Privacy advocates continue to push for better support of Privacy. The goal is to have easy and implementable systems that enable a Patient to control where, when, and to whom their data is accessible. When the data are all considered equal in the eyes of Privacy, they can all be covered by simple rules of "Permit all access...", or "Deny all access..."
This would result in a much more simple world of yes or no. Or at least the consent rules would be more focused on the where, when, and to whom.
Note that we must start with the stepping stone of this more simple set of rules. It is not an end goal, but it is an important stepping stone. It enables data use for those without sensitive topics, while it does force those that have sensitive topics to either permit access and take on the ramifications, or deny access and take on the ramifications of data not being available. This is unacceptable, hence why it is not a goal.
Healthcare is not simple. I am not going to say that other domains are simple, because many other domains are similarly complex (military, social, politics ...). So the next concepts are not all that special in healthcare.
Healthcare data contain some topics that have various sensitivities. Exposing these sensitivities to the wrong organization or person might damage the Patient. This damage might be social stigma. This damage might be financial (denied life insurance). This damage might manifest in physical violence.
Some data are themselves sensitive: Lab results showing positive tests for sexually transmitted disease, Genetic results showing higher likelihood for a hard to treat condition, Diagnosis of substance abuse.
Some episodes of care indicate sensitive topics even when there is no data recorded: Patient received psychotherapy treatment, patient was treated for substance abuse.
Some data are only sensitive in specific context. Best example is that Sickle Cell diagnosis has historically been used to exclude people from serving in the military. That is to say that volunteers that really wanted to serve in the military would be denied if they had a Sickle Cell diagnosis. I understand this is no longer the case. But you can understand how a medical diagnosis could limit what you are allowed to do.
Some data might be marked as less sensitive so that it can be made more widely available. An example might be a document specifically assembled as an "Emergency Data set", a critical set of data with minimal facts useful in an emergency. Similar to a medical alert bracelet that announces to all that you are highly diabetic, this data would be anonymously accessible. The point of a medical alert bracelet is to address only the emergency portion of treatment, where stabilization of the emergency is the goal, where doing the wrong thing could make things worse. I expect most Emergency Data Set data are printed on a card carried on the patient, or available at a service the patient designates. But I bring up "less sensitive" as just as legitimate use of DS4P as more sensitive topics.
Healthcare data tends to be scientific facts. The sensitivity of that fact may not be obvious or a one-to-one relationship. That is to say that a medically trained individual can look at three seemingly unrelated facts and draw a conclusion that is a new fact derived from those three. This was the case often in HIV, where the diagnosis of HIV was not recorded, but where some lab results combined with some specific prescription drugs would be clear to a medically trained individual that the patient was HIV positive. None of the facts alone was a strong indicator of HIV positive status, only the combination.
Sensitivities change over time. A specific lab result might not be considered sensitive, but months later medical knowledge realizes that kind of a lab result is an indication of a medical condition that is considered sensitive. Thus what was originally a normal lab result, should now be treated as a sensitive health condition. It can also happen that a sensitive result may become less sensitive, although I expect this to be rare.
How data are tagged with specific kinds of sensitivity labels is the topic of my next article...
So, this is why the health database can't be simply treated as a "Permit all access..." or "Deny all access.." It is important that any organization that has health data must start with gross Permit and Deny capability. Which is what we have been stressing for the last 10 years. DS4P is indicating the next step beyond that yes/no level of consent, to a more conditional level of consent.
The goal of DS4P is to enable privacy policies to have different Permit/Deny rules for these lesser or more sensitive health topics. Thus "Data Segmentation" is the concept of being able to differentiate one kind of sensitive health data from another kind of health data, segmenting one from the other. With the goal that the variously segmented data can have different Privacy rules applied.
Break-Glass is one example where sensitive health topics might be blocked, but available if the medical professional has determined they are in a treatment situation and have medical safety reasons to override the blocking rules.
This would result in a much more simple world of yes or no. Or at least the consent rules would be more focused on the where, when, and to whom.
Note that we must start with the stepping stone of this more simple set of rules. It is not an end goal, but it is an important stepping stone. It enables data use for those without sensitive topics, while it does force those that have sensitive topics to either permit access and take on the ramifications, or deny access and take on the ramifications of data not being available. This is unacceptable, hence why it is not a goal.
