HIPAA’s Broken PromiseComments on: --

By: Cancer 2.0 | e-Patients.net

Cancer 2.0 | e-Patients.net — Tue, 14 Dec 2010 22:07:09 +0000

[...] headline for me was his critique of Paul Ohm’s “Broken Promises” article, which I wrote about last year. Malin says that Ohm exaggerated the threat and caused damage to the field by scaring [...]

By: Ian Eslick

Ian Eslick — Wed, 15 Sep 2010 19:27:00 +0000

The reality is that the database of ruin exists in parts at companies like BlueKai, Rapleaf, and Experian. It’s not just search logs that can be used to identify you, it is also web cookies, financial transaction histories, and e-commerce databases. Since the technology exists to circumvent any de-identification procedure that would yield data useful for medical discovery, the future lies in how well we plan out and manage the web of trust and confidentiality agreements.

By: A New Conversation About Health Privacy: Who’s In? | e-Patients.net

A New Conversation About Health Privacy: Who’s In? | e-Patients.net — Fri, 21 May 2010 12:02:09 +0000

[...] reminded of what Paul Ohm wrote about the broken promise of HIPAA: [I]t is hard to imagine another privacy problem with such starkly presented benefits and costs. On [...]

By: SusannahFox

SusannahFox — Mon, 21 Dec 2009 21:11:36 +0000

Health geek backgrounder: implications of @paulohm's anonymization #fail insights for HIPAA http://bit.ly/178l0f

By: What’s on the Web: Telemedicine, Twitter and Wii-hab « ScienceRoll

What’s on the Web: Telemedicine, Twitter and Wii-hab « ScienceRoll — Fri, 23 Oct 2009 19:14:41 +0000

[...] HIPAA’s Broken Promise (e-Patients.net) [...]

By: Health Highlights – September 22nd, 2009 | Highlight HEALTH

Health Highlights – September 22nd, 2009 | Highlight HEALTH — Wed, 23 Sep 2009 00:56:20 +0000

[...] HIPAA’s Broken Promise | e-Patients.net [...]

By: Susannah Fox

Susannah Fox — Tue, 22 Sep 2009 20:17:45 +0000

This essay was crossposted to The Health Care Blog where another discussion has cropped up, in case you want to check it out:

http://www.thehealthcareblog.com/the_health_care_blog/2009/09/hipaas-broken-promises.html#comments

By: Just because you don’t see them, it doesn’t mean you aren’t being followed. | James [ HATCHideas ]

Tue, 22 Sep 2009 18:14:28 +0000

[...] technological policymaking, has spurred the discussion into just what it means to be anonymous. Are you anonymous when someone attempts to anonymize your data? It appears not, at least to some degree. The ethical issue here is; Why de-anonymize data that has [...]

By: Susannah Fox

Susannah Fox — Thu, 17 Sep 2009 18:08:29 +0000

Dan,

Orwellian indeed! The word panopticon comes to mind, too. When I put out a few key points of this article on Twitter I got back another haunting phrase: “gossip biography” (from @EvidenceMatters).

Thanks so much for adding these insights. I love the idea of working towards a “utility curve.” Can lawyers, coders, health researchers, patients, etc. all contribute to getting there?

By: Health IT Policy: E-patients want access | e-Patients.net

Health IT Policy: E-patients want access | e-Patients.net — Thu, 17 Sep 2009 17:11:24 +0000

[...] Other panels will cover data stewardship, de-identification/re-identification, and transparency/accountability. I’m no expert on HIPAA or code, but yes, I will suggest that Paul Ohm’s article, “Broken Promises of Privacy,” be considered required reading for all the reasons I wrote about here. [...]

By: SusannahFox

SusannahFox — Wed, 16 Sep 2009 21:10:46 +0000

Health IT Policy Committee encourages debate, so I also shared HIPAA’s Broken Promise post w/co-panelists: http://bit.ly/178l0f

By: Walter Jessen

Walter Jessen — Wed, 16 Sep 2009 20:21:59 +0000

@SusannahFox Absolutely! "The more useful a data set, the less likely it is to be scrubbed of identifying information." http://bit.ly/178l0f

By: Dan Arista

Dan Arista — Wed, 16 Sep 2009 15:15:54 +0000

It is about time this topic gets more attention. Hopefully the folks at the VA are reading!

At first I read:

“Ohm uses a haunting phrase to describe the possibility of re-identification: the database of ruin. It will reveal all our secrets to everyone, at any time, and follow us wherever we go.”

