launch

MAKING MEDICAL BIG DATA MORE SECURE

Sharona Hoffman, JD, recently scrolled through a popular online medical data sharing site—the kind that delights researchers with its possibilities but leaves her uneasy.

She stopped at the profile of one individual identified by name whose history included chest pains and high cholesterol.

"I'm concerned that if an employer does a little bit of searching, it can find this page and decide not to hire him," said Hoffman, the Edgar A. Hahn Professor of Law, professor of bioethics and co-director of the Law- Medicine Center at Case Western Reserve School of Law.

The rise of medical databases, coupled with government open data policies, has created a trove of easily accessible health data—some of which could contribute to significant medical breakthroughs.

But Hoffman—who has built a career studying the ethical and legal ramifications of health information technology—wants to make sure the public understands the potential implications of three types of open medical database sites:

• Sites where individuals can voluntarily post their names and medical histories—and unwittingly become vulnerable to discrimination by employers and others who might make adverse decisions because of the information.
• Sites without people's names, but with other identifiers, such as gender, birth date and ZIP code, that Hoffman said are sufficient for a large percentage of people to be identified.
• Sites that thoroughly de-identify individuals, yet could create potential problems for specific demographic groups. Sophisticated data miners may be able to reach sweeping conclusions—for example, an employer might avoid hiring people of a certain age and ethnic group because data show a propensity for certain illnesses.

Hoffman became increasingly concerned when she worked at the U.S. Centers for Disease Control and Prevention (CDC) in Atlanta in the spring of 2014 as a Distinguished Scholar in Residence, studying the impact of federal releases of medical big data.

"Some researchers would say that the more you de-identify the information the less valuable it is," she said. "But we need to reach a balance between having information that is valuable for researchers and protecting the privacy of individuals."

Hoffman realized that America's legal system had not kept up with health information technology. While at the CDC, she developed recommendations to address the regulatory shortcomings she saw.

In an article, "Citizen Science: The Law and Ethics of Public Access to Medical Big Data," being published later this year by the Berkeley Technology Law Journal, Hoffman details potential policy solutions. She suggests adding a provision to the federal law protecting health privacy—commonly known as HIPAA—that would prohibit any attempt to re-identify de-identified patient data. She also recommends expanding the Americans with Disabilities Act to protect people who, based on information learned from data mining, could be flagged for the risk of future disabilities.

"She clearly articulates the issues and proposes rational remedies that policymakers would benefit from reading," said David Kaelber, MD, PhD (GRS '94, '99, biomedical engineering; MED '00), professor of medicine at the Case Western Reserve School of Medicine and chief medical informatics officer for the MetroHealth System in Cleveland.

Hoffman hopes the paper will help start a national conversation. "The open data question is relatively new," she said, "and its implications deserve careful thought and attention."

—REBECCA MEISER