Skin in the game: a different approach to guaranteeing health data privacy

A popular branch of technology at the moment is AI, though the name is only half right. It's certainly artificial, but there's not much that's intelligent about it. Automated pattern recognition is a more accurate term because AI systems are getting very good at recognising patterns, but they can't do much else.

Still, pattern recognition is useful. For example, you can drive cars with it. Uber, Tesla and Google are dead keen on building a self-driving future in which our roads will be safer and pleasantly free of congestion. We'll also have more time to look at our devices.

Unfortunately, self-driving cars have already been involved in accidents, some fatal. It's too early to tell whether their accident rate is higher or lower than that of human-driven cars, but if the experience from aviation is applicable, we can expect an initial increase in adverse events before the technology becomes safer.

The tech companies can blog all they like about the positive statistics but, people being human, they aren't that reassured. Apparently, we think there's a fair chance Herbie might turn into Christine. We can tolerate drunks and speeders killing people every day, but the thought of death by car robot is too dystopian.

One thing companies could do to alleviate fears is to take a different approach to testing. Uber was testing on public roads without any announcement about what it was doing, which is not just rude but also puts all the risk on people who know nothing about the risk they're taking.

What if Uber, Tesla and Google were only allowed to test self-driving cars in areas where their children go to school? Nothing would focus the mind more sharply. It's not hard to imagine a change in approach.

Another technology that's being worked on is using personal health data for purposes other than direct care. Like self-driving cars, this could make our future better. The expectation is of safer, more effective treatments, ill health identified more quickly, and more effective ways to prevent its onset. Doing this well depends on people with different types of expertise working together, clinical and statistical most importantly, but also informatics and computer science. Good practitioners will bring with them wisdom and a dollop of philosophy, plus a deep connection to community.

There is probably little about this technology that is hazardous to life, though misinterpretation is an ever-present danger and could cause harm. Instead, the biggest concerns are around privacy, consent and trust. Most people are more than happy for their data to be used for the greater good, but only on condition that their participation is respected and not exploited. As with all technology, great attention must be paid to the non-technological dimension before there is a chance of being successful.

The government is currently hoping to be successful in this type of project. The Department of Health recently published a framework for the secondary use of My Health Record data, which will be the mechanism for making data from the My Health Record accessible to researchers. The data could be de-identified or identified, the latter only under certain conditions, with ethics approval and patient consent.

While the framework outlines guiding principles for how this will all happen, it doesn't have much detail on the processes. DoH is working on the detail now, and it will have much to think about. There are many intricate tasks involved in transporting data from a very locked-down system to a third party.

To alleviate fears about any of these steps going wrong, the government will no doubt develop compliance, regulation, monitoring and auditing mechanisms. Plenty of money will be spent (mostly on consultants) and piles of documentation written.

But will all of this guarantee much against slippage? It is often far too easy for those involved to find ways to shift accountability somewhere else if something goes wrong, with the resulting finger-pointing resembling the Mexican stand-off scene in Reservoir Dogs.

Consultants can wash their hands of it once the contract has ended. If it's easy for party A to say it was party B's fault, they will. As with self-driving cars though, perhaps there is a way to drastically reduce the expenditure and guarantee focus.

The My Health Record can only work if other systems can unambiguously find the correct record for an individual. This is made possible by the Healthcare Identifiers Service. Every Australian has an identifier called an Individual Healthcare Identifier (IHI). In theory (and hopefully in practice), one IHI equals one My Health Record.

One key step of the secondary use process will be to develop the criteria for determining the subset of the My Health Record data to transmit to the researcher. What if the IHIs of everyone involved in secondary use were saved into a list, and this step used the list to force those records to also be included, whether they met the criteria or not?

Everyone means everyone. For life. The members of the data governance board. The department director who signed off on the process. The politicians who voted for it (should it need legislative change). The database administrators of My Health Record. The members of the ethics committee that approved the research. The managers and staff in the data custodian teams at the Australian Institute of Health and Welfare. None of them would be allowed to opt out, and any who already had would have to opt back in.
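As a sketch only: the forced-inclusion step could be as simple as taking the union of the records that match the research criteria and the records on the stakeholder list. Everything here is hypothetical (the IHIs, field names and `meets_criteria` function are invented, not any actual My Health Record process):

```python
# Hypothetical forced-inclusion step: the extract is the union of records
# matching the research criteria and records whose IHI is on the
# stakeholder list, regardless of whether they meet the criteria.

STAKEHOLDER_IHIS = {"8003608166690503", "8003608833357361"}  # invented IHIs

def select_records(records, meets_criteria):
    """Return the records to transmit: criteria matches plus all stakeholders."""
    return [
        r for r in records
        if meets_criteria(r) or r["ihi"] in STAKEHOLDER_IHIS
    ]
```

The point of the design is that no later filtering step can quietly drop the stakeholders: their records travel through exactly the same pipeline as everyone else's.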

Whether the data is identified or de-identified, most of these people would care enough to make a difference and ensure the public’s privacy is protected. After all, they'd also be protecting their own. There is plenty of evidence that enforcement and structures are far less effective and much more costly than simple mechanisms of trust and accountability. Will someone take a brave step out of the top-down, command-and-control paradigm and try this out?

We've seen some pretty poor behaviour lately. HealthEngine apparently doesn't understand the difference between "express consent" and "informed consent". Other government initiatives haven't gone as well as ministers would like. The traditional methods for avoiding failure don't seem to be working. Perhaps it's time we tried a different approach.

Brendon Wickham is a health informatician who works in primary care.




# Peter Gee 2018-07-09 12:13
I think the potential for secondary use of this technology to benefit our society is often understated.
In 2013 we started the RedUSe project. We provided an intervention to 150 aged care facilities across the country to help reduce the use of sedative medicines.
We provided an audit of sedative medicines used by facilities at three time points.
Getting this data was a major technical challenge. There were six vendors to get the data from, and no standards were used by any vendors. Consequently, the cost of getting and cleaning this data was substantial. Without significant funding we would not have been able to do this project.
We found that many ‘high sedative use’ homes initially thought their rate of use was normal and warranted. Without any other information, they were happy to think it was ‘normal’. Giving these homes data showing how other homes used fewer sedatives helped change attitudes to sedative medicines, which helped make our intervention successful. My points are that it is really expensive to do research, that having and disseminating information is useful, and that you don’t know what you don’t know.

While there are obvious privacy concerns, researchers deal with these issues under oversight every day. Indeed, we are not able to publish without having ethical oversight.

As for IHIs, if you are doing ‘minimal impact’ research without individual consent, no researcher would actually need the IHI. An obfuscated identifier would do just as well to uniquely identify an individual, provider or organisation, and such an identifier would be technically trivial to implement for secondary data use.
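One common way to build such an obfuscated identifier is a keyed hash: the same IHI always maps to the same token, so records can still be linked, but the IHI cannot be recovered without a secret held by the data custodian. A minimal sketch, assuming a custodian-held key (the key and names are illustrative, not any actual HI Service mechanism):

```python
import hashlib
import hmac

# Hypothetical secret held only by the data custodian, never released
# to researchers. Rotating it would break linkage across releases.
SECRET_KEY = b"custodian-only-secret"

def obfuscate(ihi: str) -> str:
    """Keyed hash of an IHI: stable for linkage within a release,
    but not reversible without the custodian's key."""
    return hmac.new(SECRET_KEY, ihi.encode(), hashlib.sha256).hexdigest()
```

A plain unkeyed hash would not be enough here, since the IHI space is small enough to enumerate; the secret key is what prevents a researcher from hashing candidate IHIs and matching them against the tokens.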
In many cases researchers don’t even need atomic data. Researchers are interested in results. What if researchers could simply query the dataset and get aggregated results? Ask a repository a question and get a response, with no access to the underlying dataset at all.
It would have been very useful in our RedUSe project to ask the question: What is the percentage of people using sedative medicines in aged care homes across the country?
Having access to such a service would be an invaluable tool for researchers to hone their research questions, target areas for research interventions, or to help generalise the applicability of their findings.
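One way to picture such a query service: the repository computes the answer internally and releases only the aggregate, suppressing small counts to limit re-identification risk. A minimal sketch under invented field names (real services would add far more disclosure control than this):

```python
def percent_on_sedatives(residents, min_cell=5):
    """Answer an aggregate question without releasing row-level data.
    Counts below min_cell are suppressed (returned as None)."""
    if not residents:
        return None
    users = sum(1 for r in residents if r["on_sedative"])
    if 0 < users < min_cell:
        return None  # small cell: too risky to release
    return round(100 * users / len(residents), 1)
```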
Once secondary access to the health record is available to researchers who have undertaken appropriate training, obtained appropriate ethical approvals, and followed the guidance, the ability to *cheaply* answer questions about health in our country will herald a new era of research opportunities.

Taking away some people’s right to choose whether their data is included in secondary data collection is the wrong approach. Personal control is the cornerstone of the eHealth record. To undermine this tenet is to undermine the trust the system is trying to engender.
The eHealth record is not a game to have skin in. It is about using technology to make the people of our nation healthier and enjoy a better quality of life at a more affordable price.

Ling T, Gee P, Westbury J, Bindoff I, Peterson G. An Internet-Based Method for Extracting Nursing Home Resident Sedative Medication Data From Pharmacy Packing Systems: Descriptive Evaluation. J Med Internet Res 2017;19(8):e283.
# Brendon Wickham 2018-07-12 14:50
Peter, I don't think that the potential of health data is ever understated. It's been a focus and priority of many minds for a number of decades. Research is one part of it. But so is re-use of data to better coordinate and automate direct care.
The problems you raise are well known and have nothing to do with making data available for research, and everything to do with design principles. If vendors had planned for their products to have APIs from the very beginning, we'd be in a better situation. They didn't (some are starting to now), so standardisation does not emerge and integration is almost impossible.
My point about the IHI was to guarantee a way to identify the records that must be transferred. It was not that IHIs are used in research, nor that the individuals' records are used in research. Your perspective is a researcher's, yet there are many stakeholders and processes involved in getting the data from the source to the researcher. And of course the most important stakeholder is the patient themselves. It's their data. It came from them. Breach of trust, poor communication, lack of respect, coding errors: these have all already happened more than once, and their impact has been to set back research projects. Compliance and auditing are known to be less effective and more expensive. So, contrary to what you say, I think skin in the game is absolutely essential if we are going to realise the population benefits of using individuals' data sooner rather than later.


Copyright © 2018 Pulse+IT Magazine
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.