Digital privacy is in the news. Congress is moving a bipartisan bill to regulate software holding personal information and, within healthcare, there has been recent concern about the Epic – Particle Health – Carequality controversy. With vast amounts of information about each of us being shared continuously (unless of course you don’t have a phone, search the internet, use credit cards, or travel), our digital privacy is bounded.
Healthcare, though, is special for a number of reasons. Historically, patient conversations with physicians have been privileged information. HIPAA provides a variety of healthcare-enforced privacy protections. While we all understand personal details that should not be public, the biggest ongoing push for healthcare privacy comes from the extremely high costs associated with medical care and the need to maintain as much insurability as possible.
So, what are the core digital privacy policies and protections, and how do they interact with both legacy and modern software stacks?
Beyond state laws protecting privileged information, the big digital privacy protector in healthcare is HIPAA (The Health Insurance Portability and Accountability Act of 1996). While there are many details to HIPAA’s Privacy Rule, the core principles are that the patient has to give either explicit consent to share information or Covered Entities and their Business Associate designees may without explicit permission share the “minimum necessary” information needed for Treatment, Payment or Operations (TPO).
The current controversy hinges around the definition of “treatment”. While “minimum necessary” is relatively clear for payment and operations, it’s hard to draw a border around the clinical information needed for treatment. Potentially almost every piece of clinical history, such as a surgery as an infant or a medicine given in childhood, may have clinical relevance for the patient’s entire life.
We can see that many questions of privacy have at their heart whether there was an informed consent gathered from the patient or if the data being shared was under the “treatment” provisions of HIPAA’s privacy rule.
What is the interplay with generations of technology?
As a very broad brush stroke, the 1990’s internet communicated with “page views” of information. In the early 2000s, the rise of modern APIs using the principles of RESTful APIs allowed rapid communication of individual data fields. Today, almost every app on your smartphone communicates back to its server to give you the news, music, financial, travel, lifestyle, or services information you wish. Transmissions are extremely granular.
Privacy protecting technologies tend to follow this history as well. In the 1990s, the IHE protocols that allow exchange of documents had privacy enforced by limitations on who could be an endpoint. Ultimately it was one EHR communicating with another EHR and all the EHR users had strict access controls, so contractual attestation that the transmission was a stated TPO purpose was adequate.
Today, the modern digital economy has potentially many more participants and those non-EHR participants are not bounded by medical licensure enforcement. Attestation is clearly inadequate and, in a world of many threats, does not meet what the statisticians call “face validity” – common sense to the rest of us.
Today, in the 2020s, modern privacy can be protected by public key cryptography and strict OAuth authorizations and authentications. This is how your banking and financial information is secured on the Internet. The 21st Century Cures Act APIs promulgated by ONC and CMS follow this architecture or that of explicit contractual consent. No more “crossing your fingers behind your back.”
The challenge comes when we try to carry over the attestation pieces of the 1990’s architecture to the modern world. Epic and the external interoperability network Carequality it created rely on these attestation-based protocols and when a newer player, in this case Particle Health, uses this older construct and “attests” that they or their clients are using potentially large numbers of patient records for “treatment”, the network can either provide these records or, as is the case for the first time publicly here, engage in a complaint process to prevent the movement of that data.
The 2024 alternative is to use direct consent enforced by public key cryptographic authentication and authorization, and this entire issue is prevented because in this world there is no attestation. Promises are enforced digitally – no permission, no transmission. These techniques are at the heart of modern APIs.
Importantly, business models play a critical role here.
Most business models are using interoperability directly on behalf of a covered entity, such as a provider or payer, or on behalf of the patient themselves. Unlike some of the interoperability vendors, these business models do not have deep economic incentives to move data between unrelated third parties.
Our ability to provide modern digital health tools like the apps we use in the rest of our lives and our ability to introduce digital competition into the widely anti-competitive world of healthcare will depend on how we protect privacy while encouraging innovation and actual competition. Federal policies will almost certainly continue to affect the balance between these older approaches to privacy and modern fully digital APIs. One area that will need attention is TEFCA, which is built on a 1990’s style of attestation consent.
Privacy policy can be quite dry, but those policies will determine the nature of the care we get for the rest of our lives. Stay tuned.