Previous installment: Dividing the pie, from research to patents
The fear of revealing patient data pervades the medical field, from the Hippocratic Oath to the signs posted all over hospitals reminding staff not to discuss patients in the hallways and elevators. HIPAA’s privacy provisions are parts most routinely cited, and many hospitals overreach their legal mandates, making it even harder than the law requires to get data. Whereas Americans have gotten used to the wanton collection of data in other spheres of life, health care persists in its idyllic island of innocence (and we react with outrage whenever this innocence proves illusory).
In my break-out session about terms of service, a lot of the talk revolved around privacy. The attendees acknowledged respectfully on one level and grumbled about how the laws got in the way of good research on another level. Their attitudes struck me as inconsistent and lacking resolve, but overall I felt that these leaders in the field of health lacked an appreciation for the sacredness of privacy as part of the trust a patient has for her doctor and the health care system.
Even Peter Kapitein, in his keynote, railed that concerns for privacy were just excuses used by institutions to withhold information they didn’t want the public to know. This is often true, but I felt he went too far in uttering: “No patient will say, please don’t use my data if it will help me or help someone else in my position.” This is not what surveys show, such as Dr. Alan Westin’s 2008 report to the FTC. When I spoke to Kapitein afterward, he acknowledged that he had exaggerated his point for the sake of rhetoric, and that he recognized the importance of privacy in many situations. Still, I fear that his strong statement might have a bad effect on his audience.
We all know that de-identified data is vulnerable to re-identification and that many patients have good reason to fear what would happen if certain people got word of their conditions. It’s widely acknowledged that many patients withhold information from their own doctors out of embarrassment. They still need to have a choice when researchers ask for data too. Distrust of medical research is common among racial minorities, still angry at the notorious Tuskegee syphilis study and recently irked again by researchers’ callous attitude toward the family of Henrietta Lacks.
Wilbanks recommends that the terms of service for the commons prohibit unethical uses of data, and specifically the combination of data from different sources for re-identification of patients.
It’s ironic that one vulnerability might be forced on the Sage commons by patients themselves. Many patients offer their data to researchers with the stipulation that the patients can hear back about any information the researchers find out about them; this is called a “patient grant-back.”
Grant-backs introduce significant ethical concerns, aside from privacy, because researchers could well find that the patient has a genetic makeup strongly disposing him to a condition for which there’s no treatment, such as Huntington’s Disease. Researchers may also find out things that sound scary and require professional interpretation to put into context. One doctor I talked to said the researcher should communicate any findings to the patient’s doctor, not the patient himself. But that would be even harder to arrange.
In terms of privacy, requiring a researcher to contact the patient introduces a new threat of attack and places a huge administrative burden on the researchers, as well as any repository such as the commons. It means that the de-identified data must be linked in a database to contact information for the patient. Even if careful measures are taken to separate the two databases, an intruder has a much better chance of getting the data than if the patient left no such trace. Patients should be told that this is a really bad deal for them.