Bioethics and Information Technology

This section features original work on the ethical, legal, policy, and
social aspects of the use of computing and information technology in
health, biomedical research, and the health professions. For submissions,
contact Kenneth Goodman at [email protected].

How Should Health Data Be Used?

Privacy, Secondary Use, and Big Data Sales

BONNIE KAPLAN

Abstract: Electronic health records, data sharing, big data, data mining, and secondary use
are enabling exciting opportunities for improving health and healthcare while also exacer-
bating privacy concerns. Two court cases about selling prescription data, the Sorrell case in
the U.S. and the Source case in the U.K., raise questions of what constitutes “privacy” and
“public interest”; they present an opportunity for ethical analysis of data privacy, com-
modifying data for sale and ownership, combining public and private data, data for research,
and transparency and consent. These interwoven issues involve discussion of big data ben-
efits and harms and touch on common dualities of the individual versus the aggregate or
the public interest, research (or, more broadly, innovation) versus privacy, individual versus
institutional power, identification versus identity and authentication, and virtual versus
real individuals and contextualized information. Transparency, flexibility, and accountability
are needed for assessing appropriate, judicious, and ethical data uses and users, as some
are more compatible with societal norms and values than others.

Keywords: confidentiality; health data privacy; health records; secondary use; big data;
data mining; pharmaceutical marketing; Sorrell v. IMS Health Inc.; R v. Department of Health,
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

Ex Parte Source Informatics Ltd.

Introduction United States, provide opportunities

Electronic health records, data sharing, for thinking through ethical issues
big data, and secondary use of health related to these developments. Each
data enable exciting opportunities case involved selling data for market-
for improving health and healthcare. ing prescription drugs, and in each case
They also contribute to new concerns the court decided in favor of selling the
over privacy, confidentiality, and data data. However, the cases were decided
protection. Two court cases, one in on different grounds, raising more gen-
the United Kingdom and one in the eral issues of secondary use of health

I am grateful for the thoughtful contributions to the panel I organized on the Sorrell case for the 2011
American Medical Informatics Association Annual Symposium and for comments on a very early draft
of some portions of this article by Paul DeMuro, JD, CPA, MBA, MBI, PhD, Broad and Cassel, Fort
Lauderdale, FL; Kenneth W Goodman, PhD, FACMI, University of Miami, Miami, FL; and Carolyn
Petersen, MS, MBI, Mayo Clinic, Rochester, MN. I also am grateful to privacy lawyer Joel S. Winston for
sharing drafts of his reporting with me, and to the editor for helpful suggestions.

Cambridge Quarterly of Healthcare Ethics (2016), 25, 312–329.

© Cambridge University Press 2016.
312 doi:10.1017/S0963180115000614
 Bioethics and Information Technology

data and the growth of health-related for data mining, research, and sale.
databases, data sharing, data aggrega- Throughout, I highlight potential ben-
tion, and biometric identification. efits and harms and argue that trans-
Significant health data protection, pol- parency, flexibility, and accountability
icy, and ethical considerations are inher- is needed. Ethical and policy analysis
ent in these cases. The cases call into should assess data uses and users, as
question just what constitutes “privacy” some are more compatible with societal
and “public interest,” and considerations norms and values than others.
for balancing them. They provide an Considering how health data should
opportunity to weigh privacy against the be used in light of these issues suggests
numerous beneficial uses of data: for policy opportunities concerning patient
individual patient care, public health, data and privacy protection. As the use
research, biosurveillance, and market- of electronic health records, electronic
ing. The cases prompt ethical questions medical devices, mobile and e-health
of commodifying medical information applications, and biometric, social and
and of harmonizing policy across juris- behavioral, and genomic data spreads,
dictional boundaries. They raise con- these considerations are becoming more
cerns of how health data can, and should, relevant worldwide.
be used. Their consequences may affect
biomedical informatics, patient and pro-
What’s Special about Health Data?—
vider privacy, and regulation in ways
International Principles
this article explores, both in the United
States and elsewhere. All countries recognize confidential-
How health data can, and should, ity as a patient’s right2 that is good for
be used is at the intersection of public individual patients and clinicians, and
health, research, care, privacy, and eth- for society as a whole.3 Intimacies are
ics. This article provides an ethical anal- revealed in the interest of good health-
ysis of these interwoven ethical issues care, so clinicians’ professional and
involving appropriate, judicious, and fiduciary duties include a duty of confi-
ethical secondary data use, reflecting dentiality. Therefore, health information
a more general discussion of big data is given special protection internation-
benefits and harms, and touching on ally, though specific ways of achieving
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

common dualities of the individual ver- it differ. Lifestyle choices, reproductive

sus the aggregate or the public interest, abilities, and stigmatizing conditions are
research (or, more broadly, outside the considered highly sensitive. But what
health field, innovation) versus privacy, is included in these categories differs
individual versus institutional power, with cultural background, from place
identification versus identity, identifi- to place, and from time to time. What is
cation versus authentication, and virtual considered very private, embarrassing,
versus real individuals and contextual- stigmatizing, or grounds for discrimi-
ized information.1 nation varies among individuals and
I start by discussing what makes health groups.4 Countries, likewise, vary in
data special, including international what personal information is treated as
consensus on the importance of the cli- needing restricted collection, use, and
nician’s duty of confidentiality and on disclosure.5,6 They also balance privacy
health data privacy or protection. Next and other considerations differently;
I summarize the court cases. Then I con- thus privacy protection is more lax in
sider who benefits from data disclosure some places than in others. In India,
and aggregation, and secondary use for example, the judiciary considers

313
 Bioethics and Information Technology

privacy on a case-by-case basis, as an The European Union takes a more

exception to the rule that permits gov- comprehensive general approach to
ernment interference in private life. privacy; Article 8 of the European
Unlike in Europe and the United States, Convention on Human Rights includes
public interest, welfare, and safety take the right to data protection. This right is
precedence over individual rights, lib- embodied in the 1995 Directive 95/46/
erty, and autonomy.7 EC on the Protection of Individuals with
Yet, as discussed subsequently, even Regard to the Processing of Personal
if individual clinicians scrupulously Data and on the Free Movement of
meet the professional obligation of Such Data.12 Member states implement
confidentiality, confidentiality can be directives differently, but the EU Data
compromised by legal requirements Protection Regulation establishes a sin-
to collect, document, and disseminate gle set of rules for data protection across
personal health information, especially the EU; the final texts are expected to
when maintained in computer data- be adopted by the European Parliament
bases that can be combined easily with at the beginning 2016 and the new
other sources of information about rules to become applicable two years
the person.8 What patients reveal for after.13,14
the purpose of healthcare may then be Despite their differences, both the
used in ways they never intended. United States and the EU construe pri-
Privacy practices have not caught up vacy ascontrol and protection of data
to these trends. rather than other conceptions of pri-
vacy.15 Both the United States and the EU
also make special note of health informa-
Fair Information Practices and
tion, and both rely on stripping data of
De-Identification
content presumed to identify the individ-
The same Fair Information Practices(FIPs) ual represented by the data. As Paul Ohm
underpin privacy policies in both the points out: “In addition to HIPAA and
European Union and the United States. the EU Data Protection Directive, almost
The European Union and the United every single privacy statute and regula-
States each protect personal data, includ- tion ever written in the U.S. and the EU
ing data concerning health, albeit embraces—implicitly or explicitly, perva-
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

differently. sively or only incidentally—the assump-

The United States approaches privacy tion that anonymization protects privacy,
by sector; separate laws address con- most often by extending safe harbors
fidentiality in distinct domains, such as from penalty to those who anonymize
finance and healthcare. Health data pri- their data.”16
vacy collected in the course of clinical As these safe harbors stipulate,
care is governed by the U.S. Health neither HIPAA nor the EU Data Pro-
Insurance Portability and Accountability tection Directive applies after data are
Act (HIPAA) of 1996, extended by the de-identified. However, relying on de-
HIPPA Privacy Rule in 2001 and again identification contributes to what is
in 2013 by changes mandated by the considered an inadequate and prob-
2009 Health Information Technology for lematic legal framework for data pro-
Economic and Clinical Health (HITECH) tection.17 Addressing concerns over
Act (part of the American Recovery de-identification “would require a sig-
and Reinvestment Act [ARRA] of 2009) nificant shift in approach towards data-
and the Genetic Information Non- protection across Europe.”18 Similar
Discrimination Act (GINA) of 2008.9,10,11 deficiencies plague the United States.19,20

