Category: HIPAA

If the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to give patients more control over their medical records in the electronic age, what does it say if twelve years later we decide we’d prefer Google to manage it for us?

In a recent article in the New York Times, it seems patients are eager to do just that:

The Google record … allows the user to send personal information, at the individual’s discretion, into the clinic record or to pull information from the clinic records into the Google personal file.

The move toward online control and access to personal health information changes the previously static, analog patient record into a dynamic set of data that serves multiple purposes. Our concepts of record management and documentation might have to change as well.

Several news outlets have reported on a new finding published in the New England Journal of Medicine (vol. 357, no. 4, July 26, 2007) regarding the spread of obesity in social groups. The article, "The Spread of Obesity in a Large Social Network over 32 Years," was written by Nicholas Christakis, MD, PhD, and James Fowler, PhD.

Their findings detailed the increased chances of an individual becoming obese if 1. a close friend became obese (57% increase); 2. an adult sibling became obese (40% increase); or, 3. a spouse became obese (37% increase). They also found that persons of the same gender also increased the chances of one obese person influencing another.

The data set used for the study comes from material collected for the Framingham Heart Study that began in 1948. A second cohort of the offspring of the first FHS was established in 1971 and a third cohort of offspring of the second generation began in 2002. The obesity study used only data from 5124 individuals in the second FHS cohort (1971). It tracked the social networks of the people by creating a database of information taken from handwritten administrative tracking sheets used to facilitate follow-ups with each participant. The tracking sheets included family names, relationships, addresses, and at least one close friend as a contact. This social information was not the basis for the Framingham study, but merely an administrative tool to be able to contact someone for their next appointment. The net result was 38,611 observable social networks among the participants.

This study demonstrates two interesting points in regards to archives. First, data collected for one reason can be creatively repurposed at a later time for another reason. This is one of the simplest arguments for retaining records in archives. Records are not kept merely to recreate the transactional nature of institutions and their activities, but instead provide for the use of information for other intentions.

The second point is the fragility of data. The information used to gather the findings was part of a three generation (and counting) study of heart disease. It was available because it was part of an active project that was well-documented. Due to the size of the FHS and its findings, it is likely that the data sets produced will be well-maintained after its conclusion at the National Library of Medicine or elsewhere. However, other data sets with the same potential to be repurposed into new studies are not always as lucky. And, it is likely it will become more precarious for them in the near future.

Issues concerning the privacy of patient and human subject information are part of the archival management process. The Privacy Rule regulations under HIPAA have done little to address the long-term preservation of PHI materials in archives. It is much easier for principle investigators, institutions, and archives to simply destroy the data as a sweeping act of safeguarding. True, there are few alternatives under the current regulations, but it comes at a cost of re-useable information and perhaps at the cost of our own health and well-being.

On my way to Columbus, OH to present on the topic of privacy and medical records, I read several interesting pieces in The Economist (28 April 2007) in a special report on telecoms. One article was particularly interesting and timely given the subject of my presentation. It discussed the current/future applications of RFID (Radio Frequency Identification) technology in health care. Commonly used as Tattle-Tape(tm) to prevent theft from retail stores and libraries, the chips are now the size of bits of powder.

It noted that wireless technologies are not new in medical care – the pacemaker is a machine that can be adjusted wirelessly – but that the trend will be toward ubiquitous integration, including deep inside our own bodies. RFID chips will communicate with other devices in the examination room as well as outside of the doctor’s office to provide a 24/7 health monitoring program. Our cell phones will be the go-between for our body and our physician. We could be blissfully unaware of any changes to our health when our phone rings to notify us we are scheduled for a visit to the family doctor or even providing directions to the nearest emergency room for an evaluation.

But notification is not the only purpose RFID chips and other similar technologies can provide. Smart chips planted near a tumor can wirelessly power up to burn any new cancer cell growth in a particular area. Chips in the digestive tract can measure the absorption of medication and alert the pharmacist to needed changes in dosage and strength.

Today, the question is how do we protect privacy while providing access to information that can move medical advances forward and allow us to better understand historic patterns in public health? In the coming years the question will shift to how do we protect privacy when there is no separation of the patient and their medical record? What happens when a person is not only the subject of study but also the document itself? What will the medical record look like? What exactly will come to the archives?

Currently, HIPAA and the Privacy Rule are trying to balance the issues of privacy protection and research use. Formulated during the rise of the electronic medical record, the legislation and regulation may become as quickly outdated as Zip drives. It will be seen as a solution based on what the needs were, not what the needs will be. The act also presumes a government’s responsibility to its citizens to aid in privacy protection. Yet, in a wirelessly networked world the government-citizen relationship is blurred and the emphasis on geographic location will wane as the demand for information and the privileges afforded by technology will rise.

Perhaps the very technology that scuttles our notion of a medical record will be the solution to privacy and access. Long vilified as a potential breach to privacy, the RFID and similar technologies could be the literal key to access. Those with permission to review medical records or to provide access to others will be the only ones able to gain access to the information. Individuals will be able to opt-in to have their information included in studies or databanks depending on their preferences without the need for patient consent forms each time a researcher submits a proposal to a review board. Perhaps the technology will ultimately give the individual what the HIPAA legislation cannot, immediate control over who can and cannot have access to their medical history.

And of course, there will be a setting to send it all to the archives.