What is medical data?
Probably the image that first pops into everyone's mind is the old folder - or maybe clipboard - holding a lot of paper with test results, charts, and doctors' notes. Fairly quickly that's replaced with the image of today's world as we think we know it: a computer screen showing that same information in a relatively structured way. The most modern of us imagine not a desktop screen on a doctor's desk but a smartphone with that same information. What we're still thinking of, however, is the paper file, however translated into an electronic record.
We are wrong.
This was the lesson of a panel Wednesday morning at the Privacy Health Summit. A lot of things that we don't think of as health data are nonetheless health data.
Start with apps and the information they collect as they count steps, watch your heart rate, remind you to take your pills. Kathryn Serkes tried to keep track of the proliferating health app field but finally stopped counting at 12,000. Sleep apps play white noise and promise an end to insomnia; Sleep Cycle monitors your movements in bed so it can wake you at the most favorable time. Other apps track gym activities or glucose levels, manage eating disorders, provide advice about symptoms. Still others are provided by companies for whom they're marketing tools: Nike training apps, Playtex Period Tracker.
Serkes went on to list the data generated by genealogical research, which may be correlated with genetic information. Inside companies workplace wellness programs encourage employees to disclose health-related information that their employees now can access. Even retail shopping data may be health-related. You've started buying a bigger size; you put on weight - or are pregnant. On top of that is the good, old standby, records of search queries: does looking up diabetes on Webmd mean you're "diabetic-concerned"? Finally, there's the burgeoning category of what Andrew Matwyshyn called "consumer-generated health information", the stuff the quantified self people are tracking and sharing at meetings and conferences, and, of course, online.
The general point was that all of these myriad types of data are health data - but we do not think of them in that light, and they are not regulated as health data.
In the US, the key piece of legislation governing health data is the Health Insurance Portability and Accountability Act (1996). As Nicolas Terry said, both privacy advocates and those regulated by HIPAA have written screeds "eviscerating" it. But: "For thirteen or fourteen years we've all said that HIPAA protects most of our health data most of the time. That reality no longer exists."
The situation is a bit different in countries that, like the UK, have both nationalized health care and data protection laws (at least the first of which, I note in passing, Serkes would certainly campaign against). In the UK no one has yet suggested that care.data might expand to include these newer types of data. For the moment, NHS has little direct access to them. However, this will change soon in all countries. Implanted medical devices already send data to physicians for review, and it's logical that they will extend their oversight to data collected by apps used as part of a treatment regime. Many countries also are talking about ways to use various monitoring technologies to keep elderly and disabled people more safely in their homes for longer. These systems could be built with privacy in mind so that they only summon help when it's needed - but today's mindset seems likely to dictate that they should instead act as constant informants about their charges' activities.
This is less a problem in the EU, where, as Terry pointed out, data protection legislation governs all sectors. In the US those disparate levels already exist: a patchwork covers (some) individual domains, notably finance, health, genetics, and video rental. Unfortunately, "Data likes to be free, and when you have multiple domains data tends to flow to the least-regulated domain."
This all led up to Frank Pasquale, who asked this question: "Do we want to live in a world where people have a body score that's as important and as pervasive as their credit scores? This is the world we're moving into right now."
He listed some examples. The credit card company that found a correlation between getting marriage counseling and defaulting on debts. Result: going for marriage counseling triggers a rise in your interest rate and a lower credit limit. Credit scoring, after all, began as a way of assessing the likelihood that an applicant would default on a loan. Now those scores appear in decisions about health insurance, employment, and other uses they were never designed for. So Pasquale asked: "What happens if we put all the big data databases together. Will it render HIPAA's gains nugatory?"
The clear perimeter that used to delineate health data is vanishing; it is no longer solely collected by experts in formal settings. In countries with solid data protection regimes it may not matter. In the US, the closest comparison seems to me to be Bring Your Own Device in businesses today. Both situations raise the question: do you know where your data is?
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.