Measuring Health Privacy – Part II

Promises and Perils of Emerging Health Innovations Blog Symposium

We are pleased to present this symposium featuring commentary from participants in the Center for Health Policy and Law’s annual conference, Promises and Perils of Emerging Health Innovations, held on April 11-12, 2019 at Northeastern University School of Law. As a note, additional detailed analyses of issues discussed during the conference will be published in the 2021 Winter Issue of the Northeastern University Law Review.

Throughout the two-day conference, speakers and attendees discussed how innovations, including artificial intelligence, robotics, mobile technology, gene therapies, pharmaceuticals, big data analytics, tele- and virtual health care delivery, and new models of delivery, such as accountable care organizations (ACOs), retail clinics, and medical-legal partnerships (MLPs), have entered and changed the healthcare market. More dramatic innovations and market disruptions are likely in the years to come. These new technologies and market disruptions offer immense promise to advance health care quality and efficiency, as well as improve provider and patient engagement. Success will depend, however, on careful consideration of potential perils and well-planned interventions to ensure new methods ultimately further, rather than diminish, the health of patients, especially those who are the most vulnerable.

In this two-part post for the Promises and Perils of Emerging Health Innovations blog symposium Ignacio Cofone engages in a discussion centered on the importance of addressing patients’ concerns when introducing new health technologies. While privacy risks may not always be avoided altogether, Cofone posits that privacy risks (and their potential costs) should be weighed against any and all health benefits innovative technology and treatments may have. To do so, Cofone introduces the concept of using health economics and a Quality-Adjusted Life Year (QALY) framework as a way to evaluate the weight and significance of the costs and benefits related to health technologies that may raise patient privacy concerns.

Measuring Health Privacy – Part II

by Ignacio N. Cofone

In Part I of this blog post, I argue that to adequately measure privacy concerns in e-health, we need to embed the cost of privacy in health states’ measurements. I propose a method to incorporate privacy concerns into a standard health impact evaluation, based on Quality-Adjusted Life Years (QALYs). Using the Visual Analogue Scale, Standard Gamble, and Time-Trade-Off methods, with minor alterations, yields a more complete measurement of any given health state, including the level of privacy invasion. Under this framework, the costs and benefits of treatment are explicitly measured, and treatments with a high amount of data collection and a higher probability of making sensitive data public are given a concrete penalty, which allows for a better comparison between potential medical interventions.

This method provides a better way to estimate privacy concerns and balance them with a treatments’ health benefits. Hence, it can guide health professionals and policymakers in incorporating privacy considerations and making better choices regarding e-health programs. Here, I explore why QALYs are particularly well suited to do this, as well as the policy and doctrinal consequences of this proposal.

Advantages of Incorporating Privacy in QALYs

Endless surveys and experiments have attempted to quantify privacy concerns. But it is difficult for people, both in surveys and in a laboratory, to allocate a monetary value to something as abstract as privacy.

There are several good reasons for using the QALYs method to capture privacy concerns instead. For one, health states are more easily comparable between each other than are privacy versus monetary benefits. Consequently, individuals can better grasp how much they value a privacy-invading technology when it is presented in a trade-off between different health states, as opposed to a trade-off between privacy and money.

Under the law, the QALYs method has been proposed as a useful technique that forensic experts can apply to help guide jury valuations on quality of life losses. Vaia Karapanou & Louis Visscher, Towards a Better Assessment of Pain and Suffering Damages, 1 J. Eur. Tort L. 48, 49 (2010). Quantifying damages for pain and suffering can be difficult, especially in jury trials, and QALYs  are helpful in providing a more objective way to compare different kinds of immaterial losses. Id. at 53.

The QALYs method is well-suited to quantify immaterial losses in fields where decision-makers need some measurement to take these losses into account—and like immaterial losses in torts, privacy in e-health treatments falls within these parameters. QALYs exist precisely to measure costs and benefits of any treatment when faced with aspects that are difficult to quantify. To ensure patients’ well-being, there is no reason to consider solely the monetary costs and benefits of each possible treatment. Similarly, in the face of growing concerns about e-health privacy, there is no reason to ignore this dimension of patients’ well-being.

With this suggested policy, the QALY values of treatments will better reflect patients’ privacy preferences. Imagine two potential treatments that are equal in terms of health benefits, but one of them involves the collection or dissemination of patient data among a network while the other does not. Current QALY calculations will mistakenly give the impression that both treatments are identically beneficial for patients. However, if patients prefer not to have their health data collected or distributed, the treatments will not be equally beneficial. The calculation should be different because the patient’s well-being may be different under each treatment.

Advancing Policy Discussions

Another advantage of this method is that it would allow for better estimations of privacy costs, thereby advancing the broader discussion surrounding privacy and e-health. So far, there is little indication of how important privacy really is to patients and how important it should be for healthcare professionals and policymakers, especially in the face of possible health gains. By including privacy concerns through the use of QALYs, they would be able to provide a concrete measure of the importance of privacy.

