How safe is a patient’s health care data? AIPPI panel explores data privacy around the world.
11 September 2022
When does a patient’s personal health care data no longer belong to the patient? Four lawyers from four different jurisdictions discovered that there is no easy answer to that question in the Pharma III: Personal Healthcare Data – Free for All? session at the AIPPI 2022 World Congress in San Francisco.
The panel session reviewed the personal information protection legislation that has been implemented in different countries and that influences the rules for handling health care data and innovation in personalized medicines and diagnostic methods.
Among the topics was whether anonymized data could be used differently than data with patient information attached to it. “In the U.S., our [patient privacy laws] date from 1996, from the perspective of the 1990s where, if you take a patient’s medical information, take off their name, their insurance number, their phone number and address and birth date, it’s pretty anonymous, because to then connect that data point with an individual patient, in the 1990s, would have been virtually impossible,” said MaryAnne Armstrong, a partner at Birch, Stewart, Kolasch & Birch in Falls Church, Virginia.
“But is that still impossible today? If you are in a situation where you want to use the data for a research study for which you will need the geographic information, you can include the information down to the ZIP Code – which is not a very big geographic area in the U.S. – and that was considered anonymous enough. But today, with software with algorithms, conceivably you can put that data in and, if you have the regional demographics, you might be able to narrow down pretty well who the patients might be.”
Soley Coban, a senior attorney at Deris IP Attorneys in Istanbul, noted that if you have gender, post code and age, you can, with a high probability of accuracy, find that subject in the United States. But she warned against the attractiveness of over-anonymizing. “If you over-anonymize, that could lead to data not being usable, not good enough for research or a clinical trial. Yet if you don’t anonymize enough, you could de-identify, which could lead to data security breaches,” she said.
In India, said Mamta Rani Jha, a senior partner at Inttl Advocare in Delhi, confidentiality is an underlying principle in personal health care data. “You cannot breach the privacy,” she said. “It has to be anonymous if you want to use it. Anyone connecting or sharing the data, consent is the first thing, then you have to say the purpose and the objective for collecting that data, and then you have to use it for the purpose for which you collected it. It is essential that it has to be handled very, very carefully.”
Eran Bareket, the panel moderator and a senior partner at Gilat, Bareket & Co. in Tel Aviv, asked the panellists if there were any regulations for the de-identification process for health care data.
“In my view, the process is similar to encryption,” Bareket said. “You encrypt, but then the issue is decryption. Can someone decrypt anonymizing? Are there any best practices in your countries regarding de-identification?”
Everyone is trying to use the best tool to make such data anonymous, but there is no standardized way of doing so, said Jha.
The European Union doesn’t have such practices, either, said Coban. “But it’s one of the issues that should be regulated.”
– Gregory Glass, reporting from San Francisco