DATA-RICH AND KNOWLEDGE-POOR:
HOW PRIVACY LAW PRIVATIZED MEDICAL DATA AND WHAT TO DO ABOUT IT

The Health Information Technology for Economic and Clinical Health Act (HITECH) successfully encouraged widespread adoption of electronic health records (EHR). Their suitability for “big data” analysis makes EHR data immensely valuable for secondary research, which could help scientists develop new drugs, medical devices, and public-health knowledge. Thus far, EHR data have not been widely available to academic medical scientists in quantities sufficient to support big data analysis. Instead, the data are aggregated, analyzed, and sold by insurance companies, EHR vendors, and other medical informatics firms. This Note argues that the advent of the EHR data market is a direct result of HITECH’s interaction with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (together, the “Privacy Regime”). The Privacy Regime (1) establishes the necessary preconditions for the EHR data market; (2) funnels EHR data towards a few large firms; and (3) prevents others, including academic scientists, from acquiring data in similarly large quantities.

The Privacy Regime has radically changed medical research regulation. Traditional clinical trials and retrospective studies are governed by the familiar safeguards of medical ethics including IRB review, peer review, and publication. But under the Privacy Regime, private-sector EHR-based studies are not subject to any ethical review. This result subverts the fundamental principles of medical ethics and inhibits socially valuable public-sector research. This Note proposes reforming the Privacy Regime to subject all medical research to ethical review and to incentivize private firms to share EHR data with academic researchers.

I swear by Apollo the physician . . . and all the gods and goddesses as my witnesses, that, according to my ability and judgement, I will keep this Oath and this contract: . . . Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.[1]

[1] The Hippocratic Oath, NIH, https://www.nlm.nih.gov/hmd/greek/greek_oath.html [https://perma.cc/MP7X-R5LU] (last visited Nov. 3, 2019).

Introduction

Thirty years ago, whenever a cancer patient permitted their doctor to physically examine them or peer inside their body with an x-ray, the resulting images, measurements, and notes would remain in the patient’s paper medical record.[2] During a similar examination today, doctors and nurses record this information in the patient’s electronic health record (EHR),[3] generating data that can immediately be analyzed and sold by companies unfamiliar to most patients.[4] In contrast to paper records, EHRs are readily accessible not only to care providers, but also to medical insurance companies, EHR vendors, and other firms.[5] Patients may not elect to use paper records instead.[6] Over the past decade, the sale of privately conducted research using “de-identified” EHR data has become a multibillion-dollar industry, operating without any ethical or scientific oversight.[7] Meanwhile, efforts at harnessing this data for academic research have floundered, despite its lifesaving potential.[8] This failure has only grown more troubling during recent months given the possibility of using EHR data to help scientists understand and contain viral outbreaks.[9]

[2] See infra section I.A.1 (noting that paper medical records were the most common form of record until 2009).

[3] EHRs are “digital version[s] of . . . patient[s’] paper chart[s].” What Is an Electronic Health Record (EHR)?, Off. of the Nat’l Coordinator for Health Info. Tech., https://www.healthit.gov/faq/what-electronic-health-record-ehr [https://perma.cc/8S78-HCRD] (last updated Sept. 10, 2019). A patient’s physicians and nurses reference their EHR as they would paper records throughout the provision of medical care. See id.; see also infra section I.A.1 (describing the EHR in detail).

[4] See infra section I.A.2 (describing the private market for EHR data and EHR-based research).

[5] See infra section I.A.2. EHR vendors develop and sell EHR platforms to healthcare providers. How Do I Select a Vendor?, Off. of the Nat’l Coordinator for Health Info. Tech., https://www.healthit.gov/faq/how-do-i-select-vendor [https://perma.cc/Q9YH-54FP] (last updated Oct. 17, 2019). EHR vendors and insurance companies can access EHR data thanks to the HIPAA Privacy Rule. See infra notes 56–62 and accompanying text.

[6] See infra notes 63–64, 78–81 and accompanying text (noting the approximately ninety percent EHR penetration rate and the absence of regulations governing the use of de-identified EHR data). In contrast, patients may give or withhold their consent for many uses of their identifiable EHR data. See, e.g., 45 C.F.R. §§ 164.508–510, 164.522 (2019).

[7] See infra section I.A.2. De-identified data are EHR data that have been stripped of identifying information such as patient names, addresses, and social security numbers. See infra note 63 and accompanying text. De-identified EHR data are especially valuable because they permit private companies to analyze patient-derived biomedical information without any of the expensive ethical strictures applicable to traditional clinical studies and research using identifiable patient data. See infra notes 112–121 and accompanying text.

[8] See infra notes 185, 188 and accompanying text.

[9] See Hongzhang Zheng, William H. Woodall, Abigail L. Carlson & Sylvain DeLisle, Can Long-Term Historical Data from Electronic Medical Records Improve Surveillance for Epidemics of Acute Respiratory Infections? A Systematic Evaluation, PLoS One, Jan. 2018, at 2, 10, 11 (discussing how EHR databases could help governments identify and respond more swiftly to novel viruses, including coronaviruses).

This Note proceeds in three parts. Part I summarizes EHRs’ key features, the EHR data market, and the core provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[10] and the Health Information Technology for Economic and Clinical Health Act (HITECH)[11]—laws referred to collectively in this Note as the “Privacy Regime.”[12] Part II then argues that the Privacy Regime created the EHR data market and is harmful because it not only fails to make the vast majority of EHR data available for academic research, but also permits for-profit research without any scientific or ethical scrutiny. Finally, Part III proposes requiring BigMedTech firms[13] to regularly report on their data collection practices, submit their research to independent ethical review, and make data available for academic research. In essence, Congress should offer these firms a bargain: In exchange for continued permission to monetize de-identified EHR data, they must play by the rules of medical research ethics and share the data’s benefits with society at large.

[10] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered titles of the U.S.C.).

[11] Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, 123 Stat. 226 (2009) (codified in scattered sections of 42 U.S.C.).

[12] This Note refers to this system as the “Privacy Regime” because these laws regulate medical data by protecting patient privacy instead of by regulating data flows for secondary uses—that is, how data are used after their use for the provision of care. See infra sections I.B–II.A.

[13] For the sake of convenience, this Note refers collectively to insurance companies, EHR vendors, and other firms engaged in the collection and sale of EHR data as “BigMedTech.” See infra section I.A.2 for a more detailed account of the EHR data market’s key participants.

This Note contributes to the medical data regulation literature by causally linking private EHR-based research to an existing regulatory regime. Hopefully, noting that the Privacy Regime creates two tracks for EHR-based research (one with and another without ethical guidelines) will add urgency to widespread calls for regulatory reform.[14] Finally, this analysis should serve as a warning to regulators and legislatures around the country contemplating increased privacy protections. Individual privacy must be defended, but it should not come at the cost of a wholesale transfer of valuable and powerful information to an unaccountable private sector.

[14] See infra note 190 and accompanying text.