patient having a specific understanding of what his/her consent means. What consent is taken if you have an Apple Watch which is collecting your real-time ECG data? We need to ask whether consent for the use and collection of that data is taken, especially considering that it isn’t patient data but simply consumer data.
- There are 18 PHIs under the US federal law, the Health Insurance Portability and Accountability Act, 1996 (HIPAA), including credit card number, phone number, social security number and registration card. Anything that identifies me – including date-of-birth, or date-of-birth associated with another ID – is a PHI, which then needs to be de-identified. In India, this would include the Aadhaar number.
- Personal Health Identifier needs to be anonymised or masked; and consent is required for transferring this data between parties. For example, if I’m looking at an American’s data sitting in India, the data will have to be anonymised or masked.
Anonymization of Health Data
- The DISHA bill lays down a legal framework for exchange of medical information and records, and talks about a National Health Authority to do this. It says that the government can get access only to anonymized data.
- Under current US laws, you can send health data to people who are authorized to view the data and who are on the staff of the hospital, and it can be sent across the globe. But when you send data belonging to certain categories of US citizens or certain entities, the doctor who is accessing the data has to be on US soil. Today it’s very easy to carry out on-the-fly anonymization and de-anonymization. There are countries which require that the data be completely anonymized before it leaves the soil of that country: it comes to India, gets read, goes back into that server in the origin country, gets de-anonymized, and reaches the patient there.
- Personally identifiable data may or may not be required for study or for data analytics purposes. What’s required is the health indicators of the individual, then the demographics, after which the data can be analyzed to see trends, which may say there is so-and-so deficiency in this particular area. A PHI is exclusive to a person and has to be anonymized, but in India I’m not sure how much this actually happens.
- Absolute anonymization may not be feasible or serve everybody’s purpose. For instance, if a doctor needs to see the medical records of a patient for the last three years, the hospital may not have stored the data in a format which is easily anonymizable. It might just be a PDF file lying somewhere, in which case the idea of anonymization is pointless.
- Anonymization is the safeguard because of which we are supposed to trust the system. There have been positions taken that the patient’s consent isn’t required if the data is anonymized. The building blocks of anonymization were built on this. Why are we belittling the concept of consent? I may want to tell people around me about my disease, but that doesn’t mean that someone sitting across the globe can use my data for purposes I did not think of when I gave consent. Under current laws, even if I consent to donate my organs, my kith and kin can decide after my death not to give them, and their decision will prevail.
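The points above about masking direct identifiers, and the doubt over how anonymous "anonymized" data really is, can be made concrete with a small de-identification check. This is an added example, not code from the round-table, MediaNama or any of the laws discussed: it strips the identifiers the speakers named (name, house number, phone, Aadhaar number, date of birth), keeps the health indicator, and then measures how many records remain unique on demographics alone. The field names, the salt and the sample records are constructed for illustration.

```python
"""Mask direct identifiers, then test whether demographics still single people out."""
from collections import Counter
import hashlib

# Direct identifiers named in the discussion; health indicators are kept.
DIRECT_IDENTIFIERS = ("name", "house_number", "phone", "aadhaar", "dob")
# Demographics that, combined, can re-identify a person (quasi-identifiers).
QUASI_IDENTIFIERS = ("gender", "birth_year", "pincode")

# Constructed sample records (hypothetical patients, not real data).
SAMPLE = [
    {"name": "A. Sharma", "house_number": "12", "phone": "9800000001",
     "aadhaar": "000000000001", "dob": "1984-03-02", "gender": "F",
     "pincode": "560001", "hba1c": 7.9},
    {"name": "B. Rao", "house_number": "7", "phone": "9800000002",
     "aadhaar": "000000000002", "dob": "1984-11-20", "gender": "F",
     "pincode": "560001", "hba1c": 5.4},
    {"name": "C. Khan", "house_number": "3", "phone": "9800000003",
     "aadhaar": "000000000003", "dob": "1951-07-07", "gender": "M",
     "pincode": "560001", "hba1c": 9.1},
]


def pseudonym(value: str, salt: bytes) -> str:
    """Keyed token so one patient's records still link up without exposing
    the identifier. The salt must never be released with the data."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:12]


def deidentify(record: dict, salt: bytes) -> dict:
    """Drop direct identifiers, pseudonymise the Aadhaar number and coarsen
    the date of birth to a year of birth. The input is not modified."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_token"] = pseudonym(record["aadhaar"], salt)
    out["birth_year"] = int(record["dob"][:4])
    return out


def _groups(records, quasi):
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest number of records sharing one combination of quasi-identifiers.
    k == 1 means at least one person is unique on demographics alone."""
    return min(_groups(records, quasi).values())


def unique_records(records, quasi=QUASI_IDENTIFIERS) -> list:
    """Records that are still re-identifiable after masking (their group has k == 1)."""
    groups = _groups(records, quasi)
    return [r for r in records if groups[tuple(r[q] for q in quasi)] == 1]
```

On the constructed sample the two 1984-born women share a group, but the 1951-born man is unique, so the release has k = 1 and would need further generalisation (for example year of birth to decade) before it could be called anonymous.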