Secondary Health Data Use Fails to Account for Clinical Ethics

Secondary health data use by big tech companies fails to account for clinical ethics, a JAMA Network viewpoints article argued.

By Jill McKeon

Electronic health data functions primarily to enable the delivery of healthcare services, a viewpoint article published in JAMA Network argued. Sharing that data for research and public health are secondary functions.

But those secondary functions continue to expand as more tech companies, some of which may not have the patient’s best interests at heart, enter the healthcare market. When HIPAA was enacted more than 25 years ago, policymakers could not possibly predict the expanded use cases for health data and its growing applications in the business world.

“The largest technology companies in the world today are aggregating massive stores of medical data to advance business priorities. The risk is that secondary use can harm or exploit individuals,” the article stated.

For example, Apple, Google, and Fitbit collect protected health information via wearable devices and health apps. But privacy standards for tech companies are naturally different than those in the healthcare sector.

Covered entities also play a huge part in aggregating and disseminating deidentified data to sell to these tech companies, but business decisions can sometimes conflict with ethical principles. Clinical ethics should play a significant role in partnerships between HIPAA-covered entities and businesses collecting data for secondary use. But the article argued that HIPAA’s shortsightedness dismisses key ethical considerations when it comes to sharing patient data.

“Patient legal protections, namely the Health Insurance Portability and Accountability Act (HIPAA), attempt to bridge bioethical principles with corporate actions,” the article continued.

“But HIPAA does not apply to all who use health care data. Furthermore, ethical concerns about secondary data use may persist despite HIPAA.”

The article identified the four moral tenets of clinical ethics: beneficence, justice, nonmaleficence, and respect for autonomy. Beneficence requires secondary data use to benefit patients or public health. Nonmaleficence implies that the secondary data use will not cause harm, and justice ensures that the benefits and burdens associated with secondary use are shared equally. Respect for autonomy makes sure that patients have some level of control over their health data.

The authors suggested that secondary data use would be far more equitable and less susceptible to patient exploitation if the organizations that use health data were guided by the same principles.

“Instead, most health care institutions are legally bound by HIPAA, which limitedly enforces these principles,” the article asserted.

The article supported this statement with three reasons why HIPAA fails to hold institutions to the standards set by clinical ethics:

  1. First, the scope of HIPAA is narrower than the scope of clinical ethics because HIPAA was designed primarily to limit disclosure of identified patient health information. 
  2. Second, HIPAA allows exchange of patient health information with data recipients that operate under a business associate agreement (written agreements that specify involved parties’ responsibilities related to patient health information), allowing recipients to access patient health information for any purpose in their contract. For instance, a hospital can share patient health information via a partnership with a third-party wellness program to facilitate patient participation in that program.
  3. Third, HIPAA does not regulate the sharing of anonymized data.
  4. Fourth, only the federal government, not individuals, can sue claiming a HIPAA violation.

The authors suggested that legislators should advocate for patients regarding data use, and healthcare organizations should prioritize ensuring patient trust as we move into a big data revolution. In addition, the article recommended that organizations invest in research funding to explore efficient technological approaches to protecting patient data.  

HIPAA’s limitations have been repeatedly underscored over the past few years, especially concerning big tech companies. It is important to understand where HIPAA falls short and to look for guidance from other regulations and regulatory agencies with a further reach, such as the Federal Trade Commission (FTC).

Ensuring patient data privacy across healthcare and business will require a collaborative effort by multiple stakeholders and governing bodies.

“Aggregated patient data are an important tool to advance human health. At the same time, the trust of individuals and the public must be maintained and advanced,” the article concluded.

“Health care can succeed only in the context of trusting relationships with patients. Health care cannot succeed as a transaction. To that end, clinicians and health care organizations must identify means to protect the best interests of all patients.”