314
 Bioethics and Information Technology

Privacy protection, then, depends patients.27 The WMA Declaration of

not merely on de-identification but Helsinki—Ethical Principles for Medical
on expectations, transparency, and Research Involving Human Subjects
how data are used. De-identification, (revised 2013) places a duty on physi-
or anonymization, presumes that it cians “to protect the life, health, dignity,
is possible to identify and enumerate integrity, right to self-determination,
the kinds of data that might contrib- privacy, and confidentiality of personal
ute to privacy risks and to specify information of research subjects . . . even
how to prevent harms,21 that such a though they have given consent.”28
list is static and sufficient in all con- Recognizing that this personal infor-
texts,22 and that there are no privacy mation, whether collected for research or
harms if the individual is not identi- clinical practice, increasingly is held in
fied, even though individuals may databases, in 2002 the WMA adopted
object to uses of their personal data the Declaration on Ethical Considerations
even if they themselves are anony- Regarding Health Databases: “Con-
mous.23 Furthermore, HIPAA permits fidentiality is at the heart of medical prac-
secondary uses of data for research, tice and is essential for maintaining trust
public health, law enforcement, judi- and integrity in the patient-physician
cial proceedings, and other “public relationship. Knowing that their privacy
interest and benefit activities,” with- will be respected gives patients the free-
out individual authorization, thereby dom to share sensitive personal informa-
assuming that “public interest” is clearly tion with their physician.”29
understood.24,25 All are questionable In this 2002 declaration, the WMA
assumptions. reaffirmed that violating this duty could
“inhibit patients from confiding infor-
mation for their own health care needs,
Duty of Confidentiality
exploit their vulnerability or inappro-
Health data privacy relates not only to priately borrow on the trust that patients
expectations about privacy in general invest in their physicians” while at the
but also to norms involving professional same time recognizing the value of
practice, privilege, autonomy, paternal- secondary health data use for quality
ism, and protected communication and assurance, risk management, and retro-
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

the duty of confidentiality, as well as to spective study.30

requirements for data collection, dis- Thus, a key reason for treating health
semination, and retention. data as requiring special protection is
Physicians and nurses have duties to maintain trust between clinician and
both to their individual patients and to patient in the interest of both social and
the health of their communities.26 At least public order as well as better care for
since the time of the Hippocratic Oath, each individual patient. In recognition
it is believed, societal norms and com- of this ethical duty, confidentiality is
mon law have recognized that clinicians’ seen worldwide as a health profes-
duty to patients includes maintaining sional’s legal duty, one that protects the
confidentiality, except where protecting professional from giving legal testi-
the public interest or other individuals mony, thereby serving the interests of
requires overriding it. The International patient and public by maintaining trust
Code of Ethics of the World Medical during medical encounters. Nowhere
Association (WMA) makes respecting can private data about a patient rightly
the right to confidentiality a duty inte- be passed to a third party without that
gral to a physicians’ responsibility to patient’s permission, except as required

315
 Bioethics and Information Technology

by law. French criminal law makes this knowledge. Patients benefit from hav-
universal spirit apparent by criminaliz- ing their record information available
ing a physician’s breach of confidential- from previous clinical visits, whether
ity even in court testimony, even if the or not those visits were with the same
patient would allow it.31 clinician or in the same facility, because
How people value and respond to clinicians can make better care deci-
concerns about health data privacy is sions in light of fuller understanding
affected by context and common expec- of their patients’ past clinical histo-
tations of privacy.32 Many recognize that ries. Patients also benefit from public
clinicians need highly personal infor- health surveillance and research that
mation in order to care for them, and, depends on combining health infor-
because of the long-standing history mation from individual patients to
of trust in professional confidentiality, improve public health and develop
such patients willingly share sensitive better treatments. Patients may bene-
information with those who treat them. fit from making identifiable informa-
As Deryck Beyleveld and Elise Histed tion concerning adverse drug events
eloquently point out: available to pharmaceutical compa-
nies so that those companies can fol-
Information that patients provide low up with patients and improve drug
for their treatment is about very safety, as Source Informatics argued
personal and sensitive areas of in the U.K. court case discussed sub-
their lives. Indeed, it relates to sequently, and as the International
their very existence, both physi- Pharmaceutical Privacy Consortium
cally and symbolically. As such,
argues more generally.34,35 Data aggre-
it is not information that they may
be presumed to be prepared to
gator IMS Health Canada (IMS Health,
disclose or have used freely. It is Inc., was a plaintiff in one of the court
their vulnerability, constituted by cases) unsurprisingly takes the position
pain and distress, or fears about that analyzing doctors’ prescribing hab-
their health and lives, that leads its contributes to patients becoming
them to disclose this information informed consumers.36
to health professionals. At the Yet patients can be harmed when
same time, people are apt to attach data about them are used to violate
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

great importance to intimate infor- privacy: to deny employment, credit,

mation about themselves and their housing, or insurance, and for identity
bodies, and this can be associated
theft and other unsavory purposes. Some
with mystical and religious beliefs,
which by their very nature can be
fear that patients who are insecure about
idiosyncratic.33 the confidentiality of prescription or
other health record information may
withhold information, refuse diagnos-
tic and genetic testing, or decline elec-
Patient Benefits and Harms
tronic prescriptions.37,38,39 People do
Individuals also may provide health change their behavior and withhold
information freely via health-related information in order to protect their
social networking, web postings, and health information privacy.40 Even before
searches; or because it is required legally, the widespread use of electronic health
as for prescriptions. Such information records, a 2000 Gallup poll indicated
could be consolidated and linked with that the vast majority of people in the
other data for beneficial or nefarious pur- United States opposed third-party access
poses, sometimes without individuals’ to medical data without a patient’s

