Health Data Sharing & Privacy: Go Private to Stay that Way

The COVID-19 pandemic has accelerated the journey into digital health care. Video calling remote appointments were already becoming a standard in GP practices but the pandemic has catapulted the health system into a new age.

There is no digital health without sacrificing a part of your privacy

As the healthcare landscape shifts and changes to bring digital healthcare along with it, patients and clinics will find that there is no digital health without sacrificing a part of your privacy. Traditionally, healthcare institutions and organisations protected patient data. Physical records and digital records were secured and only accessible to those with permission. Now that healthcare is fully digitising, can these same institutions and organisations guarantee the same level of security?

What you may not know is that medical information is one of the most valuable items one can buy on the black market. Often bought by counterfeiters, medical information can be used to file false insurance claims and purchase medical equipment illegally. According to the 2019 Trustwave Global Security Report, Healthcare data is valued at up to $250 per record on the black market. As records switch to digital and security falters in catching up, there has been an increase in compromised healthcare records. Over 25 million potential patient record breaches were registered in the first half of 2019 alone.

Recently, NHS Digital announced a new data-sharing requirement for GP practices. The new requirement tells GP practices to centralise all nationwide medical records via NHS Digital. The intention is to improve the connection and handover of care between different clinics, practices and hospitals. With improved information-sharing, the NHS hopes for improved patient care. A debate has started around privacy concerns relating to how your data will be used for research purposes or shared with private providers to the NHS.

When you are examined by an NHS provider, your data is added to the national database. This aids efficiency in sharing data with other clinics but poses privacy and confidentiality issues for many patients unaware of the fact. When you are examined by a private GP practice, such as Harley Street Health Centre, your data is not shared on the national database. Instead, the patient is in total control of their health information and is informed of every data-sharing decision before it can even happen. The control one has with their own healthcare choices and data is far greater with private services like Harley Street Health Centre.

How Private clinics have responded to data sharing & privacy

patient privacy

Private clinics will not be taking part in data sharing with NHS digital by default

Private clinics will not be taking part in data sharing with NHS Digital unless the patient explicitly tells the clinic in writing that it is something they would like to do. In this instance, the private clinic will share your medical records with your GP, who will then share your information with NHS Digital.

Harley Health Centre is a private GP clinic I spoke to. Harley Street Health Centre’s position is that patients have not been given enough time to consider their options regarding the data-sharing requirement. As a result, they have decided to not participate in the programme unless directly asked to by the patient. The Centre states that they fully support information sharing between organisations for the purpose of effective patient care but are adamant about patient confidentiality and permission above anything else.

How politicians and government will respond

Broken promises

can there be guarantee the data will not be sold to companies for profit?

When Mark Zuckerberg was yanked into the capital to face Senators during the Facebook Cambridge Analytica scandal, it became abundantly clear that some politicians do not understand digital operations and how they generate revenue.

The political landscape has yet to educate itself on modern platforms, technologies and data. This does not bode well as our healthcare systems go digital, these same issues and debates will open around the sharing of medical data. Senators and politicians must have a mandate when that watershed moment rolls around because, unless Facebook’s scandal, a medical data breach could put human lives at serious risk.

Whilst the aforementioned hearing is a worrying case study of a government’s handling of a data breach, we can look to other examples for clarity. In Iceland, a private genetic sequencing company called DeCode Genetics, found that they could identify all of the county’s inhabitants who are at risk of breast cancer.

They could do this by locating a defective inherited gene in genetic data sequenced from the Icelandic population during a previous study. However, they could also identify some people who didn’t take part in or knew about the research because of shared data. Iceland’s regulators decided that neither the government nor the private company should inform the individuals of such risks because they did not have prior consent to access their genetic data.

Other countries such as England, Saudi Arabia, Estonia and India are trying to fast-track the adoption of human genome sequencing. This process allows patients to learn about the level of risk they have for certain ailments and will allow them to tailor their diet and lifestyle. However, such measures raise ethical and legal questions. How is the sequenced data going to be stored? And can there be a guarantee the data will not be sold to companies for profit?

Estonia secured their genetic data with blockchain technology. As everything is recorded on the blockchain, patients and authorities get to know who looked up their data. If someone is found to do so without proper authorisation they can get fined or fired. This measure builds trust between average citizens and healthcare professionals.

The situation in Iceland will become a recurring one as sensitive medical information becomes shareable between a whole host of clinics and services. Whilst American senators have yet to wrap their heads around online data and the permissions surrounding them, Iceland has shown us how privacy can still be made a priority.

What have private tech companies done?

Better safe than sorry

it raises the question of how seriously do companies take the issue of data security

The digitisation of healthcare is not only record-based. Individuals are now supplying health information by the second with wearable tech such as smartwatches. These devices are juicy targets for third-party hackers. Garmin, a wearable fitness company, was targeted by hackers in 2020. User data was threatened and the company paid $10 million to the hackers to free the system. This instant was made public but there have most definitely been other cases in the shadows.

These are major tech companies with a wealth of funding behind them and they are still liable to cyberattacks. Not only does this not bode well for the security of patient data by smaller organisations than say Garmin, but it also raises the question of how seriously companies take the issue of data security. Do they deem it harmless and would rather foot the ransom money than the maintenance cost? This is where the onus must be put back on the consumer first and foremost.

How the patient can take back control

Private data

a lot of people share their medical and health data willingly but aren’t so aware of what’s done with said information

A peculiar case with medical records and authorities is the seemingly difficult process of obtaining and viewing one’s own medical information. Epic, the largest electronic health record (EHR) company in the US, fought back against the federal government’s effort to enable easier access to your own electronic health data. Epic’s CEO disapproved of the proposed rules and even tried to lobby hospital administrators to their side. Epic’s stance is not one unique to them as different EHR systems have shown patterns of information blocking, limiting information and in some cases giving out blatant misinformation regarding record retrieval.

By giving patients control over their digital health information, you move the burden and decision of data sharing onto the patient. They can get second opinions more easily, switch providers if they want and down the data each individual institution has of them. This way, patients stay more informed and are in control of every data-sharing decision. Unfortunately, for the patient to regain control, major players such as different HER systems have to allow them to do so.

Some examples of this include Apple’s Health app allowing its users to view all their health data and delete the data permanently should they want to. The Hugo Health platform allows a patient to view all their medical data and only shared data with their explicit permission. With the help of legislation, access to data can be put squarely on the patient so they can make an informed personal decision.

The pandemic and technological advances have led to big, big questions about data privacy and sharing. In truth, a lot of people share their medical and health data willingly but aren’t so aware of what’s done with said information. The hope is that with governments, private clinics, companies and patients working together, the same level of confidentiality can remain. If we can learn from Estonia and Iceland in their handling of patient data, we can ensure that privacy is still king.