In failing to consider privacy concerns, health policies often result in significant amounts of wasted efforts and money. While policymakers may care about privacy, they have historically lacked a tool to estimate the weight to give to privacy concerns. Therefore, QALYs would not only benefit patients, but would also protect policies from potential failure after the government has already invested significant money and resources. Even if it turned out not to be an inaccurate proxy at predicting constituents’ privacy concerns, it could still show that privacy concerns were seriously considered, therefore eliminating the discussion’s dichotomy and providing a common ground for deliberation.

The expected outcome of this change is that e-health treatments involving patient surveillance would rank lower than in standard tests, accounting for the introduced privacy violations. It is uncertain, however, how much lower they would rank, and it will remain so until these evaluations are performed. Even when incorporating privacy elements, medical treatments would retain some, if not most, of their usefulness. Either way, such tests would push forward the discussion of health privacy. Such tests would also indicate if and how much we should take health privacy concerns into account.

Doctrinal Implications

Health data is on average riskier and more sensitive than other personal data, and special legal protection recognizes this increased importance and sensitivity. See Bonnie Kaplan, Patient Health Data Privacy, (Yale Univ. Inst. for Soc. and Policy Studies Working Paper No. 14-028, 2014). In the U.S., patients’ health data is protected by the Health Insurance Portability and Accountability Act (“HIPAA”). Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C.S. § 1320d-4 (1996). But HIPAA covers only the privacy and security of clinical data (not commercial data) that is managed by a healthcare organization.

The key aspect of health data’s special protection, when compared to other forms of data, revolves around the patient’s informed consent. See, e.g., Christine Nero Coughlin, E-Consent: Can Informed Consent Be Just a Click Away?, 50 Wake Forest L. Rev. 381 (2015); Melissa M. Goldstein, Health Information Technology and the Idea of Informed Consent, 38 J. L. Med. & Ethics 27 (2010); Bonnie Kaplan & Sergio Litewka, Ethical Challenges of Telemedicine and Telehealth, 17(4) Cambridge Q. Healthcare Ethics 401, 406-07 (2008). This is particularly true when transferring medical data to a third party. Timothy S. Jost, Readings In Comparative Health Law And Bioethics (Carolina Academic Press 2007). However, HIPAA ambiguously mandates informed consent “as appropriate.” HIPAA also allows for secondary use of information without consent when it is necessary for public interest activities such as public health and research.

The consent requirement ensures that patients are informed of all aspects of the technology, theoretically including privacy implications. However, it is impossible for healthcare providers to inform patients of a treatment’s privacy consequences if they ignore the consequences as healthcare providers. By making privacy costs salient to healthcare providers, this method enables them to better communicate medical treatments’ implications to patients. Therefore, this proposal would allow for more meaningful consent, pulling doctor-patient consent relations closer to HIPAA standards.

Additionally, the substantive interpretation of widespread fair information practice principles (“FIPPS”)—in particular, the collection limitation principle and the purpose specification principle, supports this proposal. The collection limitation principle suggests that information collection must be minimal for the purpose to which the collection takes place. Org. Econ. Co-operation and Dev., Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 55 (2013); Linda Koontz, Information Privacy in the Evolving Healthcare Environment 7-10 (2d ed. 2017). The purpose specification principle establishes that the collection of data must be relevant for its stated aim. Id. A policy that approves medical treatments without measuring all competing treatments’ impact on privacy most likely breaches these principles, as it is blind to data collection and processing. Currently, it is impossible to know whether a treatment is necessary or proportionate compared to competing, less privacy-invasive treatments. In the simplest case, where both treatments would achieve the same result, some accounting of the privacy implications of each would help a patient to choose one of them over the other. In more complex cases, where the more privacy-invasive treatment provides a better health benefit, this proposal would allow patients to compare the magnitude of these differences in accordance with FIPPS.

Conclusion

QALYs are particularly well-suited to estimate privacy concerns in e-health. QALYs were in fact developed to estimate aspects of medical treatments that cannot be quantified, such as pain and discomfort. QALYs that take privacy concerns into account would lead to more nuanced policy discussions about the possibility of incorporating different treatments. Moreover, the use of QALYs for privacy concerns would improve the meaningfulness of patient consent to treatments both in terms of HIPAA and FIPPS.

This is Part II of a two-part blog post. Many of these ideas are developed in more detail Ignacio Cofone, A Healthy Amount of Privacy: Quantifying Privacy Concerns in Medicine, 65 Cleveland State L. Rev. (2016). I thank the participants of the Northeastern University School of Law 2019 Annual Health Law Conference for their helpful comments and Malaya Powers for her excellent research assistance.

Bio: Ignacio Cofone is an assistant professor of law at McGill University’s Faculty of Law.

Handle: @IgnacioCofone