316
 Bioethics and Information Technology

permission, and, furthermore, that 67 patient’s individual interest in proper

percent of those polled opposed the healthcare. Yet, removing identifying
release of data to medical researchers.41 information from patient records may
Similarly, the Pew Internet and American not alleviate concerns, especially in light
Life Project reported that, to protect pri- of increasing public awareness of pri-
vacy, according to a 1999 survey, nearly vacy violations surrounding big data
one in six patients withheld informa- and the ease with which data sets that
tion, provided inaccurate information, were meant to be kept apart now are
doctor-hopped, paid out of pocket combined and used for reidentifica-
instead of using insurance, or even tion.45,46,47,48,49 Further, without trans-
avoided care. Eighty-five percent feared parency, consent is meaningless.
that seeking health information on the
Internet would result in changes in
Two Court Cases
insurance coverage or otherwise reveal
their information.42 Two court cases provide occasion for
thinking about the ethical implications
of data sale and secondary use in light
Transparency and Consent
of international principles of health
As information resources become more data privacy and protection. Each case
ubiquitous and information sharing involves selling prescription data for
becomes more profitable, more thought pharmaceutical marketing. In both the
is needed concerning which data uses United States and the United Kingdom,
are acceptable and what control indi- data aggregators successfully challenged
viduals should have over data about restrictions on such data use and sale.
themselves. Privacy violations may com- The 2011 U.S. Supreme Court case
promise patient care, the information in Sorrell v. IMS Health Inc. et al.50 was
patients’ records, and patient-clinician decided on free speech grounds.
relationships. The principles of data Although the legalities involve unique
protection—transparency, legitimacy, features of U.S. constitutional law,
and proportionality—embodied in the a similar case in the U.K. in 2000, R v.
EU Data Protection Directive, therefore, Department of Health, Ex Parte Source
specify that the person from whom Informatics Ltd.,51 points to the interna-
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

data are obtained should be informed tional nature of the ethical issues.
of what will be done with this informa- That case was decided on the grounds
tion and to whom it will be disclosed. that selling anonymized (de-identified)
This allows the individual to consent data did not violate pharmacists’ duty
or object and to withdraw or correct the of confidentiality.
data. Also, according to the directive, The decision in each case runs coun-
the data should be kept only as long as ter to public expectations of health data
necessary for the specified purpose,43 confidentiality. The public is hardly
even though that could compromise later aware that aggregating and selling
retrospective research. prescription and other health data are
Patients’ privacy concerns are exac- an international enterprise. Thus, the
erbated when patients, and even clini- Sorrell and Source cases raise more
cians, have little idea of what becomes general global concerns of privacy
of their data, or just what is protected and data protection, on the one hand,
and what is not.44 Withholding infor- and appropriate use and secondary
mation from one’s clinician is neither in use of data for data mining, marketing,
the public interest nor beneficial to that research, public health, and healthcare,

317
 Bioethics and Information Technology

on the other. Elsewhere I address data their knowledge or permission. Even in

de-identification, prescription and other light of arguments that patients should
health data aggregation and sale, and be required as a condition of treatment
issues more specific to these two cases.52 to allow data about them to be used
This article explores other ethical issues for research—a requirement counter to
related to the cases—the benefits and professional norms to provide care—it
harms of data sale; the trade-offs among seems improper to require either
privacy, individual health, and public patients or clinicians to disclose data
health; and the need for transparency— they would otherwise choose to keep
so ethical dimensions of responsible and private so that others may financially
ethical health data collection and use can profit from them, whether or not the
be assessed. data are de-identified.
Secondary use and big data analyt-
ics also are affected by the costs of col-
Who Benefits?
lecting, storing, and organizing data,
Clinical data include data that patients as well as by the costs of meeting regu-
are required to provide to receive care. latory requirements. To reduce costs,
In both the Sorrell and Source cases, pre- health data processing is outsourced
scription data was aggregated and sold. from countries with stronger privacy
Patients, prescribers, and pharmacies protections to countries with weaker
are required by law to collect informa- ones, despite its sensitive nature and
tion related to prescribing. Data aggre- consequent privacy risks.53 Also to
gators perform a valuable service in reduce costs, U.S. marketing organiza-
collecting, cleaning, and combining these tions oppose opt-in consenting on the
and other data into useful resources, grounds that it would increase the
though the value does not accrue directly cost of doing business.54
to those who are the original source of But costs must be paid somehow. Both
the data. Data aggregators should be the Source and Sorrell cases were fought
compensated for the value added, but to protect the commercial value of health
the sources deserve some benefit as well. information. One way of recovering
Currently, they primarily bear costs, both costs is by selling these data. Though
financially and in privacy. some sources provide some data sets at
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

The combination of required disclo- little or no cost to researchers, cost could

sure of personal data and the ease with make it easier for pharmaceutical com-
which data can be collected and dis- panies and other commercial enterprises
seminated is not unique to pharmacies. than for researchers to access data.55,56
It is a cost of healthcare to collect and Some fear that the trend toward treating
store patient records, a cost passed on data as private property could make it
to patients and payers, whether private more difficult to develop comprehen-
or governmental. The organizations sive databases crucial for public health
providing these data obtain it from and research.57
those legally required to provide it— Research, trade, and innovation, as
from individuals who pay directly, or well as the globalized healthcare indus-
indirectly through their private or pub- try, provide considerable public benefit.
lic insurers, for its collection and main- There are ethical as well as economic
tenance. These individuals gain little costs to privileging privacy, but economic
direct benefit from the aggregation and value may not be more important than
sale of data about them, and they may be privacy or other considerations. Law
harmed by it. It mostly occurs without and common ethical practice prevent

318
 Bioethics and Information Technology

releasing medical information without a U.K.’s National Health Service (NHS),

patient’s permission, but U.S. law does Royal College of Physicians, and the
not prevent selling or transferring rights Wellcome Trust led a coalition of leading
to records.58 Data that can be sold, can be medical research organizations opposed
sold and replicated anywhere and, once to the proposed European General Data
sold, may be used for good or ill. Tracing Protection Regulation, which, unlike
the chain of data sales and use is diffi- the Data Protection Directive it would
cult, making transparency and consent replace, would bind all 28 member
nearly impossible the further data are countries. The proposal was accept-
transferred from the original source. able to most EU nations; the European
Parliament approved the committee
report in full in 2014.60
Health Data Uses: Big Data, Data
The regulation affects any organization
Mining, Research, and Biosurveillance
that gathers, processes, and stores data,
Electronic health records and health whether operating within the EU, doing
information networks provide a wealth business with organizations within the
of data for public health, health outcome EU, or storing data in EU-member coun-
improvements, and research. Data could tries. As of this writing, most organiza-
be used for a range of beneficial pur- tions were not ready for compliance.
poses, from outcomes and comparative Research organizations were among
effectiveness research to designing clin- those concerned about its impact. It is
ical trials and monitoring drug safety. especially relevant here that the regula-
The benefits of these data for public tion defined personal data as any infor-
health, marketing, research, drug devel- mation about an individual, whether it
opment, identifying adverse effects, relates to his or her private, professional,
and biosurveillance; for reducing costs or public life; and thus such data includes
and overprescribing; and for regulat- medical information. Much of these
ing devices and software all are inter- personal data—a name, a photo, an email
twined with privacy concerns. For some address, bank details, posts on social
of these purposes, it is crucial to be able networking websites, or a computer’s
to identify individuals and link together IP address61—too, are part of medical
an individual’s records, so a require- records. The original proposed regula-
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

ment for de-identification may further tion, therefore, increased health data pro-
impair research. tection and would have made illegal the
However, there also could be harms. NHS mass database of citizens’ health
Patients may withhold sensitive infor- information, which could provide a valu-
mation if they fear it will be used against able resource for improving care.62,63,64
them, even though it may be useful Opposition from the NHS and other
for other purposes. Studies based on research organizations contributed to
analyzing large data sets could be com- changes put forward by the EU justice
promised if individual prescribers or ministers in March 2015 to improve
patients withhold information or their data sharing across healthcare services.
consent for data use.59 They also tabled amendments regard-
Privacy advocates, researchers, and ing how to manage such special forms
public health officials can be at odds of data as health and genetic data, and
over how to achieve benefits while when patient consent is needed.65 The
protecting privacy; their disagreements European Parliament, the Council, and
may stem from different values and the Commission agreed on the new regu-
historical legacies. For example, the lation late in 2015 and it is expected to

