Patient Privacy in the Era of Big Data

Year 2018, Volume: 35 Issue: 1, 8 - 17, 01.01.2018

Mehmet Kayaalp

Abstract

Privacy was defined as a fundamental human right in
the Universal Declaration of Human Rights at the 1948
United Nations General Assembly. However, there is still
no consensus on what constitutes privacy. In this review,
we look at the evolution of privacy as a concept from the
era of Hippocrates to the era of social media and big data.
To appreciate the modern measures of patient privacy
protection and correctly interpret the current regulatory
framework in the United States, we need to analyze and
understand the concepts of individually identifiable
information, individually identifiable health information,
protected health information, and de-identification. The
Privacy Rule of the Health Insurance Portability and
Accountability Act defines the regulatory framework and
casts a balance between protective measures and access
to health information for secondary (scientific) use. The
rule defines the conditions when health information is
protected by law and how protected health information
can be de-identified for secondary use. With the advents
of artificial intelligence and computational linguistics,
computational text de-identification algorithms produce
de-identified results nearly as well as those produced by
human experts, but much faster, more consistently and
basically for free. Modern clinical text de-identification
systems now pave the road to big data and enable
scientists to access de-identified clinical information
while firmly protecting patient privacy. However, clinical
text de-identification is not a perfect process. In order to
maximize the protection of patient privacy and to free
clinical and scientific information from the confines
of electronic healthcare systems, all stakeholders,
including patients, health institutions and institutional
review boards, scientists and the scientific communities,
as well as regulatory and law enforcement agencies must
collaborate closely. On the one hand, public health laws
and privacy regulations define rules and responsibilities
such as requesting and granting only the amount of
health information that is necessary for the scientific
study. On the other hand, developers of de-identification
systems provide guidelines to use different modes of
operations to maximize the effectiveness of their tools
and the success of de-identification. Institutions with
clinical repositories need to follow these rules and
guidelines closely to successfully protect patient privacy.
To open the gates of big data to scientific communities,
healthcare institutions need to be supported in their deidentification
and data sharing efforts by the public,
scientific communities, and local, state, and federal
legislators and government agencies.

Keywords

Health Insurance Portability and Accountability Act, medical informatics, confidentiality, data anonymization data sharing, personally identifiable information, privacy

References

• 1. Hippocrates. Jusjurandum (The Oath). In: Jones WHS, editor. Loeb Classical Library. Reprint: Hippocrates Collected Works I. Hippocrates ed. Cambridge, MA: Harvard University Press; 1868.
• 2. Higgins GL. The history of confidentiality in medicine: the physicianpatient relationship. Can Fam Physician 1989;35:921-6.
• 3. Parent WA. Recent work on the concept of privacy. Am Philos Q 1983;20:341-55.
• 4. Heins M. “The Right to Be Let Alone”: Privacy and Anonymity at the U.S. Supreme Court. Revue Française D’études Américaines 2010:54-72.
• 5. Coke E. Semayne's case. In: Court of King's Bench, editor. 5 Co Rep 91a, 77 Eng Rep 1941604.
• 6. U.S. Constitution Amendment IV-search and seizure (1791).
• 7. Warren SD, Brandeis LD. The right to privacy. Harvard Law Review 1890;4:193-220.
• 8. Coleman AH. The Patient's Right to Privacy. J Natl Med Assoc 1961;53:207.
• 9. Al-Fedaghi SS. The "right to be let alone" and private information. In: Chen CS, Filipe J, Seruca I, Cordeiro J, editors. Enterprise Information Systems VII. Dordrecht: Springer Netherlands; 2006. p. 157-66.
• 10. Yamamoto R. [Management system of personal data protection in the health care field]. Rinsho Byori 2014;62:1129-34.
• 11. Universal declaration of human rights. United Nations (1948).
• 12. Thomson JJ. The right to privacy. Philosophy and Public Affairs 1975;4:295-314.
• 13. Feinberg W. Recent developments in the law of privacy. Columbia Law Review 1948;48:713-31.
• 14. Veal WR. Torts-right of privacy. Louisiana Law Review 1949;9:17.
• 15. Thompson IE. The nature of confidentiality. J Med Ethics 1979;5:57-64.
• 16. Scanlon T. Thomson on privacy. Philosophy and Public Affairs 1975;4:315- 22.
• 17. Richards NM, Solove DJ. Privacy's Other Path: Recovering the law of confidentiality. Geo L J 2007;96:123-82.
• 18. Beardsley EL. Privacy: Autonomy and selective disclosure. In: Pennock JR, Chapman JW, editors. Privacy Vol XIII. Atherton Press; 1971:56- 70.
• 19. Code of medical ethics. American Medical Association (2001).
• 20. Directorate-General for Research and Innovation. Ethics for researchers, facilitating research excellence in FP7. Luxembourg: European Commission; 2013 (http://ec.europa.eu/research/participants/data/ref/ fp7/89888/ethics-for-researchers_en.pdf).
• 21. Bernasek A. Should tax bills be public information? The New York Times. 2010 Feb 13;Sect. Your Taxes.
• 22. Basic HHS policy for protection of human research subjects, 45 C.F.R. Sect. 46.102 (2017).
• 23. Sebelius K. 45 CFR Parts 160 and 164. Modifications to the HIPAA privacy, security, enforcement, and breach notification rules under the health information technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules; final rule In: Office of the Secretary of the Department of Health and Human Services, editor. Federal Register, Volume 78, No 172013. p. 5566-702.
• 24. Administrative simplifications: definitions, 42 U.S. Code Sect. 1320d (1996).
• 25. 45 CFR §160.103 Definitions. [ 65 FR 82798, Dec. 28, 2000, as amended at 67 FR 38019, May 31, 2002; 67 FR 53266, Aug. 14, 2002; 68 FR 8374, Feb. 20, 2003; 71 FR 8424, Feb. 16, 2006; 76 FR 40495, July 8, 2011; 77 FR 1589, Jan. 10, 2012; 78 FR 5687, Jan. 25, 2013]: Department of Health and Human Services; 2013.
• 26. Family educational and privacy rights, 20 U.S. Code Sect. 1232g (2010).
• 27. National Institutes of Health. Certificates of confidentiality (CoC) [7/12/2017]. Available from: https://humansubjects.nih.gov/coc/index, https://humansubjects.nih.gov/coc/faqs.
• 28. Research and investigations generally, 42 U.S. Code Sect. 241 (2016). 29. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-91 (August 21, 1996).
• 30. Office of Civil Rights. The HIPAA privacy rule 2015. Available from: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
• 31. 45 CFR §164.502 Uses and disclosures of protected health information: general rules. [65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53267, Aug. 14, 2002; 78 FR 5696, Jan. 25, 2013]: Department of Health and Human Services; 2013.
• 32. 45 CFR §164.508 Uses and disclosures for which an authorization is required. [67 FR 53268, Aug. 14, 2002, as amended at 78 FR 5699, Jan. 25, 2013]: Department of Health and Human Services; 2013.
• 33. 45 CFR §164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object. [ 65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53270, Aug. 14, 2002; 78 FR 5699, Jan. 25, 2013]: Department of Health and Human Services; 2013.
• 34. 45 CFR §164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required. [ 65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53270, Aug. 14, 2002; 78 FR 5699, Jan. 25, 2013; 78 FR 34266, June 7, 2013; 81 FR 395, Jan. 6, 2016]: Department of Health and Human Services; 2016.