Big Data, HIPAA, and the Common Rule: Time for Big Change?
UVA Law Faculty Affiliations
The Health Insurance Portability and Accountability Act (HIPAA) was a laudable attempt to get in front of developing issues with health privacy and the networking of data. But it was too early, now out of date, and way too complicated. We now operate in a world of networked medicine, ideally combining social networks, disease networks (human disease associations, especially those based on genomic characteristics), and pathophysiologic networks (physiologic and biochemical characteristics of disease). A tremendous amount of useful data may come from sources outside the typical health record. For example, pharmaceutical and laboratory research and development (R&D) data and patient behavior and preferences may be found outside the HIPAA firewall. Those data may be more actionable than the medical record.
Fundamental characteristics of Big Data challenge the structure of how we regulate human subjects research, the impact of HIPAA, and how we think of healthcare itself. The analysis of Big Data related to healthcare is often for a different purpose than the purpose for which the data were originally collected. This challenges notions of meaningful consent – or even what consent might mean. The volume of data used for Big Data purposes means that it comes from many sources, often outside the purview of any oversight. In addition, none of the current regulations deal with issues of ownership. These data have rapidly increasing commercial use, and individuals assign ownership of their data to commercial entities without much thought. At the same time, regulations impose inconsistent and sometimes onerous obligations on researchers.
Big Data really begs for a comprehensive, nonsectoral approach. HIPAA imposes a tangled web of regulation that hampers the use of healthcare data, especially their use with data from other sources. This requires us to fully examine the question: are data derived from healthcare interactions really different from other personal data? How can or should we move beyond HIPAA to both protect individuals from risk borne by improper use of healthcare data and make those data more freely available for research?