What Does a Five-Year-Old Know that Our Privacy Laws Don’t?
I have three children: twins Rachel and Abby, both age 16 and Jacob, age 14. While in my second year at Eli Lilly and Company nearly a decade ago, my wife, Melisa, had a medical procedure. Jake and I drove Melisa to the doctor’s office for the colonoscopy (although HIPAA does not apply, rules of matrimonial harmony do, so I have received a verbal consent for this disclosure).
When Melisa had safely exited the car, Jake began the interrogation: Is mama getting a shot? No. Then why is she going to the doctor? To get a picture of her tummy. The outside? (Pause, and fatal decision to be honest.) No, the inside. How? (Longer pause.) A camera. How do they get it inside? (Faint awareness of a prior bad decision, but plowing ahead.) It’s a tiny camera and it goes into her bottom.
Fast forward to picking up mama and the girls. As they entered the sliding door of the van, Jake unbuckled his car seat (when did he learn that skill and why have I been jumping out and racing to unbuckle him at every destination all day??) and jumped down, he said, “guess what? Mama had a camera put up her bottom!” Then he added the fatal blow: “BUT DON’T TELL ANYONE!”
At that moment, Melisa, herself an Indiana University Law graduate, looked at me from the front passenger seat and said to me, the CPO of a major multi-national corporation, “Well, at least someone knows something about privacy.”
And that’s the point, isn’t it? Even a five year old has the basic wisdom to understand the idea of human dignity and those things that should be held privately. The concept of privacy is intuitive. It is pure.
I am a privacy advocate, but privacy laws and regulations are not intuitive. In the data privacy space, we adults have royally screwed this up. We’ve taken a basically intuitive and practical principle and turned it into a labyrinth of thousands of national and local laws, regulations, rulings and opinions. We’ve turned the clear into muddy, the pure into politics.
And despite my story, in healthcare—an area in which I’ve spent my entire career—it isn’t funny. Not even remotely. People are suffering and people are dying.
We restrict health data flows, not from fear of human indignity or harm, but because the regulations say we need a piece of paper with specific words signed by someone who can’t possibly hope to understand the complexities of data analytics. And people continue to suffer and die.
That’s not overly dramatic. It’s a fact.
The National Institute of Health has published data on deaths due to information error. Errors that could be erased with better sharing of information that we’ve had in our possession for as long as records have been kept. And we could share it with technology that’s been available for 20 years. The numbers are staggering: 100,000 deaths a year from healthcare errors.
Of course, privacy regulations are not the sole cause of the reluctance to share data – probably not even the primary reason data is not shared more widely. But there. See. That’s the trap.
We’ve laid our wisdom at the doorstep and instead of saying, “how can we prevent 100,000 deaths a year,” we say, “not our fault, we have to protect privacy of patients and this really doesn’t have a negative impact.” But the regulations aren’t designed to protect privacy, they’re designed to restrict data flows so that privacy can’t be assailed. They’re not the same thing.
If someone robs an ATM, you don’t restrict the money flow to stop it. You construct measures to catch the bad guys and prosecute them.
But in health data, when bad guys steal data, we construct massive regulations designed to constrict data flow to a small enough trickle so we can protect a regulatory definition of privacy – not the pure intuitive concept of privacy. And by abdicating our intuition, we require consent from people who don’t understand what they’re consenting to. We force “covered entities” to spend billions of dollars to put in place privacy policies that no one reads.
We’ve lost our way. Our wisdom has given way to regulation.
I think it’s time our profession steps back into the ring and makes a real difference in the lives of patients. Either you believe in the vision of trying to make people better or you don’t. If you believe in that vision, then we need to find a way to enable it and not sacrifice our privacy wisdom for the next round of data stultifying regulations. We understand what matters intuitively.
First, secure the data. Everywhere, not just in magic entities that fit some contrived notion of regulatory jurisdiction gerrymandering. Everywhere by everyone. Then we need to undertake the very difficult task of figuring out what data use is good and appropriate and worthy and what uses are not. Then we can figure out how to inform people. Not through ridiculous consent processes that no one understands but through real education and outreach.
It’s a siren call for our profession. It is the difference between being a traffic cop in your company and a visionary leader.
About the Author
Stan Crosley is director of the Indiana University Center for Law, Ethics and Applied Research (CLEAR) in Health Information, counsel to Drinker Biddle & Reath as well as a principal in Crosley Law Offices, LLC. He is the former chief privacy officer for Eli Lilly Company, where he initiated Lilly’s global privacy program in 1998. The program received the 2007 Innovation Award from the IAPP. Crosley also co-founded and served as chair of the International Pharmaceutical Privacy Consortium and was a member of the IOM Medical Research and Privacy Committee. He serves on the boards of the Indiana Health Informatics Technology, Inc., the IAPP and The Privacy Projects. Crosley is a member of the Brookings Institute’s Active Surveillance Implementation Council, which is providing guidance to the U.S. Food and Drug Administration (FDA) on issues surrounding medical product surveillance and the FDA’s Sentinel project. He is a member of the board of Shepherd Community Center, dedicated to breaking the cycle of poverty on Indianapolis’s east side, and is active in his church and community. You can find him on Twitter @crozlaw