319
 Bioethics and Information Technology

be adopted by the European Parliament publishable material on patient outcomes

at the beginning of 2016.66 and comparative effectiveness, which
This NHS database also provokes pri- is valuable for effectiveness research.
vacy concerns while providing finan- Epidemiologic trends also can be identi-
cial benefit, as the NHS sells the data.67 fied through social media postings.75,76,77
Individuals can opt out of the new care. Those engaging in this social networking
gov database, which was to contain, presumably feel it is beneficial to them.
for the first time, records from primary Even so, it would be better if they were
care (GP) practices. Privacy concerns aware of what is done with their data,
delayed including those GP records.68 instead of being surprised if they have
Although other rules allow greater third- not read subscription agreements care-
party access to other NHS databases,69 fully enough to know that PatientsLikeMe
insurers, pharmaceutical companies, sells data to pharmaceutical and other
and other private commercial enter- companies and that sites such as
prises will receive “pseudoanonymized” Facebook are not private places.78,79
records that the NHS claims “will not
contain information that identifies you,”
Who Sells and Uses Data? One Man’s
but that instead include NHS numbers,
Bread is Another Man’s Poison
birth dates, postcodes, and ethnicity and
gender information.70 The database was As is evident from the multiplicity
created, according to the NHS England of uses, health data are valuable.
website, to improve NHS services,71 and Internationally, the idea of “liberating”
to “drive economic growth by making data for secondary use is recognized
England the default location for world- as beneficial for individual and public
class health services research.”72 benefit, research, entrepreneurship, and
In the United States, too, researchers policy. Though transborder data flow is
and bioethicists recognize that privacy regulated by international agreements,
protections can impede research and such as the EU Data Protection Directive,
healthcare quality improvement, with presumably health data could be sold
calls from such influential agencies as worldwide, to anyone, for any purpose.
the Institute of Medicine to change Balancing this with privacy concerns
the HIPAA Privacy Rule to allow for is fraught.80 Strong privacy protection,
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

information-based research—that is, such as the rights-centric approach of

research using medical records or stored the European Court of Human Rights,
biological samples.73 could adversely affect the globalized
Some innovative approaches to meet- healthcare industry, and innovation and
ing privacy, research, and commercial trade.81,82,83,84
needs for data sharing include the new Entire patient records are among the
international Open Humans Network, many possible sources of data for which
which “attempts to break down health there is a lucrative market, for laudable
data silos through an online portal that as well as unsavory purposes. Incidents
will connect participants willing to share of medical identity theft increased by
data about themselves publicly with more than 20 percent in 2014 compared
researchers who are interested in using to 2013.85 In the active black market in
that public data and contributing their identifiable medical record information,
analyses and insight to it,”74 and busi- health information is more valuable than
nesses based on similar ideas, such U.S. Social Security numbers for iden-
as PatientsLikeMe. Using the data tity theft.86,87 Though prices vary, such
people post, PatientsLikeMe produces information sells for about ten times

320
 Bioethics and Information Technology

more than credit card numbers (which enforcement, immigration control, and
typically sell for no more than a few U.S. homeland security.98,99
dollars) because it can be monetized Organizations, too, may benefit finan-
by getting treatment paid for via iden- cially while providing social benefit
tity theft or to extort money from hacked through data sales. The American
corporations.88,89 Medical Association and the U.S.
Electronic records also make it possi- Centers for Medicare and Medicaid
ble for computer or software vendors, sell provider data, whereas state
intermediaries, or newly created orga- Health Information Exchanges (HIEs)
nizations to bundle and sell rights and sell secondary data.100,101,102 The U.K.’s
data,90 a practice useful for research, National Health Service, too, sells
policy, marketing, and business. In the data.103 Insurance companies or health
United States, there is an exhaustive list information technology vendors might
of organizations that can use and legally aggregate and sell provider-identified
sell health information,91 some for pur- data on performance and quality mea-
poses patients and clinicians would not sures, the number of procedures per-
anticipate. Data sold by both U.S. state formed, U.S. meaningful use criteria,
and federal agencies can be linked to data security breaches, and other useful
individuals by using publicly available compilations. Cash-strapped commu-
information, even if some of the data nity health organizations, state Regional
are de-identified.92,93 Extension Centers (RECs), county hos-
Some may consider what is done pitals, the U.S. Veterans Administration,
with these data as harmful to some of the Indian Health Service, the Joint
the individuals who have provided Commission, or hospital associations
the data and, at the same time, as ben- also could sell data for similarly benefi-
eficial to other individuals, depending cent purposes. Hospitals routinely sell
on what the data reveal. This combina- birth records.104
tion of benefits and harms is evident in Genetic data are also double-edged.
a variety of examples in which one’s Such data are needed for research, per-
records affect one’s services and costs. sonalized medicine, and biobanking
In the United States, where private but also can make individuals and com-
medical insurance is the norm, private munities vulnerable. For example, in
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

insurers use prescription and other 2000, Iceland’s parliament sold exclu-
claims data to deny insurance, charge sive rights to all the genetic and genea-
differential premiums, or exclude some logical data from each of its 275,000
conditions.94 Businesses often check citizens to the U.S. company deCODE
the MIB (Medical Information Bureau) Genetics. Soon thereafter, deCODE
for job applicants’ underwriting data.95 signed a $200 million contract with
Aggregators purchase and combine data Hoffman LaRoche to search for several
from the states as well as from pharma- common human genetic diseases.
cies.96 Credit agencies are the most Iceland had an opt-out policy, and the
frequent buyers of multistate health data were encrypted to de-identify
profiles, though IMS Health also pur- individuals. Nevertheless, the Icelandic
chases data from the states.97 Government Supreme Court later ruled that creating
fusion centers, designed to promote the database was unconstitutional because
data sharing among federal agencies and it did not adequately protect personal
state and local governments, combine privacy.105
data from multiple sources—including Clearly, provider or patient informa-
health record information—for law tion is valuable. Hospitals could purchase

321
 Bioethics and Information Technology

data about competitors, providers As a way of raising additional consid-

could identify populations for treat- erations, I pose possibilities that might
ment, researchers could conduct stud- occur were there unrestricted selling
ies involving healthcare and public of health data. Abortion opponents pre-
health practices, and government agen- sumably could buy aggregated pre-
cies could identify and influence health scription information for medications
trends. If such sales were restricted, that cause abortions, or animal rights
some fear, the data would not be col- activists could buy information about
lected or maintained at all, which could researchers’ animal or veterinary medi-
compromise research and new drug cine purchases. Depending on who buys
development.106,107 The Iceland genetic it and their purpose, such information
database sale, for example, led to could threaten or protect researchers’,
identification of genes linked to dis- clinicians’, and patients’ safety and
ease,108,109 though capitalizing on these might have adverse effects on research
kinds of discoveries was limited to the and clinical practice or might open new
company with exclusive rights to this avenues. Physicians, patients, hospi-
gene discovery. DeCODE’s 2009 bank- tals, and so on, in one country may be
ruptcy and the consequent database targeted for marketing by commercial
ownership change from a scientific ventures or medical tourism facilities in
research company to Saga Investments another. Some may welcome learning of
LLC, and the subsequent sale of the such opportunities, whereas others may
database in 2012 to biotech pioneer feel harassed or violated. Individuals in
Amgen, again raised questions about one country may experience salutary or
data privacy and use.110,111 salacious effects from having (identified
Countries as different as Canada, or possibly re-identified) data available
Estonia, Sweden, Singapore, and the elsewhere. But without transparency,
Kingdom of Tonga have developed there is little chance of gaining indi-
various models for protecting privacy vidual consent or, on both individual
and differing policies regarding com- and societal levels, assessing harm or
mercial involvement and rights to benefit.
samples for gene banks, all with the
goal of improving the public health of
Ownership, Commodification, and
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

the studied population, and, in some

De-Contextualization
cases, to generate revenue for national
healthcare budgets. Though all these The right to sell data is muddied by
policies are intended to maintain lack of clarity over the legalities of data
confidentiality, all of the data uses ownership. Law in and outside the
require personal identifiers so as to United States does not address health
link individuals’ records from genetic, data ownership clearly; it is not clear
medical, genealogical, and lifestyle who the owner should be, or whether
databases. International controversy ownership is better than current or
over such databases, therefore, centers alternative approaches.115,116 It also is
around confidentiality, consent, to what not clear where those who sell data
extent commercial interests should analytics services obtain the data, or
influence policy, and whether commer- how they might use them.117 Well-
cial ownership facilitates or impedes known electronic health record vendors
research,112,113,114 all of which are con- have sold de-identified copies of their
cerns related to collecting and selling patient databases to pharmaceutical
healthcare data in general. companies, medical device makers, and

