Lawyers to Feds: Decentralized Drug Tracker Passes Privacy Test
BY Nancy Scola | Thursday, July 23 2009
I read long and ridiculously legalistic oversight reports so that you don't have to, my friends. Seriously, can I get a raise? I know, the 91-bleeping-page "Analysis of Legal Issues Related to Structuring FDA Sentinel Initiative Activities" doesn't sound like something we'd care about here, where we have constant eyes are on the sweet spot at the intersection of technology and politics. But ooh boy, it is. Let me 'splain.
Back in May 2008, the Food and Drug Administration a handful of creative and forward-thinking sorts at the Food and Drug Administration launched a system called Sentinel. The problem that Sentinel is meant to solve is this: what public health officials know about how pharmaceutical drugs perform after they've gone to market ranks somewhere in between "abysmal" and "horrendous." At a recent meeting of the FDA Transparency Task Force, for example, a mother told the assembled officials that it was only after her teenage son died from complications from leukemia brought on by taking a drug to treat Crohn's Disease that she found out that the drug her son was taking tends to create blood cancers in young men.
What Sentinel would do, which would be groundbreaking, is to create a standard, a system, through which all that we know about drugs and medical devices that is locked inside electronic health records is extracted. With it, we might finally paint a picture of what drugs actually do out in the world. Think Google Trends for prescription drugs. The flip side, of course, is that unlocking the power of Sentinel also means unlocking some of the most personal information that a human being has -- information on their health. So the question that has been on the mind of Sentinel's advocates is, can we really build a system that respects patient privacy while unleashing the power of our collective electronic medical data?
In short, the answer is yes. At least, that's the finding of the above-mentioned report by outside legal counsel. You can stop reading here if your curiosity is satisfied with the short answer, or you can join me after the break for the nitty gritty.
As you might know, the most powerful law guiding patient privacy in the United States is the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. The irony is that HIPAA was meant, in large part, to supercharge U.S. adoption of electronic health systems by easing patients' minds about their privacy. Nervous types at FDA, though, have been worried that HIPAA might prohibit exactly the type of information sharing that Sentinel aims to do. That might be somewhat true, said the lawyers, but still, there are ways.
The most straightforward way for Sentinel to stay in compliance would be to completely separate patient information from medical information, so that the records used would be more or less anonymous. And here, say the lawyers, the creators of Sentinel did themselves a real favor by opting to architect a decentralized system -- where medical data stays in the hands of the health care provider or Medicare database or patient electronic health record -- rather than doing it the old school way of having hundreds of thousands or even millions of medical records compiled by FDA. Says the report:
The creation of a distributed data network that leaves individually identifiable data at the data source, versus creating a centralized database for analysis, alleviates many of the privacy concerns that might otherwise surround the transmission of individually identifiable data to the FDA or its partners.
Beyond that, the lawyers' advice is fairly simple: those holding medical data should report it out to public health officials under the HIPAA provisions that make exceptions for public health concerns. (I've obviously condensing things here. Read the report if you really want to get in the weeds.) Whether Drug X is killing people right and left is no doubt a public health concern, and if we can use data to stop some of those bad effects in their tracks, we should do it. Things get a bit trickier when you consider state laws on things like mental health and HIV/AIDs privacy, but that's the gist.
(Photo by Nuevo Anden)