Patient Privacy in the Era of Big Data

Abstract

Privacy was defined as a fundamental human right in the Universal Declaration of Human Rights at the 1948 United Nations General Assembly. However, there is still no consensus on what constitutes privacy. In this review, we look at the evolution of privacy as a concept from the era of Hippocrates to the era of social media and big data. To appreciate the modern measures of patient privacy protection and correctly interpret the current regulatory framework in the United States, we need to analyze and understand the concepts of individually identifiable information, individually identifiable health information, protected health information, and de-identification. The Privacy Rule of the Health Insurance Portability and Accountability Act defines the regulatory framework and casts a balance between protective measures and access to health information for secondary (scientific) use. The rule defines the conditions when health information is protected by law and how protected health information can be de-identified for secondary use. With the advents of artificial intelligence and computational linguistics, computational text de-identification algorithms produce de-identified results nearly as well as those produced by human experts, but much faster, more consistently and basically for free. Modern clinical text de-identification systems now pave the road to big data and enable scientists to access de-identified clinical information while firmly protecting patient privacy. However, clinical text de-identification is not a perfect process. In order to maximize the protection of patient privacy and to free clinical and scientific information from the confines of electronic healthcare systems, all stakeholders, including patients, health institutions and institutional review boards, scientists and the scientific communities, as well as regulatory and law enforcement agencies must collaborate closely. On the one hand, public health laws and privacy regulations define rules and responsibilities such as requesting and granting only the amount of health information that is necessary for the scientific study. On the other hand, developers of de-identification systems provide guidelines to use different modes of operations to maximize the effectiveness of their tools and the success of de-identification. Institutions with clinical repositories need to follow these rules and guidelines closely to successfully protect patient privacy. To open the gates of big data to scientific communities, healthcare institutions need to be supported in their deidentification and data sharing efforts by the public, scientific communities, and local, state, and federal legislators and government agencies.

Keywords

• Health Insurance Portability and Accountability Act, medical informatics, confidentiality, data anonymization data sharing, personally identifiable information, privacy

References

1. 1. Hippocrates. Jusjurandum (The Oath). In: Jones WHS, editor. Loeb Classical Library. Reprint: Hippocrates Collected Works I. Hippocrates ed. Cambridge, MA: Harvard University Press; 1868.
2. 2. Higgins GL. The history of confidentiality in medicine: the physicianpatient relationship. Can Fam Physician 1989;35:921-6.
3. 3. Parent WA. Recent work on the concept of privacy. Am Philos Q 1983;20:341-55.
4. 4. Heins M. “The Right to Be Let Alone”: Privacy and Anonymity at the U.S. Supreme Court. Revue Française D’études Américaines 2010:54-72.
5. 5. Coke E. Semayne's case. In: Court of King's Bench, editor. 5 Co Rep 91a, 77 Eng Rep 1941604.
6. 6. U.S. Constitution Amendment IV-search and seizure (1791).
7. 7. Warren SD, Brandeis LD. The right to privacy. Harvard Law Review 1890;4:193-220.
8. 8. Coleman AH. The Patient's Right to Privacy. J Natl Med Assoc 1961;53:207.

9. 9. Al-Fedaghi SS. The "right to be let alone" and private information. In: Chen CS, Filipe J, Seruca I, Cordeiro J, editors. Enterprise Information Systems VII. Dordrecht: Springer Netherlands; 2006. p. 157-66.
10. 10. Yamamoto R. [Management system of personal data protection in the health care field]. Rinsho Byori 2014;62:1129-34.
11. 11. Universal declaration of human rights. United Nations (1948).
12. 12. Thomson JJ. The right to privacy. Philosophy and Public Affairs 1975;4:295-314.
13. 13. Feinberg W. Recent developments in the law of privacy. Columbia Law Review 1948;48:713-31.
14. 14. Veal WR. Torts-right of privacy. Louisiana Law Review 1949;9:17.
15. 15. Thompson IE. The nature of confidentiality. J Med Ethics 1979;5:57-64.
16. 16. Scanlon T. Thomson on privacy. Philosophy and Public Affairs 1975;4:315- 22.
17. 17. Richards NM, Solove DJ. Privacy's Other Path: Recovering the law of confidentiality. Geo L J 2007;96:123-82.
18. 18. Beardsley EL. Privacy: Autonomy and selective disclosure. In: Pennock JR, Chapman JW, editors. Privacy Vol XIII. Atherton Press; 1971:56- 70.
19. 19. Code of medical ethics. American Medical Association (2001).
20. 20. Directorate-General for Research and Innovation. Ethics for researchers, facilitating research excellence in FP7. Luxembourg: European Commission; 2013 (http://ec.europa.eu/research/participants/data/ref/ fp7/89888/ethics-for-researchers_en.pdf).
21. 21. Bernasek A. Should tax bills be public information? The New York Times. 2010 Feb 13;Sect. Your Taxes.
22. 22. Basic HHS policy for protection of human research subjects, 45 C.F.R. Sect. 46.102 (2017).
23. 23. Sebelius K. 45 CFR Parts 160 and 164. Modifications to the HIPAA privacy, security, enforcement, and breach notification rules under the health information technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules; final rule In: Office of the Secretary of the Department of Health and Human Services, editor. Federal Register, Volume 78, No 172013. p. 5566-702.
24. 24. Administrative simplifications: definitions, 42 U.S. Code Sect. 1320d (1996).
25. 25. 45 CFR §160.103 Definitions. [ 65 FR 82798, Dec. 28, 2000, as amended at 67 FR 38019, May 31, 2002; 67 FR 53266, Aug. 14, 2002; 68 FR 8374, Feb. 20, 2003; 71 FR 8424, Feb. 16, 2006; 76 FR 40495, July 8, 2011; 77 FR 1589, Jan. 10, 2012; 78 FR 5687, Jan. 25, 2013]: Department of Health and Human Services; 2013.
26. 26. Family educational and privacy rights, 20 U.S. Code Sect. 1232g (2010).
27. 27. National Institutes of Health. Certificates of confidentiality (CoC) [7/12/2017]. Available from: https://humansubjects.nih.gov/coc/index, https://humansubjects.nih.gov/coc/faqs.
28. 28. Research and investigations generally, 42 U.S. Code Sect. 241 (2016). 29. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-91 (August 21, 1996).
29. 30. Office of Civil Rights. The HIPAA privacy rule 2015. Available from: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
30. 31. 45 CFR §164.502 Uses and disclosures of protected health information: general rules. [65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53267, Aug. 14, 2002; 78 FR 5696, Jan. 25, 2013]: Department of Health and Human Services; 2013.
31. 32. 45 CFR §164.508 Uses and disclosures for which an authorization is required. [67 FR 53268, Aug. 14, 2002, as amended at 78 FR 5699, Jan. 25, 2013]: Department of Health and Human Services; 2013.
32. 33. 45 CFR §164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object. [ 65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53270, Aug. 14, 2002; 78 FR 5699, Jan. 25, 2013]: Department of Health and Human Services; 2013.
33. 34. 45 CFR §164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required. [ 65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53270, Aug. 14, 2002; 78 FR 5699, Jan. 25, 2013; 78 FR 34266, June 7, 2013; 81 FR 395, Jan. 6, 2016]: Department of Health and Human Services; 2016.