Sensitive health topics
Healthcare data contain some topics that have various sensitivities. Exposing these sensitivities to the wrong organization or person might damage the Patient. This damage might be social stigma. This damage might be financial (denied life insurance). This damage might manifest in physical violence.
Some data are themselves sensitive: Lab results showing positive tests for sexually transmitted disease, Genetic results showing higher likelihood for a hard to treat condition, Diagnosis of substance abuse.
Some episodes of care indicate sensitive topics even when there is no data recorded: Patient received psychotherapy treatment, patient was treated for substance abuse.
Some data are only sensitive in specific context. Best example is that Sickle Cell diagnosis has historically been used to exclude people from serving in the military. That is to say that volunteers that really wanted to serve in the military would be denied if they had a Sickle Cell diagnosis. I understand this is no longer the case. But you can understand how a medical diagnosis could limit what you are allowed to do.
Some data might be marked as less sensitive so that it can be made more widely available. An example might be a document specifically assembled as an "Emergency Data set", a critical set of data with minimal facts useful in an emergency. Similar to a medical alert bracelet that announces to all that you are highly diabetic, this data would be anonymously accessible. The point of a medical alert bracelet is to address only the emergency portion of treatment, where stabilization of the emergency is the goal, where doing the wrong thing could make things worse. I expect most Emergency Data Set data are printed on a card carried on the patient, or available at a service the patient designates. But I bring up "less sensitive" as just as legitimate use of DS4P as more sensitive topics.
Sensitivities are hard
Healthcare data tends to be scientific facts. The sensitivity of that fact may not be obvious or a one-to-one relationship. That is to say that a medically trained individual can look at three seemingly unrelated facts and draw a conclusion that is a new fact derived from those three. This was the case often in HIV, where the diagnosis of HIV was not recorded, but where some lab results combined with some specific prescription drugs would be clear to a medically trained individual that the patient was HIV positive. None of the facts alone was a strong indicator of HIV positive status, only the combination.
Sensitivities change over time. A specific lab result might not be considered sensitive, but months later medical knowledge realizes that kind of a lab result is an indication of a medical condition that is considered sensitive. Thus what was originally a normal lab result, should now be treated as a sensitive health condition. It can also happen that a sensitive result may become less sensitive, although I expect this to be rare.
How data are tagged with specific kinds of sensitivity labels is the topic of my next article...
Conclusion
So, this is why the health database can't be simply treated as a "Permit all access..." or "Deny all access.." It is important that any organization that has health data must start with gross Permit and Deny capability. Which is what we have been stressing for the last 10 years. DS4P is indicating the next step beyond that yes/no level of consent, to a more conditional level of consent.
The goal of DS4P is to enable privacy policies to have different Permit/Deny rules for these lesser or more sensitive health topics. Thus "Data Segmentation" is the concept of being able to differentiate one kind of sensitive health data from another kind of health data, segmenting one from the other. With the goal that the variously segmented data can have different Privacy rules applied.
Break-Glass is one example where sensitive health topics might be blocked, but available if the medical professional has determined they are in a treatment situation and have medical safety reasons to override the blocking rules.
Alternatives:
Some would indicate that if the patient is the only one communicating their data, then the patient can choose what data gets exposed. This is not wrong, but is not complete. There are data flows that are not supported by patient mediated exchange. But even in these cases the Patient might need help deciding which of their data is an indicator of a sensitive health topic.See my other articles on Privacy
- Modes of patient centric communication
- Basics of Healthcare Data access rights in USA
- Privacy and Security Considerations for the use of Open APIs for Patient Directed Exchange
- GDPR on FHIR
- IHE Perspective on EU GDPR
- Privacy is not dead, but does need reinforcement
- Patient Centered HIE
- Apple should have a HEART
- HIE Future is Bright - stepping into 2018
- Remedial FHIR Consent Enforcement
- #FHIR and Bulk De-Identification
- Consent to deny Sharing for Treatment and Emergency Break-Glass
- Stop using OPT-IN and OPT-OUT
- Enabling Point-Of-Care Consent
- Basic Consent - a necessary first step
- Consent Process
- How to set the ConfidentialityCode
- Privacy Principles
- etc...
This comment has been removed by a blog administrator.
ReplyDelete