DataBreaches.Net


Researchers seek medical data use without patient permission

Posted on November 27, 2014 by Dissent

Joseph Conn reports:

The American Medical Informatics Association is asking Congress to amend a central federal healthcare privacy rule, in order to give medical researchers access to patient records without their consent.

A see-saw battle has been waged at the federal policy level for more than a decade over patient consent regarding medical records, with patient privacy advocates arguing that control over information about one’s self is the definition of privacy.

So, not surprisingly, a leading privacy advocate reacted negatively to the AMIA request.

“It’s shocking that they don’t have enough data yet, they’re going after more?” said Dr. Deborah Peel, a psychiatrist who heads the Patient Privacy Rights Foundation in Austin, Texas. “We completely support the opinion that every research use should be disclosed to the patient.”

Read more on Modern Healthcare.

It’s not just disclosure, of course, that’s at issue. It’s also the issue of consent or, at the very least, the right to opt out of use of PHI.

This blogger believes that Congress should not amend HIPAA to permit research use of PHI without patient consent.



2 thoughts on “Researchers seek medical data use without patient permission”

  1. Anonymous says:
    November 27, 2014 at 11:50 am

    Since 2001, HIPAA has allowed very broad access to patients’ health data for “12 national priority purposes” without consent, including for “research” use (See: 45 C.F.R. § 164.512.).

    But patients have no knowledge whether there are 100s or 1000s of disclosures of their health data for “research” or what corporations or entities have their health data. Further, only 1% of the public would agree to allow unfettered access to their health data for “research” (See Westin’s survey for the IOM: http://patientprivacyrights.org/wp-content/uploads/2010/01/WestinIOMSrvyRept.pdf – see slide #27).

    The “research” loophole in HIPAA allows corporations to use patient health data w/o consent, because there is no definition of who/what can conduct “research”. This loophole led to the creation of a massive hidden US health data broker industry–not to what Congress expected: genuine academic research designed to benefit patients instead of corporate revenues.

    US patients’ health data is the most valuable data in the Digital Age, therefore Patient Privacy Rights believes the public should have the right to know what’s going on by having access to real-time “accounting for disclosures” of all “research” uses of health data.

    See below for language in the citation on the HIPAA “research” loophole that allows the use of health data w/o consent, from the “OCR Summary of the HIPAA Privacy Rule”: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf :

    “Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes”:

    “Research. “Research” is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.”

    1. Anonymous says:
      November 27, 2014 at 11:54 am

      Thanks for your informative comment, Deb. You and I are on the same page about this nonconsensual use of patient information. If HIPAA’s to be amended, it should be to grant more control to patients, not less.
