Wednesday, September 30, 2015

Privacy & Consent: a Simple Solution

If you have been reading this blog you know that data privacy is not a very well defined concept at this point, and the ways it is being dealt with are confusing at best.  In the last post I talked about HIPAA (the Health Insurance Portability and Accountability Act) and how it works.  The key elements (the actual act is quite complex) are the following:

  1. HIPAA defines what health information is to be protected -- termed protected health information, or PHI for short.
  2. It defines the concept of a covered entity and who they are.  In essence, a covered entity is a health care provider, health plan or clearinghouse that creates, receives or maintains your PHI.
  3. It defines the contractual structures required of any covered entity, and of the business associates that handle PHI on its behalf, who must also operate under HIPAA's rules.
  4. It defines a TPO (treatment, payment or health care operations) exception: PHI can be shared among covered entities for the purpose of carrying out TPO without the patient's authorization.  In simpler terms, a doctor can share your PHI with another covered entity (think doctor or nurse) for the purpose of serving your health needs.
  5. The minimum necessary standard: only the minimum information needed for a given use or disclosure should be shared (HIPAA exempts disclosures to providers for treatment from this standard).  This lets patients get the services they require without extraneous information being shared.
One solution to the privacy and consent problem is to generalize HIPAA.  There are several reasons this is a good idea even before sketching in the details.  They are:
  1. HIPAA has been in existence for almost two decades, so, at least in healthcare, there is a lot of experience with this law.  That experience can be leveraged if HIPAA is generalized, and would be of far less value if an entirely different method of protecting privacy were adopted.
  2. Since everyone needs healthcare, HIPAA is something almost everyone has experienced.  Patients therefore have an understanding (more or less) of how HIPAA works, so they stand a better chance of understanding a generalized form of HIPAA than an entirely new policy.  It is also clear that hardly anyone understands the current patchwork of privacy policies, given how much confusion it has caused.
  3. Policy makers, at least in healthcare, have a lot of experience with HIPAA, so using it as a model will make it easier for them to create new policies that mirror it.
My proposal to generalize HIPAA is as follows:
  1. Divide the economy into domains.  A domain is composed of a set of services together with those who provide them: for example, a healthcare domain, a mental health domain, a financial domain, a legal domain, an education domain, a military service domain, and so on.  These domains need formal definitions, which ultimately means laws that make them clear or, better, a law that creates an open governance process for defining them, one that engages the public, service providers and government.  This generalizes the HIPAA notion of a covered entity.
  2. Appropriate use: the ways the covered entities of a domain may share data amongst themselves in order to provide the services the patient/client requested.  This varies from domain to domain but is fairly intuitive: when you go to a service provider, you expect the provider to do what is necessary to provide the service.  Appropriate use defines what data sharing that entails in each domain.  Any sharing that falls outside appropriate use requires the patient's/client's consent before it can proceed.  This generalizes the HIPAA TPO exception.
  3. Legal contracts that bind patients/clients to service providers, and contracts that bind service providers to the outside parties they need to fulfill service requests.  For example, a medical transport service needs appropriate contracts with the medical groups it serves.  Since such contractors act as agents of the service provider, they must be held to the same legal requirements as the provider.  This generalizes the HIPAA business associate agreement.
  4. Audit trails that patients/clients can actually read, documenting every access to their data: what data was accessed, by whom, whether under appropriate use or under a specific consent, for what purpose, and when (date and time stamp).  This is necessary so the public can be assured their data is being handled appropriately.  HIPAA's accounting of disclosures comes close, but it exempts routine TPO disclosures; the audit trail here should cover every access.
Here's an example of how this should work.  Say you have a credit card from a bank, Umongobanking.  Whenever you charge something on the card, the retailer shares that transaction with Umongobanking, first so the bank can confirm you have enough credit to make the purchase and second so the bank can pay the retailer.  That is obviously what appropriate use should entail in this domain.  If that is all it covers, then Umongobanking must ask for your consent before sharing (or rather selling) that data to anyone else.  It must also ask for your consent before sharing the purchase with a credit rating agency (I have a feeling the banks will fight to put that under appropriate use, but at least it will have to be a fight).  This would really gum up the works, since trade in consumer financial transactions is now part of a hidden economy.

The industry already has a partial solution that you may not have recognized as one: points.  Many credit cards issue points on purchases, and more points on some categories such as travel or entertainment, since that information sells for more.  So what would be different?  You would have access to an audit trail showing who bought your information, something you don't know now.  You might not care, and that's fine, but the main thing to notice is that this change won't affect the way you use a credit card, while access to the audit trail will give you far better insight into how your data is being shared.  Current privacy statements are filled with legalese but provide hardly any transparency; understandable audit trails do a far better job.  You might even be given the option to forgo points in order to prevent your data from being shared, or to share only with specific industries or businesses.
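To make the four-part proposal above concrete, here is an added example (mine, not from the original post) that models it in code: a per-domain appropriate-use table, consent records with an expiry and a recipient scope (the "share only with specific industries" option), a gate that allows sharing only under appropriate use or a valid consent, and an audit trail the client can read.  It replays the Umongobanking scenario with constructed parties: the subject "alice", a "Retailer", a "data_broker" and a "credit_rating_agency" are all assumed names, and the appropriate-use table is an illustrative assumption, not a legal definition.

```python
"""Consent-gated data sharing with a client-readable audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Appropriate use per domain (assumed for illustration): (recipient role, purpose)
# pairs that may receive a client's data without asking for consent.
# Anything not listed here needs a consent record.
APPROPRIATE_USE = {
    "financial": {
        ("card_issuer", "authorization"),   # retailer -> bank: is there enough credit?
        ("card_issuer", "settlement"),      # retailer -> bank: pay the retailer
    },
    "healthcare": {
        ("provider", "treatment"),
        ("health_plan", "payment"),
    },
}


@dataclass
class Consent:
    subject: str
    recipient: str            # recipient role, or "*" for any recipient
    purpose: str
    granted_at: datetime
    expires_at: Optional[datetime] = None

    def covers(self, recipient: str, purpose: str, now: datetime) -> bool:
        """True if this consent permits sharing with `recipient` for `purpose` at `now`."""
        if self.recipient not in ("*", recipient) or self.purpose != purpose:
            return False
        return self.expires_at is None or now < self.expires_at


@dataclass
class AuditRecord:
    when: datetime
    subject: str
    holder: str
    recipient: str
    purpose: str
    fields: tuple
    decision: str   # "allowed" or "denied"
    basis: str      # "appropriate use", "consent granted <date>", or reason for denial

    def readable(self) -> str:
        """One plain-language line per access, as the proposal's audit trail requires."""
        return (f"{self.when.isoformat(timespec='seconds')} {self.holder} -> {self.recipient} "
                f"for {self.purpose}: {', '.join(self.fields)} [{self.decision}: {self.basis}]")


class SharingGate:
    def __init__(self):
        self.consents: list = []
        self.audit: list = []

    def grant_consent(self, subject, recipient, purpose, now, valid_for=None):
        expires = now + valid_for if valid_for else None
        consent = Consent(subject, recipient, purpose, now, expires)
        self.consents.append(consent)
        return consent

    def request_share(self, subject, domain, holder, recipient, purpose, fields, now):
        """Decide one sharing request, record it (allowed or denied), return True if allowed."""
        if (recipient, purpose) in APPROPRIATE_USE.get(domain, set()):
            decision, basis = "allowed", "appropriate use"
        else:
            match = next((c for c in self.consents
                          if c.subject == subject and c.covers(recipient, purpose, now)), None)
            if match:
                decision, basis = "allowed", f"consent granted {match.granted_at.date()}"
            else:
                decision, basis = "denied", "outside appropriate use and no valid consent"
        self.audit.append(AuditRecord(now, subject, holder, recipient, purpose,
                                      tuple(fields), decision, basis))
        return decision == "allowed"

    def audit_trail(self, subject):
        """Everything that happened to one client's data, readable by that client."""
        return [r.readable() for r in self.audit if r.subject == subject]


def run_card_scenario():
    """The Umongobanking example from the post, with constructed parties and times."""
    gate = SharingGate()
    t0 = datetime(2015, 9, 30, 12, 0, tzinfo=timezone.utc)
    purchase = ["merchant", "amount", "card_number"]
    results = []
    # 1. Retailer checks credit: appropriate use in the financial domain, no consent needed.
    results.append(gate.request_share("alice", "financial", "Retailer", "card_issuer",
                                      "authorization", purchase, t0))
    # 2. Bank tries to sell the purchase to a data broker: denied, alice never consented.
    results.append(gate.request_share("alice", "financial", "Umongobanking", "data_broker",
                                      "marketing", purchase, t0 + timedelta(hours=1)))
    # 3. Alice consents to credit reporting only, for 30 days; that share is now allowed.
    gate.grant_consent("alice", "credit_rating_agency", "credit_reporting",
                       t0 + timedelta(hours=2), timedelta(days=30))
    results.append(gate.request_share("alice", "financial", "Umongobanking", "credit_rating_agency",
                                      "credit_reporting", ["merchant", "amount"], t0 + timedelta(days=1)))
    # 4. The same share after the consent expired is denied again.
    results.append(gate.request_share("alice", "financial", "Umongobanking", "credit_rating_agency",
                                      "credit_reporting", ["merchant", "amount"], t0 + timedelta(days=40)))
    return gate, results


if __name__ == "__main__":
    gate, _ = run_card_scenario()
    print("\n".join(gate.audit_trail("alice")))
```

Two design choices worth noting: denied requests are logged as well as allowed ones, so the client can see who tried to buy their data, not just who succeeded; and a consent names a recipient role and a purpose and carries an expiry, so "share with credit rating agencies for reporting" does not quietly become "share with anyone for anything".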

Options and other fine points will need to be part of a public discussion that takes place before these ideas are implemented.

There are many other issues to consider (in future posts).  Here are a few:
  • How to secure data, since there can't be any privacy without the ability to store data securely.
  • What about anonymity?
  • How much will this cost?
  • How to implement this so that it is self-sustaining?
Stay Tuned.