Wednesday, September 30, 2015

Privacy & Consent a Simple Solution

If you have been reading this blog you know that data privacy is not a very well defined concept at this point and the ways it is being dealt with are confusing at best.  In the last post I talked about HIPAA (the Health Insurance Portability and Accountability Act) and how it works.  The key elements (the actual act is quite complex) are the following:

  1. HIPAA defines what health information is to be protected -- termed personal health information or PHI for short.
  2. It defines the concept of a covered entity as well as who they are.  In essence, a covered entity is any person or organization that creates or has access to your PHI.
  3. It defines needed legal contractual structures for any covered entity as well as business associates who must also function under HIPAA.
  4. It defines a TPO (treatment, payment or operations) exception that states that PHI can be shared among covered entities for the purposes of fulfilling TPO.  In simpler terms that means a doctor can share your PHI with any other covered entity (think doctor or nurse) for the purpose of serving your health needs.
  5. The policy that only the minimum necessary information should be shared. This guarantees patients get the services they require, but that extraneous information is not shared.
One solution to the privacy and consent problem is to generalize HIPAA.  There are several reasons this is a good idea even before sketching in the details.  They are:
  1. HIPAA has been in existence for almost two decades so, at least in healthcare, there is a lot of experience with this law.  This experience can be leveraged if HIPAA is generalized and may be of far less value if any other method of protecting privacy is adopted.
  2. Since everyone needs healthcare, HIPAA is something which almost everyone has experienced.  Thus patients have an understanding (more or less) of how HIPAA works, so if it is generalized, people will have a better chance of understanding a more general form of HIPAA than an entirely new policy.  It is also clear that nobody can really understand the current policy since it has led to so much confusion.  
  3. Policy makers, at least in healthcare, have a lot of experience with HIPAA so that using it as a model will make it easier on policy makers to create new policies that mirror HIPAA.
My proposal to generalize HIPAA is as follows:
  1. Divide up the economy into different domains.  A domain is composed of a set of services together with those that provide those services.  For example, a healthcare domain, a mental health domain, a financial domain, a legal domain, an education domain, a military service domain, etc.  These domains will need formal definitions which ultimately means some laws that make it clear or, better, a law that creates an open governance process which manages the definition of these domains.  That is a process that engages the public, service providers as well as government.  This is really a generalization of the HIPAA notion of covered entity.
  2. A concept of appropriate use, meaning the different ways that the covered entities of the domain can share data amongst each other in order to provide the services the patient/client requested.  This will vary from domain to domain but is really fairly intuitive.  When you go to a service provider, you expect that the provider will do what is necessary to provide the service. Appropriate use defines what data sharing is appropriate in each domain. Any data sharing that falls outside of appropriate use will need consent from the patient/client before any data sharing can proceed.  This is a generalization of the HIPAA TPO exception.
  3. Legal contracts that bind patients/clients to service providers as well as legal contracts that bind service providers to others that may be needed to fulfill service requests.  For example, a medical transport service needs appropriate contracts with the medical groups they service.  In general, outside contractors may be needed to help out service providers.  Since they will be agents of the service provider, they will need to be held to the same legal requirements as the service provider.
  4. Audit trails that patients/clients can actually read that document every access to their data.  What data was accessed by whom, within appropriate use or details of the consent, for what purpose, with a date and time stamp.  This is necessary so the public can be assured that their data is being handled appropriately.  This is not a HIPAA requirement but it should be.
Here's one example of how this should work.  Say you have a credit card from a bank, Umongobanking.  Whenever you charge something on the card, the retailer shares that information with Umongobanking, first to make sure you have enough credit to make the purchase and secondly so that Umongobanking can provide the cash to the retailer.  That is obviously what appropriate use should entail.  If that is it, then Umongobanking will have to ask for your consent to share that data (or rather sell it) to anyone.  It will also have to ask for your consent to share the purchase with any credit rating agency (I have a feeling that the banks will fight to put that under appropriate use, but it will at least have to be a fight).  This would really gum up the works since trade in consumer financial transactions is now part of a hidden economy. 
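As an added illustration (not the post's own code, and not any real bank's system), here is a small Python sketch of the proposal's decision rule and readable audit trail applied to the Umongobanking example: a share is allowed only under the domain's appropriate-use table or an unexpired consent, and every attempt is logged in plain language for the client to read. The domain table, consent records, company names and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Appropriate use per domain: (sender role, recipient role, purpose) triples that may
# be shared without consent. Constructed for the post's card example; real tables
# would come from the governance process the post calls for.
APPROPRIATE_USE = {
    "financial": {("retailer", "card_issuer", "authorize_purchase"),
                  ("card_issuer", "retailer", "settle_purchase")},
}

@dataclass
class Consent:
    client: str
    domain: str
    recipient: str
    purpose: str
    expires: datetime

@dataclass
class SharingGate:
    consents: list
    audit: list = field(default_factory=list)  # append-only, plain-language trail

    def share(self, client, domain, sender, sender_role, recipient,
              recipient_role, purpose, now):
        """Allow the share only under appropriate use or an unexpired consent;
        every attempt, allowed or not, is written to the audit trail."""
        if (sender_role, recipient_role, purpose) in APPROPRIATE_USE.get(domain, ()):
            basis = "appropriate use"
        else:
            ok = [c for c in self.consents if c.expires > now and
                  (c.client, c.domain, c.recipient, c.purpose)
                  == (client, domain, recipient, purpose)]
            basis = f"consent until {ok[0].expires.date()}" if ok else None
        verdict = f"ALLOWED ({basis})" if basis else "DENIED (no appropriate use, no consent)"
        self.audit.append((client, f"{now.isoformat()} {sender} -> {recipient} "
                                   f"[{domain}/{purpose}]: {verdict}"))
        return basis is not None

    def audit_for(self, client):
        """What the client gets to read: every access to their data."""
        return [text for who, text in self.audit if who == client]

def demo():
    """The post's Umongobanking scenario; all names and dates are constructed."""
    now = datetime(2015, 9, 30, 12, 0, tzinfo=timezone.utc)
    gate = SharingGate(consents=[Consent("alice", "financial", "CreditRatingCo",
                                         "credit_rating",
                                         datetime(2016, 1, 1, tzinfo=timezone.utc))])
    r1 = gate.share("alice", "financial", "RetailerX", "retailer", "Umongobanking",
                    "card_issuer", "authorize_purchase", now)        # appropriate use
    r2 = gate.share("alice", "financial", "Umongobanking", "card_issuer",
                    "DataBrokerCo", "data_broker", "marketing", now)  # no consent
    r3 = gate.share("alice", "financial", "Umongobanking", "card_issuer",
                    "CreditRatingCo", "rating_agency", "credit_rating", now)  # consent
    return (r1, r2, r3), gate.audit_for("alice")
```

Running `demo()` shows the authorization allowed, the broker sale denied, and the rating-agency share allowed only because a consent record exists; all three attempts appear in the client's audit trail.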

The industry already has a solution that you may not have recognized as one: points.  Many credit cards issue points on purchases, and more points on some purchases such as travel or entertainment, since they can sell that information for more money.  So what would be different?  You would have access to an audit trail on who was buying your information, something you don't know now.  You might not care, that's fine, but the main thing to notice is that this change won't affect the way you use a credit card, but access to the audit trail will give you much better insight into how your data is being shared.  Current privacy statements are filled with lots of legalese, but provide hardly any transparency.  Understandable audit trails do a far better job with transparency.  It is even possible that you may be given the option to forgo points in order to prevent your data from being shared, or you may be given the option to only share with specific industries or businesses.  

Options and other fine points will need to be part of a public discussion that should be debated before the implementation of these ideas.

There are many other issues to consider (in future posts).  Here are a few:
  • How to secure data since there can't be any privacy without the ability to store data securely.
  • What about anonymity?
  • How much will this cost?
  • How to implement this so it is self-sustaining?
Stay Tuned.

Tuesday, September 15, 2015

So what is data privacy anyway?

The last post covered the latest thinking on how the federal government, in particular the agency Health and Human Services, has decided to go about protecting your privacy.  I listed 6 problems with this rather feeble approach.  In this post I want to take a more thorough look at what we mean by data privacy.

First, let's think a bit about what we mean by data privacy.  The data part is easy, by data we mean digital data, that is data that is captured, stored and/or manipulated by a computer (whether it is your desktop, a server, a laptop, cell phone, tablet or a digital device).  The problem comes when you try to define what data an individual can claim to own.

For example, consider Facebook.  Facebook gives you many options on who can see or share the postings you put on Facebook.  But Facebook is a privately owned corporation.  They give you access to a set of routines that provide you the ability to share or not share data that you post.  Does this make it your data, or is Facebook providing you with a convenient application that gives you the illusion of ownership?  Why should Facebook, which not only provides the service but also has to pay for its incredibly expensive infrastructure, actually allow you to control "your" data?  What does Facebook get out of this?

The current answer is a combination of the following:

  • Facebook needs to be responsive to the needs of the majority of its members if it expects to stay in business and it appears that its members want these controls and maybe even more.
  • The federal government is looking at this issue and Facebook would prefer to handle the issue of privacy without being compelled to follow any new laws that may conflict with its business model.  So it hopes it can mollify concerns before they escalate and Facebook loses the amount of control it now enjoys.
This is not a very satisfactory answer.  It is, though, a typical answer, based not on any recognizable principles so much as on a tactical approach to the current environment.

So what's a good answer?  One place to start is in healthcare.  In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was passed.  This act defines the clinical health data that is considered private to an individual.  In particular it defines "covered entities" such as your doctor, hospital, clinic, insurance carrier or anyone working in a healthcare institution that provides you with service.  Covered entities are required to ensure that no "personally identifiable information" is disclosed without your consent, with one exception.  This means that your doctor can't legally discuss or share anything they know about you with anyone (with one exception, see below) if the discussion links you personally to information the doctor gleaned while providing you with medical services.

That is, HIPAA actually codifies in law what medical data you own as a citizen.  And this is really the only way the concept of data ownership can be defined: government must do it.  Unfortunately, so far, government is not up to completing the task.

The other interesting aspect of HIPAA is the exception for treatment, payment and operations or TPO.  This says that a doctor or other healthcare professional can share your data for the purpose of providing you with a medical service.  

Oh yeah!  Doctors need your data to provide you with the medical services you expect.  This raises a very important issue which is hardly ever discussed though obvious.  That is that data sharing is not really something that can be understood in one context.  The context in which data sharing needs to be understood is the utility of the data sharing.  Presumably, you should have no problem having your doctor share your data if the purpose is to provide you with the service you went to the doctor for in the first place.

The failure to consider the utility context is exactly what is wrong with the segmentation approach discussed in the last post.  Doctors, not patients, are the ones that understand the data in a patient's medical record.  The patient goes to a doctor to obtain a service they can't do for themselves.  What sense does it make for the patient to be the one to decide what data can be shared with other healthcare professionals?  In the context of the medical utility of a person's medical data, a physician is the person who best understands what data should be shared for what purpose.  Putting the patient in charge of data sharing makes no sense (except as it mollifies certain patient advocates).  There are many other arguments people make to defend this foolish idea; I will get to them in a future post.

It's not hard to generalize these ideas.  Data sharing really has two major contexts:
  • Sharing data for the purpose of providing an individual with requested services and
  • Sharing data for other purposes.
And, in order to tie this to the concept of data ownership we need laws.

In sum, ownership of data must be defined in law if it is to have any useful meaning, and the law needs to also recognize the distinction between sharing data for a purpose the owner has requested and sharing data for other purposes.  In the next post I will share a proposal I have for a simple-to-understand (not so simple to implement) solution for data privacy.

Saturday, September 12, 2015

Privacy, Security & Consent - an unholy trinity we need to address

So, you have credit cards, maybe a mortgage or auto loan, health insurance, auto insurance, and more.  You are probably using Facebook or some other social networks.  You also have a desktop, a tablet and/or a smartphone.  Maybe other devices like a Fitbit.  Do you know who knows what about you?  Does the avalanche of privacy statements from all of the institutions that have your data make sense?  Does it make you feel that your privacy is being protected?  If you actually feel comfortable in the current situation, this blog is not for you.

Last fall I attended a conference that was focused on different aspects of privacy and security.  One of the speakers claimed that a presentation by IBM a few years earlier stated that every year approximately 2.5 quintillion bytes of data was created.  That is 2.5 followed by 18 zeros, and this number is growing very quickly.  I am looking for the actual source of those numbers, but I'm sure they are a good approximation.  These numbers are way too big for a human to understand, but nonetheless, we are confronted by these numbers in our daily lives.  This is because we have this global network, the internet, that links all of this data together in myriad ways and makes enormous amounts of it available to us and the institutions of which we are members (voluntarily or not).

Managing this data is hard to conceptualize.  Ensuring that the data that each of us considers private remains private -- that is, only accessible to people or institutions which we approve -- seems to be impossible.  Yet that is what is needed if the public is ever to be comfortable with sharing data.  And healthcare and human services will remain stuck in the incredible inefficiencies of the 20th century data infrastructure with a disbelieving public if this doesn't change.

Currently, the feds (primarily SAMHSA, the Substance Abuse and Mental Health Services Agency) have proposed giving the public a way to control a small subset of healthcare data.  A method that, to be polite, has not caught on.  The scheme (primarily to protect substance abuse and mental health data, but there is a desire to expand it to all healthcare data) allows the patient to determine which data he or she may allow a physician to share.  This is called segmentation.  This is a very bad idea for many reasons:

  1. So far, this only applies to particular forms of the electronic medical record, namely the C32 and CCDA.  Not all commercial medical record vendors support either standard, and those that do in general only support a subset of these standards.
  2. The majority of clinical data sharing takes place with messages that conform to HL7 or Direct; neither standard supports segmentation, nor does it look like they ever will.
  3. "Clinical Swiss Cheese" (thanks to Mark Chudzinski for coining this term).  That is, with segmentation, a physician may never know if all of the relevant data they need to serve a patient is available to them.  This provides a strong disincentive for a physician to participate in data sharing since inconsistent access to data raises large liability concerns let alone the concern of helping to heal a patient.
  4. Hidden conditions may be deduced because of other data that has been shared.  For example (this has been cooked up to make it simple), let's say you have a heart condition that you don't want anyone, including say an orthopedic surgeon, to know about.  But the surgeon needs to know the meds you are on and sees you are taking aspirin once a day.  That would be enough to make it clear you have a heart condition.
  5. Patients may not feel comfortable deciding what data to share or even if they do, they may not make choices that are wise.
  6. Physicians are already functioning under the Health Insurance Portability and Accountability Act (HIPAA), which makes it illegal for a physician to share data outside of the needs of treatment, payment or operations (TPO).  Allowing a patient to decide what information a physician can or can't see would appear to tell the public that you can't trust your physician with your data.  I fail to see how this can help improve our healthcare system.
So, if segmentation is a bad idea, what is a good idea?  How do we allow our data to be shared for our benefit without losing our privacy?  Great questions, see the next post for an answer.

Introducing Insightamation

What is the relationship between data ("big data" is a stupid marketing term imho), business, politics and economics?  This blog will plunge into this topic in an attempt to create discussion, wake people up to the reality of the continuing data tsunami in which we live, as well as to advocate for policies and services that serve humans no matter their ethnic, racial, gender, class, history or educational level.

My background is apropos for this discussion.  I am a mathematician by training (still working on my thesis topic in Algebraic Topology after over 30 years), a computerphreak since 1963, and was the Chief Information Officer (CIO) of the State of Illinois Medicaid Agency, Healthcare and Family Services, from 2005 until 2011.  I also served in a similar capacity from 2011 until June of this year as the CIO of the Illinois Health Information Exchange (actually served in 2 different related agencies, but those details are unimportant).

Some topics will be technical and I will do the best I can to educate readers in the background they will need to understand the issue.

I have chosen the title, Insightamation, for the blog; it is also the name I consult under.  The name reflects the need for both human insight and automation to guide our path forward in this more and more data-centric world.  Insight is inherently human from my point of view.  It represents our ability to reflect on our experiences and apply the reflection to any topic whether already experienced or not.  It is an area that still defies automation, though maybe not forever (look to a future blog on the topic of automation and participation in human culture).  I believe that automation needs to be guided by the needs of people, not large corporations, not brilliant science fiction fantasies of "singularities" or other such trip outs.  There is a beautiful book called Computer Power and Human Reason published by Joseph Weizenbaum (one of the early pioneers of automation at MIT) that lays out many of these issues very clearly and is still relevant today even 40 years after it was published.  Many of my ideas have been in response to this book.

One more thing.  I intend to create a national (or hopefully global at some point) infrastructure for sharing data intended to be used in services that people need.  Services such as health care, social services, educational services, legal, financial, military, wellness and more.  All of the items related to the creation, somehow, of this infrastructure will eventually make their way to this blog.

Thanks for reading this introduction.  I look forward to feedback.  I have no problem with criticism, but if you think that insults and wild screeds are good ways to communicate, find somewhere else to post.  I will delete posts that add nothing to the discussion including disrespectful posts.