We Have an Absolute Right to Health Privacy, But We Must Fight for It
With Jennifer Kimball Watson.
The Second International Patient Privacy Summit took place in Washington, D.C. recently. Dozens of leading experts gathered from across the United States to discuss how electronic health records can be protected from the numerous government agencies and private companies that want to collect, mine, and market them.
(If you don’t yet have an electronic health record, you soon will, since Washington is spending 29 billion dollars to not only create them, but to store them on federally funded Health Information Exchanges.)
Our part in this conference was to bring Catholic Church teaching to bear on the question of who effectively owns these health records. Do we have a natural law right to these records which are, after all, collections of intimate information about our very selves? Do we own, in any real sense, our own genome? Can we insist on giving (or withholding) permission for any proposed experimentation using our records?
Because the technology is advancing at the speed of light, while Church teaching moves at a much slower pace, Rome has as yet given no definitive answers to these exact questions.
Of course, Catholic bioethicists have consistently maintained that doctors must respect the privacy and confidentiality of their patients. But how far do these principles extend beyond the human person per se to encompass personal data? Data itself, it may be argued, is not a human subject and therefore has no moral standing. At the same time, however, it is becoming ever easier to identify individuals from ever fewer data points, so that patient privacy and confidentiality may be compromised by even very limited data sharing.
Medical data is far more intimately associated with the human person than mere personal property, such as money or clothing, or personal identifiers, such as addresses and phone numbers. In fact, a complete medical history going back to birth, complete with blood tests and brain scans, comes close to being a blueprint of a person’s corporal, emotional, and psychosomatic well-being.
We believe that we can parse out the position that the Church is likely to take on this emerging issue of medical record privacy from a number of recent Vatican documents.
The 1995 Charter for Healthcare Workers, issued by the Pontifical Council for Pastoral Assistance to Healthcare Workers, offers some insight: “Health care workers must above all else be aware that each person is a unity of body and soul, and realize that for this reason the person himself in his practical reality becomes achieved through the body.”
What is “achieved through the body” are intimate expressions of the person, not merely actions by the person. For this reason a patient who is a possible subject of medical research must be, according to the above Charter, “… informed about the experimentation, its purpose and possible risks, so that he can give or refuse his consent with full knowledge and freedom. In fact, the doctor has only that power and those rights which the patient himself gives him.”
But what rule applies when the medical experimentation does not involve the patient directly, but “only” the use of his medical records to validate an existing medical treatment, or test a new one? That is to say, what ethical norm is applicable to the confidentiality of patient information, once removed from proximity to the patient himself?
As we have noted, healthcare records pertain to much more than an individual’s privacy; they are more in the nature of a personal identity. The Pontifical Academy for Life’s document on Prospects for Xenotransplants deals with the ethical treatment of personal identity:
Certainly, the concept of “personal identity” is replete with implications and subtleties of meaning, given the different contributions of philosophy and science we can indicate personal identity as the relation of an individual’s unrepeatability and essential core to his being a person (ontological level) and feeling that he is a person (psychological level). These characteristics are expressed in the person’s historical dimension and, in particular, in his communicative structure, which is always mediated by his corporeality.
It must be affirmed, then, that personal identity constitutes a good of the person, an intrinsic quality of his very being, and thus a moral value upon which to base the right and duty to promote and defend the integrity of the personal identity of every individual.
And again, from the Charter:
In the research stage, the ethical norm requires that its aim be to “promote human well-being.” Any research contrary to the true good of the person is immoral. To invest energies and resources in it contradicts the human finality of science and its progress. In the experimental stage, that is, testing the findings of research on a person, the good of the person, protected by the ethical norm, demands respect for previous conditions which are essentially linked with consent and risk.
This link between consent and risk is more than evident to the medical community of today. The collection, banking, combing and analysis of electronic data is not a secure process. Records are handed on for billing, disease control, pharmaceutical research, marketing, etc., and data is even sold. Patient records have become a commodity, not owned by the patient.
The risks of such activities to the patient are well known. The 2009 Report of the Council on Ethical and Judicial Affairs of the American Medical Association claimed that medical identity theft is the “fastest growing form of identity theft,” citing that security breaches are “higher than ever before” due to “complex patterns of collecting and using patient information.”
Even without a break-in, your electronic health records are already an open book to millions of providers, employers, government agencies, insurance companies, billing firms, transcription services, pharmacy benefit managers, pharmaceutical companies, data miners, creditors and more. This is considered “routine” use, and is not covered by HIPAA (Health Insurance Portability and Accountability Act of 1996).
In fact, you probably did not know that in 2002 HHS actually amended the HIPAA “Privacy Rule” to eliminate the patient’s “right of consent” altogether.
There is only one solution: We, as individuals, must insist on the right to control our own e-health records. Not only must the “right of consent” be reinstituted by law, but wide-ranging privacy protections must be put in place as well. We must have the right not merely to “opt-out” of any requests for our health information, but to “opt-in” to data sharing only when we choose to do so.
The good news is that award-winning software technology that allows patients to do just this already exists. Singled out for excellence at the Patient Privacy Summit was a Dallas-based company called Jericho Systems, whose software puts the patient in charge, allowing him to specify what doctors, practices, and institutions are allowed access to his medical records. In fact, the technology extracts only the data that he wants to share, and withholds information about his medical history that he prefers to keep private.
In other words, the technology keeps all of the advantages of electronic medical records—timely sharing between specified providers and institutions in the event of a health crisis—while eliminating the danger to the patient of indiscriminate or inadvertent disclosure of private health information.
It could do other things as well, such as allow patients to act on their pro-life principles. People of pro-life sentiments, for instance, could refuse to allow their health records to be used in studies by pharmaceutical companies that manufacture and produce abortifacient drugs.
This is already being done in the U.K. In 2009, the English bishops objected to the use of women’s gynecological records (obtained without consent) to develop abortifacient contraceptives. The result of their successful intervention was the imposition of new and more stringent privacy standards.
Catholics in the U.S. likewise need to stand up and demand that our electronic health records be safe from prying eyes and immoral research.