…and I thought “Database of Ruin” sounds a bit Orwellian. But the reality is, as more and more data is collected it will be increasingly impossible to completely anonymize it.

But who would want to access to this identifiable roster?

THEY would need ALL the data and very SOPHISTICATED ALGORYTHYMS and trained HUMAN ANALYSIS to kludge it all together again…maybe some Computer Scientist structured data Subject Matter Experts can make it LOOK easy, but not so much. This would be a considerably difficult undertaking. Although it seems nearly impossible, the entire health industry and IT industry are moving in that direction, and with there funding and talented ability to avoid regulatory impediments, they’ll most likely get there.

I believe this is an inevitability due to the efficiencies and benefits of information sharing, especially in a field where basic, clinical, and longitudinal studies are very active, not to mention information intensive decision cycles in treatment.

That said, the debate should be elevated to determine how to manage the risks…how to know when it’s worth the danger of ‘being revealed’ for the benefits of informing researchers and care givers. It may be more productive than the polarizing ‘they’ who will build a ‘database of ruin’ to destroy humanity vs. ‘they’ who impede science to ‘hide’ their ‘gluttonous’ preventable illnesses.

This type of novel research in Risk Management will benefit several other industries which as a result of the Information Age (and globalization) are facing regulatory, policy, ethics, and poignantly ‘management’ debates surrounding information management. Many of these topics are classical legal and political issues, which have resurfaced in modernized forms, being revisited generally because IT advancements. A great case in point is digital signatures…many lawyers had to dust off the books when that rolled around in the early ’90s.

IMHO, it’s really a utility curve we should be working towards. A model which all stakeholders could leverage as means to inform and empower themselves in their individual roles (especially patients and regulators), and to hopefully optimize the Health Care Information Market.

By: SusannahFox

SusannahFox — Wed, 16 Sep 2009 15:08:49 +0000

@wjjessen Hey, thanks! Would love your opinion on HIPAA’s shortcomings and implications for researchers: http://bit.ly/178l0f

By: SusannahFox

SusannahFox — Wed, 16 Sep 2009 13:11:16 +0000

@BarbaraFicarra Thanks for the RT – how about a show on privacy, #myhealthdata and HIPAA’s shortcomings? See http://bit.ly/178l0f

By: SusannahFox

SusannahFox — Tue, 15 Sep 2009 13:57:44 +0000

@bobcoffield You’re in the Venn overlap of health mavens & privacy experts: looking fwd to your dissection of http://bit.ly/178l0f

By: Susannah Fox

Susannah Fox — Tue, 15 Sep 2009 13:54:15 +0000

Thanks, Dave!

I have to give credit to Jules Polonetsky, Co-chair and Director of the Future of Privacy Forum, who called Paul Ohm’s article “one of the most important papers of the year.” (Follow his tweets: http://twitter.com/JulesPolonetsky )

One of my goals in writing this is to bring together the two worlds of health mavens and privacy mavens. Just as we’ve urged statistical literacy and data literacy, I am urging privacy/security literacy.

Ohm’s article is a great place to start because it’s a page-turner — how can you resist a writer who refers to unicorns and mermaids?? This debate shouldn’t be limited to law professors and code geeks. Too much is at stake.

By: arthurwlane

arthurwlane — Tue, 15 Sep 2009 13:19:40 +0000

HIPAA’s Broken Promise (e-patients): http://bit.ly/gmqHw

By: ICMCC News Page » HIPAA’s Broken Promise

ICMCC News Page » HIPAA’s Broken Promise — Tue, 15 Sep 2009 05:49:52 +0000

[...] Article Susannah Fox, e-patients.net, 14 September 2009 SHARETHIS.addEntry({ title: "HIPAA’s Broken Promise", url: "http://articles.icmcc.org/2009/09/15/hipaa%e2%80%99s-broken-promise/" }); [...]

By: e-Patient Dave

e-Patient Dave — Tue, 15 Sep 2009 04:56:15 +0000

WOW! WOW!

Great article by Ohm, great take on it by you, Susannah. REALLY puts a potent, relevant light on the subject.

When I first got exposed to all the deep geeky talk about HIPAA (in a meeting at the Center for Democracy and Technology – experts chatting informally about breach notifications, variations in laws, and all that), it was way over my head but I could at least say “As far as I can tell, ALL of these concerns are to protect people from having their data used against them, right?” Everyone nodded.

Now I see this in a whole different light: the data is NOT secure, not at all. So I think you’re exactly right: given that, what do we do?