Making sense of consent and health records in the digital age
May 8, 2016
There are few more potent touchstones for the public than the protection of their privacy, and this is especially true with our health records. Within these documents lies information that may affect your loved ones, your social standing, employability, and the way insurance companies rate your risk.
We now live in a world where our medical records are digitised. In many nations that information is also moving away from the clinician who captured the record to regional repositories, or even government run national repositories.
The more widely accessible our records are the more likely it is that someone who needs to care for us can access them – which is good. It is also more likely that the information might be seen by individuals whom we do not know, and for purposes we would not agree with – which is the bad side of the story.
It appears that there is no easy way to balance privacy with access – any record system represents a series of compromises in design and operation that leave the privacy wishes of some unmet, and the clinical needs of others ignored.
Core to this trade-off is the choice of consent model. Patients typically need to provide their consent for their health records to be seen by others, and this legal obligation continues in the digital world.
Patient consent for others to access their digital clinical records, or e-consent, can take a number of forms. Back in 2004, working with colleagues who had expertise in privacy and security, we first described the continuum of choices between patients opting in or out of consent to view their health records, as well as the trade-offs associated with either choice (Coiera and Clarke, 2004).
Three broad approaches to e-consent are employed.
- “Opt out” systems, in which a population is informed that, unless individuals request otherwise, their records will be made available to be shared.
- “Opt in” systems, in which patients are asked to confirm that they are happy for their records to be made available when clinicians wish to view them.
- Hybrid consent models, which combine an implied consent for records to be made available with an explicit consent to view.
Opt-in models assume that only those who specifically give consent will allow their health records to be visible to others; opt-out models assume that record accessibility is the default, which is removed only if a patient actively opts out of the process. Opt-out models maximise ease of access to, and benefit from, electronic records for clinical decision making, at the possible expense of patient privacy protections. Opt-in models have the reverse benefit, maximising consumer choice and privacy, but at the possible expense of record availability and usefulness in support of decision making (Figure 1).
Figure 1 – Different forms of consent balance clinical access and patient privacy in different proportions (from Coiera and Clarke, 2004)
All of the United Kingdom’s shared records systems now employ hybrid consent models of one form or another. Clinicians can also ‘break the glass’ and access records if the patient is too ill or otherwise unable to consent. In the US a variety of consent models are used, and privacy legislation varies from state to state. Patients belonging to a Health Maintenance Organisation (HMO) are typically deemed to have opted in by subscribing to the HMO.
How do we evaluate the risk of one consent model over others?
The last decade has made it very clear that, at least for national systems, there are two conflicting drivers in the selection between consent models. Those who worry about patient privacy and the risks of privacy breaches favour opt-in models. Governments that worry about the political consequences of being seen to invade the privacy of their citizens thus gravitate to this model. Those who worry about having a ‘critical mass’ of consumers enrolled in their record systems, and who do not feel that they are at political risk on the privacy front (perhaps because, as citizens, our privacy is being so rapidly eroded on so many fronts that we no longer care), seem comfortable going the opt-out route.
The risk profiles for opt-in and opt-out systems are thus quite different (Figure 2). Opt-out models risk making health records available for patients who, in principle, would object to such access but have not opted out. This may be because they were either not capable of opting out, or were not informed of their ability to opt out.
For opt-in models, the greatest risk to a system operator is that important clinical records are unavailable at the time of decision making, because patients who should have elected to opt in were either not informed that they should have a record, or were not easily capable of making that choice.
Other groups, such as those who are informed and do opt-out, may be at greater clinical risk because of that choice, but are making a decision aware of the risks.
Figure 2: The risk profiles for opt-in and opt-out patient record systems are different. Opt-out models risk making records available for patients who in principle would object to such access, but were not either capable or informed of their ability to opt-out. For opt-in models, the risk is that important clinical records are unavailable at the time of decision making, because patients who should have elected to opt-in were neither informed nor capable of making that choice.
Choosing a consent model is only half of the story
In our 2004 paper, we also made it clear that choosing between opt-in and opt-out was not the end of the matter. There are many different ways in which we can grant clinicians and others access to records. One can have an opt-in system that gives clinicians free access to all records with minimal auditing – a very risky approach. Alternatively, one can have an opt-out system that places stringent gatekeeper demands on clinicians to prove who they are and that they have the right to access a document, that audits their access, and that allows patients to specify which sections of their record are in or out – a very secure system.
Figure 3 – The different possible functions of consent balance clinical access or patient privacy in different proportions. The diagram is illustrative of the balances only – thus there is no intention to portray the balance between access and privacy as equal in the middle model of e-Consent as an audit trail. (From Coiera and Clarke, 2004)
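The two dimensions the post separates, the consent model that sets the default visibility of a record (the opt-in/opt-out discussion above and Figure 1) and the governance applied to each access (gatekeeper identity check, right of access, audit trail, patient-specified section exclusions, and audited break-the-glass access), can be shown together in a small policy model. The code below is an added illustration written for this page; it is not the authors' or any real system's code, and the clinician, patient and section names are constructed.

```python
"""Consent-aware access check for a shared health record (constructed example).

Separates the consent model (opt-in vs opt-out default) from the governance
around each access: authenticated clinician, treatment relationship,
section-level patient exclusions, an audit trail for every decision, and
break-the-glass emergency access that is flagged for later review.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class ConsentModel(Enum):
    OPT_IN = "opt-in"    # records hidden unless the patient has consented
    OPT_OUT = "opt-out"  # records shared unless the patient has objected


@dataclass
class PatientConsent:
    patient_id: str
    # None: the patient never expressed a choice, so the model's default applies.
    # True/False: an explicit opt-in or opt-out, which always wins.
    choice: Optional[bool] = None
    # Sections the patient has excluded even though the record is shared overall.
    excluded_sections: set = field(default_factory=set)


@dataclass
class Clinician:
    user_id: str
    authenticated: bool
    # Patients with whom this clinician has a registered treatment relationship.
    treating: set = field(default_factory=set)


@dataclass
class AuditEvent:
    user_id: str
    patient_id: str
    section: str
    outcome: str  # "granted", "denied" or "emergency"
    reason: str


class RecordAccessPolicy:
    def __init__(self, model: ConsentModel):
        self.model = model
        self.audit: list = []

    def _record_shared(self, consent: PatientConsent) -> bool:
        if consent.choice is not None:
            return consent.choice                     # explicit choice wins
        return self.model is ConsentModel.OPT_OUT     # otherwise the default

    def check(self, user: Clinician, consent: PatientConsent, section: str,
              break_glass_reason: Optional[str] = None) -> bool:
        """Return True if access is allowed. Every decision is audited."""
        pid = consent.patient_id

        def log(outcome: str, reason: str) -> bool:
            self.audit.append(AuditEvent(user.user_id, pid, section, outcome, reason))
            return outcome != "denied"

        # Gatekeeper step 1: prove who you are. Never bypassed, even in emergencies.
        if not user.authenticated:
            return log("denied", "unauthenticated user")
        # Break-the-glass: consent is bypassed, but the access is recorded
        # separately so it can be reviewed after the fact.
        if break_glass_reason:
            return log("emergency", f"break-the-glass: {break_glass_reason}")
        # Gatekeeper step 2: a right to access this patient's record.
        if pid not in user.treating:
            return log("denied", "no treatment relationship")
        # Consent model: default visibility plus the patient's explicit choice.
        if not self._record_shared(consent):
            return log("denied", f"record not shared under {self.model.value}")
        # Patient-specified section exclusions.
        if section in consent.excluded_sections:
            return log("denied", f"section '{section}' excluded by patient")
        return log("granted", "consent and governance checks passed")

    def emergency_accesses(self) -> list:
        """Break-the-glass events a privacy officer should review."""
        return [e for e in self.audit if e.outcome == "emergency"]


def demo(model: ConsentModel) -> dict:
    """Run the same requests against a policy using the given consent model."""
    policy = RecordAccessPolicy(model)
    gp = Clinician("dr-example", authenticated=True, treating={"pt-001", "pt-002"})
    stranger = Clinician("unknown", authenticated=False)
    silent = PatientConsent("pt-001")                      # never made a choice
    restricted = PatientConsent("pt-002", choice=True,
                                excluded_sections={"mental-health"})
    return {
        "silent_meds": policy.check(gp, silent, "medications"),
        "restricted_meds": policy.check(gp, restricted, "medications"),
        "restricted_mh": policy.check(gp, restricted, "mental-health"),
        "stranger": policy.check(stranger, silent, "medications"),
        "emergency": policy.check(gp, silent, "allergies",
                                  break_glass_reason="unconscious in ED"),
        "flagged": len(policy.emergency_accesses()),
    }


if __name__ == "__main__":
    for m in ConsentModel:
        print(m.value, demo(m))
```

Running `demo` under both models shows the point of the section: only the patient who never expressed a choice is treated differently by opt-in versus opt-out, while the gatekeeper, section-exclusion and audit behaviour is identical and is where most of the real protection lives.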
So, whilst we need to be clear about the risks of opt in versus opt out, we should also recognise that it is only half of the debate. It is the mechanism of governance around the consent model that counts at least as much.
For consumer advocates, “winning the war” to go opt-in is actually just the first part of the battle. Indeed, it might even be the wrong battle to be fighting. It might be even more important to ensure that there is stringent governance around record access, and that it is very clear who is reading a record, and why.
- Coiera E, Clarke R. e-Consent: The design and implementation of consumer consent mechanisms in an electronic environment. J Am Med Inform Assoc. 2004;11(2):129-140.
I agree that there’s been very little progress in public policy in this area since we did this work in 2001-03.
As a result, public trust in the handling of their health care data is plummeting. DoH bureaucrats have spent the last two decades imposing a collectivist view on people, demanding that they give up their private health data for the presumed good of public health (and auditors, and fraud investigators, and insurers, and researchers).
If trust is to be recovered, consent has to be re-established as the primary basis for data access.
There’s a strong bureaucratic desire for open access to private health data. Some of the data that is expropriated for other purposes is subject to some degree of protection, through processes that are referred to as anonymisation or de-identification.
The problem is that rich data-sets (such as virtually all health care data) are extremely challenging to de-identify.
Currently, assurances that the vast quantities of data that are passed across to researchers and corporations are de-identified are basically laughable. Re-identification techniques are capable of re-associating a substantial proportion of the records with the people they relate to.
However, supposing we could devise a specification of what’s required to actively falsify the data-set, so that each individual record is no longer usable to draw any inferences – and is known to be unusable.
Then maybe it would be possible to apply a combination of so-called ‘data perturbation’ techniques to satisfy that specification.
The trick of course is to perform data falsification in such a way that, although individual data-records are useless, the data-set retains statistical value for particular purposes.
Although this sounds magical, it may not be. It’s an active area of research. If serious progress is made, it may become possible for data-sets to be disclosed without the wholesale breaches of privacy that are currently occurring. If public trust is to be recovered, the research had better proceed very quickly.
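The comment above describes a specification under which each individual record is deliberately falsified, and known to be unreliable, while the data-set keeps its statistical value. Randomized response is one well-known ‘data perturbation’ technique that meets exactly that description, and the code below, added here as an illustration and not the commenter's own method, shows it on a constructed binary attribute (say, whether a record carries a given diagnosis). The prevalence, sample size and seed are constructed values.

```python
"""Randomized response as a data perturbation technique (constructed example).

Each record's true yes/no value is reported honestly only with probability
p_truth; otherwise a coin flip is reported instead. Because the falsification
rate is known, the population rate can still be estimated without bias from
the perturbed records, even though no single record is reliable.
"""
import random


def perturb_record(true_value: bool, p_truth: float, rng: random.Random) -> bool:
    """Report the true value with probability p_truth, else a random bit."""
    if rng.random() < p_truth:
        return true_value
    return rng.random() < 0.5


def estimate_true_rate(reported_yes: int, n: int, p_truth: float) -> float:
    """Invert the perturbation.

    If p is the true rate, the expected reported rate is
        q = p_truth * p + (1 - p_truth) / 2
    so p is recovered as (q - (1 - p_truth) / 2) / p_truth.
    """
    q = reported_yes / n
    return (q - (1 - p_truth) / 2) / p_truth


def simulate(n: int, true_rate: float, p_truth: float, seed: int = 7) -> dict:
    """Build a constructed data-set, perturb every record, and compare
    the true prevalence with the estimate recovered from perturbed data."""
    rng = random.Random(seed)
    truth = [rng.random() < true_rate for _ in range(n)]
    reported = [perturb_record(v, p_truth, rng) for v in truth]
    actual = sum(truth) / n
    estimate = estimate_true_rate(sum(reported), n, p_truth)
    # Share of individual records whose reported value is simply wrong:
    # this is the 'known to be unusable' property of each single record.
    flipped = sum(t != r for t, r in zip(truth, reported)) / n
    return {"actual": actual, "estimate": estimate, "flipped": flipped}


if __name__ == "__main__":
    result = simulate(n=20000, true_rate=0.3, p_truth=0.5)
    print(f"true rate {result['actual']:.3f}, estimate {result['estimate']:.3f}, "
          f"records falsified {result['flipped']:.3f}")
```

With `p_truth = 0.5`, roughly a quarter of all records carry a false value, so an individual record tells an observer very little, yet the aggregate estimate lands close to the true rate for a data-set of this size. The trade-off the comment alludes to is visible in `estimate_true_rate`: the smaller `p_truth` (more privacy per record), the larger the variance of the estimate, so the data-set is useful only for purposes whose statistics survive that added noise.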