322
 Bioethics and Information Technology

health services researchers.118 Vendor information a person may consider cen-

contracts are unusual in that some tral to the self.
vendors lay claim to patient record
data, whereas businesses and finan-
Conclusions
cial institutions typically do not give
up their data to their software ven- Widespread use of electronic patient
dors.119 Regardless of whether the data record systems enables opportunities to
themselves or the means of access to improve healthcare through data shar-
them are owned by electronic health ing, secondary use, and big data analyt-
records vendors, some academic medical ics. Multiple healthcare professionals,
centers pay to get data from their own payers, researchers, and commercial
patients’ records. Vendors often consider enterprises can access data and reduce
their contracts intellectual property and costs by eliminating duplication of ser-
do not reveal these and other contract vices and conducting research on effec-
provisions, a practice the American tive care. However, widespread use of
Medical Informatics Association con- electronic patient records systems also
siders unethical.120 creates more opportunities for privacy
If health data are property, presum- violations, data breaches, and inappro-
ably, whoever owns the data can sell priate uses.
them. Some advocate clearly defined Ethical and policy analysis related
property rights in medical information, to health data and informatics should
giving patients the right to monetize consider benefits and harms, taking into
their access and control rights, as a way account both the uses and users of
for individuals to control and benefit the information.126,127 Embarrassing an
from what happens to data about estranged spouse by publishing his or
them.121 Others argue against property her mental health records is more dis-
rights in patient data and advocate tasteful than using those records com-
instead for public ownership akin to a bined with others’ to study and improve
data commons so that data from multi- mental health. As this example suggests,
ple sources can be de-identified and some users (the researcher) are more
combined population-wide for public appealing than others (the spouse).
benefit.122 Commodifying medical infor- Moreover, an uncontroversial use may
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

mation strikes still others as anathema be morally offensive if the user is unsa-
to professional values and the special vory or controversial.128 How should
relationship between doctor and patient. distinctions be made so that some data
Privacy is valued because it facilitates uses and users are permissible and some
ideals of personhood involving auton- not? On what grounds? And who is
omy, individuality, respect, dignity, and best placed to make such decisions:
worth as a human being.123 Therefore, the courts or legislators, clinicians
the idea of selling personal health data and researchers who are most familiar
also disturbs those who think the practice with their data needs, companies that
commodifies the self and sullies ideas develop and market new medications,
of personhood.124,125 Compromising of or patients and prescribers, who are
personhood is compounded because most affected by privacy violations and
data in databases necessarily are de- can best weigh the relative importance
contextualized. De-identification is an of various values to themselves.129
attempt to remove any connection with Those most familiar with, closest to,
the person, but even identifiable health and affected by the potential use should
record data typically do not include all have a strong say. They need to know

323
 Bioethics and Information Technology

about those uses, though, to express their such as appropriate secondary use of
preferences in an informed, thoughtful data; patient and clinician relationships
way. Many patients do not know what is, in light of the growth of electronic health
or can be, done with data about them, records and health information tech-
but keeping them ignorant is not the way nologies;134,135,136 reliance on increasingly
to address concerns. Lack of account- untenable de-identification; burgeoning
ability and transparency about health electronic data collection, sharing, trans-
data uses feeds the public’s privacy mission, and aggregation; data use for
concerns,130 undermines the possibil- public health, research, and innovation;
ity of informed consent, and impairs and the privacy and security of health
research, care, and public health. data.
Ethical considerations over data use As health information exchanges
will, and should, evolve as the public and health tourism develops; as life-
becomes more aware of the value and time electronic health records that fol-
pitfalls of data sharing, data aggrega- low patients across governmental and
tion, and data mining. Cases like Source institutional boundaries are used more
and Sorrell encourage debate over pro- widely; as databases grow and biobanks
priety and values related to different become digital; as biometric identifica-
kinds of data use. They also lead to tion becomes more common; as radio
examining when it is in the public inter- frequency identification devices (RFIDs)
est for personal health data to be made are embedded in medical devices, smart-
available, just what that “public interest” pills, and patients; as home sensors
is,131,132 and, for that matter, just what and monitors are increasingly used; as
“privacy” comprises and entails as mobile, wearable, and e-health applica-
norms evolve.133 The issues include tions expand; and as health information
considering, in a healthcare context, the exchanges develop,137,138,139,140 informati-
dualities playing out with respect to big cians can add to the conversation among
data in domains other than healthcare: governments, courts, regulatory agen-
the individual versus the aggregate, cies, professional societies, and other
research versus privacy, individual ver- organizations to consider responses
sus institutional power, identification to issues involving health-related data.
versus identity, identification versus Combining legal and ethics scholarship
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

authentication, and virtual people versus with informaticians’ expertise concern-

real people and contextualized infor- ing judicious and ethical data collection
mation. They involve big data harms and use, together with their technical
and benefits related to innovation and knowledge of data aggregation and
economic advancement, power shifts, identification, can contribute to more
access to knowledge, and freedom of informed policies.
communication. The Source and Sorrell court cases can
Societies and governments need to provoke an initial reaction of outrage
grapple with these ethical issues, ten- over privacy violations and data use
sions between privacy and other con- without consent. Consequently, they
siderations, and shifting norms. The call into question just what constitutes
numerous cross-cutting issues suggest “privacy” and “public interest” and
that other areas of law, ethics, and social stimulate considerations as to how to
policy also can inform related ethical and balance them. They provide an opportu-
legal considerations. For some time, the nity to weigh privacy against numerous
legal, bioethics, and informatics com- beneficial uses for data. Transparency
munities have been considering issues and accountability are needed so that

