It has been an incredible DC Health Innovation Week. First @TheWalkingGallery, then a busy day on Wednesday with an incredibly vibrant HealthCa.mp/dc at the beautiful and inspirational Kaiser Permanente Center For Total Health (#kpcth). Yesterday (Thursday) saw me visiting The National Institutes of Health for the 2nd annual DataPalozza that was organized by Todd Park's team at the Department of Health and Human Services. Ahman Bhandari, Cristian Liu, Julie Eisenman and others put on an incredible event. The Nacher building was at the epicenter of Health Trending Topics on Twitter and the spirit of innovation was bubbling over for the entire day.
The day wrapped up with a discussion that included Aneesh Chopra and Tim O'Reilly and, as ever, it was Tim who left an indelible mark on my consciousness. His comments still have me thinking because they resonate with ideas I have been having about Health data privacy for some time.
Tim talked about the need to rethink Health Data Privacy. He pointed out that "All data is known or knowable via triangulation". He went on to say that we need to rethink legislation so that, rather than focusing on penalizing people for having health information, it focuses on applying penalties for inappropriate USE of health data.
While HIPAA was necessary to place some controls around Health Data use by the industry, the Act has been seized upon as the greatest excuse for stifling innovation. Yet in the title of the Act the "P" stands for Portability and not Privacy!
The most prophetic comment from Tim O'Reilly was that we have built a Maginot Line for Health Data. For those who are not History buffs, the Maginot Line was a defensive wall erected by the French after World War 1. The problem was that the Germans simply went around the wall. The point is that data can be triangulated in such a way that it is effectively impossible to anonymize data. The gaps can be filled in through data mining other sources.
Just as we have norms of social behavior, we need the same in the world of Health data. If we accept that we can't keep Health Data private, and indeed there are massive advantages to be gained by making it easier for an individual to share their data, then it is a fool's errand to police organizations and apply penalties when failures occur. This is a case of shutting the stable door after the horse has bolted.
No, we need to switch to applying severe penalties for inappropriate use and/or lax management of health data.
Looking at the HIPAA rules, I keep coming back to the fact that when we put the patient at the center, and in control of their data, much of the regulation and controls in the Act are set aside. While an organization has strict controls, once the data is in the hands of the patient they can decide whatever they want to do with it.
Putting the patient at the center in Health Care is the essential step in moving health care forward and really powering innovation. This is why I am a big proponent of the "Rainbow button Initiative" and the growing use of the Blue Button. The simple button metaphor will make it easier for patients to get hold of, and manage, their data. We want to expand the metaphor with the Green button to be able to anonymously donate our data to an organization, the White button to send our data to someone else (this is Jamie Haywood and PatientsLikeMe's reverse blue button) and a Red button to lock down our data.
The Green button concept was the subject of a great discussion at HealthCa.mp/dc. One idea that surfaced was that our Health Data should be classified as an organ and therefore covered by the Organ Donation process at the DMV. Imagine if we made it that easy to donate our lifelong health data to science when we pass on.