324
 Bioethics and Information Technology

harms and benefits can be judged 9. United States Government, Department of

through public discussion and so that Health and Human Services, Office for Civil
Rights. Summary of the HIPAA Privacy Rule;
individual as well as societal decisions available at http://www.hhs.gov/ocr/
can be made on more informed and privacy/hipaa/understanding/summary/
thoughtful grounds. Using data collected (last accessed 30 June 2013).
for one purpose (such as prescriptions) 10. United States Government, Department
for another purpose (such as pharma- of Health and Human Services, Office for
Civil Rights. Standards for Privacy of
ceutical marketing) can undermine Individually Identifiable Health Information;
public confidence, especially if the available at http://aspe.hhs.gov/admnsimp/
public is unaware of the reuse. Doing final/pvcguide1.htm (last accessed 19 Jan
so without individuals’ permission 2014).
11. United States Government, Department of
violates international principles of data
Health and Human Services, HSS Press
privacy.141,142,143,144,145 The court cases Office, New rule protects patient privacy,
prompt ethical questions about com- secures health information 2013 Jan 17; avail-
modifying medical information and har- able at http://www.hhs.gov/about/news/
monizing policy across jurisdictional 2013/01/17/new-rule-protects-patient-
privacy-secures-health-information.html
boundaries. Their consequences may
(last accessed 1 Jan 2016). See also United
affect biomedical informatics, patient States Government, Department of Health
and clinician privacy, and regulation and Human Services, Office of the Secretary.
in ways this article explores, in the 45 CFR Parts 160 and 164: Modifications to
United States, United Kingdom, and the HIPAA Privacy, Security, Enforcement,
and Breach Notification Rules Under the
elsewhere.
Health Information Technology for Economic
and Clinical Health Act and the Genetic
Notes Information Nondiscrimination Act; other
modifications to the HIPAA Rules; final rule.
1. Laura Wexler’s comments as a respondent Federal Register 2013 Jan 25:5565–702; available
at “The Critical Life of Information,” a confer- at http://www.gpo.gov/fdsys/pkg/FR-
ence at Yale University, April 11, 2014, outlined 2013-01-25/pdf/2013-01073.pdf (last accessed
dualities related to big data; see http://wgss. 2 July 2014).
yale.edu/sites/default/files/files/ 12. European Union. EU Directive 95/46/EC—
Critical%20Life%20of%20Information%20 The Data Protection Directive; available at
Program%20spreads.pdf (last accessed 19 http://www.dataprotection.ie/docs/EU-
Aug 2014) for conference information. Directive-95-46-EC--Chapter-2/93.htm (last
2. Jost TS. Readings in Comparative Health Law accessed 23 Mar 2014).
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

and Bioethics. 2nd ed. Durham, NC: Carolina 13. European Commission, Directorate General
Academic Press; 2007. for Justice and Consumers. Agreement on
3. Institute of Medicine (IOM). Beyond the HIPAA Commission's EU data protection reform will
Privacy Rule: Enhancing Privacy, Improving boost Digital Single Market 2015 Dec 15;
Health Through Research. Washington, DC: available at http://europa.eu/rapid/press-
The National Academies Press; 2009, at 78. release_IP-15-6321_en.htm (last accessed
4. See note 3, IOM 2009, at 79. 5 Jan 2016). See also European Commission,
5. Jones P. Permission-based marketing under Directorate General for Justice and
Canada’s new privacy laws. Franchise Law Consumers. Reform of EU data protection rules;
Journal 2004;24(2):267–303. available at http://ec.europa.eu/justice/
6. Walden I. Anonymising personal data. data-protection/reform/index_en.htm (last
International Journal of Law and Information accessed 5 Jan 2016).
Technology 2002;10(2):224–37. 14. Rossi B. Countdown to the EU General Data
7. Srinivas N, Biswas A. Protecting patient Protection Regulation: 5 steps to prepare.
information in India: Data privacy law and Information Age 2015 Mar 24; available at
its challenges. NUJS Law Review 2012;5(3): http://www.information-age.com/it-
411–24. management/risk-and-compliance/
8. Kaplan B. Selling health data: De-identification, 123459219/countdown-eu-general-data-
privacy, and speech. Cambridge Quarterly of protection-regulation-5-steps-prepare (last
Healthcare Ethics 2015;24(3):256–71. accessed 13 May 2015).

325
 Bioethics and Information Technology

15. Solove DJ. A taxonomy of privacy. University 36. See note 5, Jones 2004.
of Pennsylvania Law Review 2006;154(3): 37. Powell J, Fitton R, Fitton C. Sharing electronic
477–560. health records: The patient view. Informatics
16. Ohm P. Broken promises of privacy: in Primary Care 2006;14(1):55–7.
Responding to the surprising failure of 38. Schers H, van den Hoogen H, Grol R,
anonymization. UCLA Law Review 2010;57: van den Bosch W. Continuity of information
1701–77, at 270. in general practice: Patient views on confi-
17. Taylor MJ. Health research, data protection, dentiality. Scandinavian Journal of Primary
and the public interest in notification. Medical Health Care 2003;21(1):21–6.
Law Review 2011;19(2):267–303. 39. See note 23, Beyleveld, Histed 2000.
18. See note 17, Taylor 2011, at 303. 40. See note 32, Malin et al. 2013.
19. Kaplan B. Patient health data privacy. In: 41. See note 34, Dunkel 2001, at 70.
Yanisky-Ravid S, ed. The Challenges of the 42. Choy C, Hudson Z, Pritts J, Goldman J.
Digital Era: Privacy, Information and More. Exposed Online: Why the New Federal Health
New York: Fordham University Press; Privacy Regulation Doesn’t Offer Much
forthcoming. Protection to Internet Users. Health Privacy
20. See note 8, Kaplan 2015. Project, Institute for Healthcare Research and
21. See note 16, Ohm 2010. Policy, Georgetown University: Pew Internet
22. See note 19, Kaplan forthcoming. and American Life Project; 2001, at 4; available
23. Beyleveld D, Histed E. Betrayal of confi- at http://www.pewinternet.org/files/old-
dence in the Court of Appeal. Medical Law media/Files/Reports/2001/PIP_HPP_
International 2000;4:277–311. HealthPriv_report.pdf.pdf (last accessed 11
24. Koontz L. What is privacy? In: Koontz L, ed. May 2015).
Information Privacy in the Evolving Healthcare 43. See note 12, EU 2014.
Environment. Chicago: Healthcare Informa- 44. McGraw D. Building public trust in uses
tion and Management Society (HIMSS); of Health Insurance Portability and
2013:1–20. Accountability Act de-identified data. JAMIA
25. See note 19, Kaplan forthcoming. (Journal of the American Medical Informatics
26. See note 8, Kaplan 2015. Association) 2013;20(1):29–34.
27. World Medical Association. International Code 45. Curfman GD, Morrissey S, Drazen JM.
of Medical Ethics; available at http://www. Prescriptions, privacy, and the First
wma.net/en/30publications/10policies/c8/ Amendment. New England Journal of
index.html (last accessed 2 May 2014). Medicine 2011;364(21):2053–5.
28. World Medical Association. Declaration 46. Tien L. Online behavioral tracking and
of Helsinki—Ethical Principles for Medical the identification of Internet users. Paper
Research Involving Human Subjects; available at presented at: From Mad Men to Mad Bots:
http://www.wma.net/en/30publications/ Advertising in the Digital Age [conference].
10policies/b3/ (last accessed 2 May 2014). The Information Society Project at the Yale
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

29. World Medical Association. Declaration Law School. New Haven, CT; 2011.
on Ethical Considerations Regarding Health 47. Benitez K, Malin B. Evaluating re-identification
Databases; available at http://www.wma. risks with respect to the HIPAA Privacy
net/en/30publications/10policies/d1/ Rule. JAMIA (Journal of the American Medical
(last accessed 2 May 2014). Informatics Association) 2010;17(2):169–77.
30. See note 29, WMA 2014. 48. See note 16, Ohm 2010.
31. See note 2, Jost 2007. 49. See note 8, Kaplan 2015.
32. Malin BA, El Emam K, O’Keefe CM. 50. Sorrell v. IMS Health, Inc., et al., 131 S. Ct.
Biomedical data privacy: Problems, perspec- 2653 (2011).
tives, and recent advances. JAMIA (Journal of 51. R v. Department of Health, Ex Parte Source
the American Medical Informatics Association) Informatics Ltd. [C.A. 2000] 1 All ER 786.
2013;20(1):2–6. See also R v. Department of Health, Ex Parte
33. See note 23, Beyleveld, Histed 2000, at 296. Source Informatics Ltd. European Law Report
34. Dunkel YF. Medical privacy rights in 2000;4:397–414.
anonymous data: Discussion of rights in the 52. See note 8, Kaplan 2015.
United Kingdom and the United States in 53. See note 7, Srinivas, Biswas 2012.
light of the Source Informatics cases. Loyola of 54. See note 5, Jones 2004.
Los Angeles International and Comparative Law 55. Baxter AD. IMS Health v. Ayotte: A new direc-
Review 2001;23(1):41–80. tion on commercial speech cases. Berkeley
35. See note 7, Srinivas, Biswas 2012. Technology Law Journal 2010;25:649–70.

326
 Bioethics and Information Technology

56. Pasquale F. Restoring transparency to auto- 71. See note 70, NHS Choices 2014.
mated authority. Journal on Telecommunications 72. Ramesh R. NHS patient data to be made
and High Technology Law 2011;9:235–54. available for sale to drug and insurance
57. Rodwin MA. Patient data: Property, privacy, firms. The Guardian 2014 Jan 19; available
and the public interest. American Journal of at http://www.theguardian.com/society/
Law and Medicine 2010;36:586–618, at 589. 2014/jan/19/nhs-patient-data-available-
58. Hall MA, Schulman KA. Ownership of med- companies-buy (last accessed 24 July 2014).
ical information. JAMA 2009;301(12):1282–4. 73. Institute of Medicine. Beyond the HIPAA
59. Gooch GR, Rohack JJ, Finley M. The moral Privacy Rule: Enhancing Privacy, Improving
from Sorrell: Educate, don’t legislate. Health Health Through Research. Washington, DC:
Matrix 2013;23(1):237–77. National Academies; 2009; available at
60. NHS European Office. Data Protection; 2015 http://www.iom.edu/ ∼ /media/Files/
Mar 24; available at http://www.nhsconfed. Report%20Files/2009/Beyond-the-HIPAA-
org/regions-and-eu/nhs-european-office/ Privacy-Rule-Enhancing-Privacy-
influencing-eu-policy/data-protection (last Improving-Health-Through-Research/
accessed 15 May 2015). HIPAA%20report%20brief%20FINAL.pdf
61. See note 14, Rossi 2015. (last accessed 22 Jan 2014).
62. O’Donoghue C. EU research group condemns 74. Open Humans Network. Open Humans
EU regulation for restricting growth in life Network wins Knight News Challenge: Health
sciences sector; 2014; available at http:// Award; available at http://openhumans.org/
www.globalregulatoryenforcementlawblog. (last accessed 1 July 2014).
com/2014/02/articles/data-security/ 75. Christakis NA, Fowler JH. Social network
eu-research-group-condemns-eu-regulation- visualization in epidemiology. Norwegian
for-restricting-growth-in-life-sciences-sector/ Journal of Epidemiology 2009;19(1):5–16.
(last accessed 23 Mar 2014). 76. Christakis NA, Fowler JH. Social network
63. Farrar J. Sharing NHS data saves lives; EU sensors for early detection of contagious
obstruction will not. The Telegraph 2014 Jan outbreaks. PLoS ONE 2010;5(9):e12948.
14; available at http://www.telegraph.co.uk/ 77. Velasco E, Agheneza T, Denecke K,
health/nhs/10569467/Sharing-NHS-data- Kirchner G, Eckmanns T. Social media and
saves-lives-EU-obstruction-will-not.html Internet-based data in global systems for
(last accessed 23 Mar 2014). public health surveillance: A systematic
64. European Public Health Alliance. [Update] review. The Milbank Quarterly 2014;93(1):
General Data Protection Regulation; available 7–33.
at http://www.epha.org/5926 (last accessed 78. Andrews L. I Know Who You Are and I Saw What
23 Mar 2014). You Did: Social Networks and the Death of Data
65. NHS Confederation. EU ministers table Privacy. New York: Free Press; 2011, at 1–3.
changes to data privacy; 2015 Mar 13; avail- 79. Angwin J. Dragnet Nation: A Quest for
able at http://nhsconfed.org/news/2015/ Privacy, Security, and Freedom in a World of
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

03/eu-ministers-table-changes-to-data- Relentless Surveillance. New York: Times

privacy-laws (last accessed 14 May 2015). Books, Henry Holt; 2014, at 33–4.
66. See note 13, European Commission 2015. 80. Geissbuhler A, Safran C, Buchan I, Bellazzi R,
67. Doctorow C. UK set to sell sensitive NHS Labkoff S, Eilenberg K, et al. Trustworthy
records to commercial companies with no reuse of health data: A transnational perspec-
meaningful privacy protections—UPDATED; tive. International Journal of Medical Informatics
2014 Feb 4; available at http://boingboing. 2013;83(1):1–9.
net/2014/02/04/uk-set-to-sell-sensitive- 81. See note 7, Srinivas, Biswas 2012.
nhs-r.html (last accessed 5 Feb 2014). 82. See note 17, Taylor 2011.
68. Donnelly L. Hospital records of all NHS 83. Bambauer JR. Is data speech? Stanford Law
patients sold to insurers. The Telegraph 2014 Review 2014;66:57–120.
Feb 23; available at http://www.telegraph. 84. Zarsky TZ. The privacy/innovation conun-
co.uk/health/healthnews/10656893/ drum. Lewis & Clark Law Review 2015;19(1);
Hospital-records-of-all-NHS-patients-sold- available at http://ssrn.com/abstract=
to-insurers.html (last accessed 24 July 2014). 2596822 (last accessed 19 May 2015).
69. See note 68, Donnelly 2014. 85. Dvorak K. Med identity theft continues to
70. NHS Choices. Your records: Better informa- rise; 2015 Feb 23; available at http://www.
tion means better care; available at http:// fiercehealthit.com/story/med-identity-
w w w. n h s . u k / n h s e n g l a n d / t h e n h s / theft-continues-rise/2015-02-23?utm_
records/healthrecords/pages/care-data. medium=nl&utm_source=internal (last
aspx (last accessed 24 July 2014). accessed 14 May 2015).

327
 Bioethics and Information Technology

86. Avila J, Marshall S. Your medical records patient-privacy-in-jeopardy/ (last accessed 19

may not be private: ABC News Investigation. Jan 2014).
ABC News 2012 Sept 13; available at http:// 98. Bady A. World without walls—privacy laws
abcnews.go.com/Health/medical-records- should be recrafted for the data fusion age.
private-abc-news-investigation/story?id= Technology Review 2011;114(6):66–71.
17228986&page=2 (last accessed 22 Mar 99. United States Government, Department of
2014). Justice. Fusion Center Guidelines: Developing
87. Nguyen V, Nious K, Carroll J. Your medical and Sharing Information and Intelligence in a
records could be sold on black market: New Era; 2006; available at http://www.
NBC Investigative Unit surprises strang- it.ojp.gov/documents/fusion_center_
ers with private medical details. NBC Bay guidelines.pdf (last accessed Mar 2012).
Area 2013 June 18; available at http://www. 100. See note 45, Curfman et al. 2011.
nbcbayarea.com/news/local/Medical- 101. United States Government, Department of
Records-Could-Be-Sold-on-Black-Market- Health and Human Services, Centers for
212040241.html (last accessed 22 Mar Medicare and Medicaid Services. Agreement
2014). for Use of Centers for Medicare & Medicaid
88. Lawrence D. End of Windows XP support Services (CMS) Data Containing Unique
means added opportunity for hackers. Identifiers, Form CMS-R-0235, OMB No. 0938-
Businessweek 2014 Apr 4; available at http:// 0734; available at http://www.cms.gov/
www.businessweek.com/articles/2014- M e d i c a re / C M S - F o r m s / C M S - F o r m s /
04-04/end-of-windows-xp-support-means- downloads//cms-r-0235.pdf (last accessed
added-opportunity-for-hackers (last accessed 13 Sept 2013).
1 July 2014). 102. Hebda T, Czar P. Handbook of Informatics for
89. Shahani A. The black market for stolen Nurses and Healthcare Professionals. 4th ed.
health care data. NPR; 2015 Feb 13; available Upper Saddle River, NJ: Pearson/Prentice
at http://www.npr.org/sections/alltech- Hall; 2009, at 321.
considered/2015/02/13/385901377/the- 103. See note 68, Donnelly 2014.
black-market-for-stolen-health-care-data 104. See note 95, Holtzman 2006, at 192.
(last accessed 14 May 2015). 105. McGraw Hill General and Human Biology
90. See note 58, Hall, Schulman 2009. Case Studies. Gene Banks versus Privacy
91. See note 34, Dunkel 2001. Invasion; available at http://www.mhhe.com/
92. See note 47, Benitez, Malin 2010. biosci/genbio/casestudies/sellinggenes.
93. Roberston J. States’ hospital data for sale mhtml (last accessed 2 May 2014).
puts privacy in jeopardy. Health Leaders 106. Brief for the Association of Clinical Research
Media; 2013; available at http://www. Organizations as Amici Curiae Supporting
healthleadersmedia.com/content/QUA- Respondents, William H. Sorrell v. IMS
292963/States-hospital-data-for-sale-puts- Health, Inc., et al., 2011 WL 2647130 (2011)
privacy-in-jeopardy (last accessed 14 June (No. 10-779), (2011).
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

2013). 107. See note 59, Gooch et al. 2013.

94. Brief for the New England Journal of Medicine, 108. See note 105, McGraw Hill 2014.
the Massachusetts Medical Society, the 109. Austin MA, Harding S, McElroy C.
National Physicians Alliance, and the Genebanks: A comparison of eight proposed
American Medical Students Association as international genetic databases. Community
Amici Curiae Supporting Petitioners, William Genetics 2003;6(1):37–45.
H. Sorrell v. IMS Health, Inc. et al., 2010 U.S. 110. Gillham WW. Genes, Chromosomes, and Disease:
Briefs 779 (No. 10-779), 2011 U.S. S. Ct. Briefs From Simple Traits, to Complex Traits, to
LEXIS 299. Personalized Medicine. Upper Saddle River, NJ:
95. Holtzman DH. Privacy Lost: How Technology Pearson Education, published as FT Press
Is Endangering Your Privacy. San Francisco: Science; 2011, at 18–19.
Jossey-Bass; 2006, at 195. 111. Amgen. Amgen to Acquire deCODE Genetics,
96. See, for example, RPC Health Data Store. a Global Leader in Human Genetics; available
CMS MedPAR Hospital Data File; available at at www.amgen.com/media/media_pr_
http://www.healthdatastore.com/cms- detail.jsp?releaseID=1765710 (last accessed
medpar-hospital-data-file.aspx (last accessed 2 May 2014).
13 Sept 2013). 112. See note 109, Austin et al. 2003.
97. [Winston JS]. States’ hospital data for sale puts 113. Annas GJ. Rules for research on human
patient privacy in jeopardy; 2013 June 7; avail- genetic variation—lessons from Iceland. New
able at https://www.annualmedicalreport. England Journal of Medicine 2000;342(24):
com/states-hospital-data-for-sale-puts- 1830–3.

328
 Bioethics and Information Technology

114. Gulcher JR, Stefánsson K. The Icelandic 126. Miller RA, Schaffner KF, Meisel A. Ethical
Healthcare Database and informed consent. and legal issues related to the use of computer
New England Journal of Medicine 2000;342(24): programs in clinical medicine. Annals of
1827–9. Internal Medicine 1985;102:529–36.
115. See note 19, Kaplan forthcoming. 127. Goodman KW. Health information technol-
116. Evans BJ. Much ado about data ownership. ogy: Challenges in ethics, science and uncer-
Harvard Journal of Law & Technology 2011;25(1): tainty. In: Himma K, Tavani H, eds. The
69–130. Handbook of Information and Computer Ethics.
117. For example, GE Data Visualization uses Hoboken, NJ: Wiley; 2008:293–309.
information “based on 7.2 million patient 128. See note 127, Goodman 2008.
records from GE’s proprietary database”; 129. Data mining case tests boundaries of medi-
available at http://visualization.geblogs. cal privacy. CMAJ 2011;183(9):E509–10.
com/visualization/network/ (last accessed 130. See note 44, McGraw 2013.
27 Sept 2013). GE Healthcare’s Healthcare 131. See note 17, Taylor 2011.
IT Solutions—available at http://www3. 132. See note 57, Rodwin 2010, at 617–18.
gehealthcare.com/en/Products/Categories/ 133. See note 15, Solove 2006.
Healthcare_IT?gclid=CIKQ4Z6P7LkCFcE7 134. Goodman KW. Ethics, information tech-
OgodTDIAPQ and http://www3.gehealthcare. nology, and public health: New challenges
com/en/Products/Categories/Healthcare_ for the clinician-patient relationship. Journal
IT/Knowledge_Center (last accessed 27 of Law, Medicine and Ethics 2010 Spring:
Sept 2013)—includes patient records and 58–63.
patient portals. 135. Kaplan B, Litewka S. Ethical challenges
118. Sittig DF, Singh H. Legal, ethical, and finan- of telemedicine and telehealth. Cambridge
cial dilemmas in electronic health record Quarterly of Healthcare Ethics 2008;17(4):
adoption and use. Pediatrics 2011 Apr;127(4): 401–16.
e1042–7. 136. See note 19, Kaplan forthcoming.
119. Moore J, Tholemeier R. Whose data is it any- 137. See note 134, Goodman 2010.
way? The Health Care Blog; 2013 Nov 20; 138. See note 135, Kaplan, Litewka 2008.
available at http://thehealthcareblog.com/ 139. See note 19, Kaplan forthcoming.
blog/2013/11/20/whose-data-is-it-anyway-2/ 140. Roland D. UK to get 200 high-tech factory jobs
(last accessed 3 Feb 2014). making “swallowable sensors.” The Telegraph
120. Goodman KW, Berner E, Dente MA, Kaplan B, 2014 Mar 10; available at http://www.
Koppel R, Rucker D, et al. Challenges in telegraph.co.uk/finance/10687395/UK-to-
ethics, safety, best practices, and oversight get-200-high-tech-factory-jobs-making-
regarding HIT vendors, their customers, and swallowable-sensors.html (last accessed
patients: A report of an AMIA special task 17 July 2014).
force. JAMIA (Journal of the American Medical 141. See note 24, Koontz 2013.
Informatics Association) 2011;18(1):77–81. 142. See note 44, McGraw 2013.
https://doi.org/10.1017/S0963180115000614 Published online by Cambridge University Press

121. Hall MA. Property, privacy, and the pursuit 143. See note 23, Beyleveld, Histed 2000.
of interconnected electronic health records. 144. See note 12, EU 2014.
Iowa Law Review 2010;95:631–63. 145. Rodrigues RJ, Wilson P, Schanz SJ. The
122. See note 57, Rodwin 2010. Regulation of Privacy and Data Protection in
123. See note 3, IOM 2009, at 77. the Use of Electronic Health Information: An
124. See note 58, Hall, Schulman 2009. International Perspective and Reference Source
125. Atherley G. The public-private partnership on Regulatory and Legal Issues Related to Person-
between IMS Health and the Canada Pension Identifiable Health Databases. Washington, DC:
Plan. Fraser Forum 2011:5–7. World Health Organisation (WHO); 2001.

329