The development of automated systems and methods for exchanging private information such as medical records and data between various healthcare stakeholders has been attempted and found to be technically and logistically challenging, particularly at large scale. Such systems and methods involve challenges such as digitizing paper records, connecting disparate systems, securing electronic channels, authenticating identity, developing broadly-accepted semantic structures, and navigating legal/regulatory requirements. As an infrastructure for such systems and methods develops, improved methods for regulating the flow of private data are needed in order to fulfill a number of key operational functions attendant to satisfying legal and regulatory requirements and to engender trust in the system.
Such systems for regulating the flow of data must address potentially conflicting interests from various stakeholders. For example, in the case of healthcare information, the individual to whom such records pertain may prefer that no one see certain parts of their medical information under any circumstance, while a healthcare worker, researcher or public health official may wish to use that information for providing services and securing timely payment, conducting research, or verifying compliance, each with varying needs for data access and the right to share at least some portion of the data (or information derived from it) with others.
Similarly, a company selling health-related products or services may wish to utilize the information to target marketing messages to the data subject, with the hope of increasing sales. To the extent the data subject values these goods and services, this use of the consumer's private information may be highly useful and appreciated. However, the use of non-public information to generate this targeted marketing message—particularly if it is not viewed as being of benefit—could be considered by the data subject (and in some cases, by the law) as a violation of the individual's right to privacy, and the use or release (particularly if sold) of the information that gave rise to this offer as having been a breach of trust by the party to whom the person initially provided the data.
Different jurisdictions have addressed these sorts of conflicting interests with a set of heterogeneous laws such that the country has multiple (and at times contradictory) rules associated with data use and sharing, including (in some instances) the requirement for, and content of, notices of privacy practices and express authorization that may be required. Generally speaking, when such state laws are more stringent than the federal law regarding limitations imposed on the use and/or disclosure of this information, state laws are given precedence; and when the federal law is more restrictive than under the applicable state statute, the federal law takes precedence. Despite concerted efforts to “harmonize” these regulations in an effort to make implementing data exchanges across jurisdictional boundaries less challenging legally, the heterogeneity of jurisdictionally distinct laws and applicable regulations persists. Moreover, each institution or corporate entity that holds such information (individually referred to herein as a “data holder,” or collectively as “data holders”) may within the broad bounds of governing laws and/or guidelines develop its own policies and procedures for when data is released, or when (by way of non-limiting example) express consent by the individual to whom such records pertain, or their designated agent or representative, is required.
Such data holder privacy policies are commonly lengthy, exceedingly complex, and generally filled with legal terminology. Some groups criticize such policies for being excessively restrictive and representing an impediment to meaningful data exchange, and others criticize these policies for being overly permissive and deceptive by virtue of creating the appearance of protections that are far greater, they contend, than is actually the case. And nearly everyone criticizes the written policies for being incredibly difficult to understand, full of obfuscated language, and of extremely limited practical value. Accordingly, whether it pertains to signing the mandatory Acknowledgement of Privacy Policies notice required by HIPAA on a paper form in the presence of a witness, or clicking on the “agree” box in the case of online click-through policy disclosures, clearly a majority of consumers perceive that, beyond wholesale opt-out, they have no other choice and thus consent so they can get on with their transactions. For these reasons, such blanket and arguably uninformed consent practices are also troubling to a number of advocacy groups, regulatory officials and lawmakers.
Complicating matters even further, applicable laws, regulatory policies, institutional rules, and consumer wishes respecting the right to access, employ and/or share private data are inherently subject to changes over time as political will or personal preferences shift, as concerns are exposed in the media or through investigative studies, or in response to changes in circumstance, knowledge, awareness or perspective. This is true not only in healthcare, but also across a large number of fields of use. A non-limiting list of fields presenting similar challenges and for which the instant invention is relevant includes financial and investment documents and services; official documents and e-government services; legal, employment and educational documents; online social networking, gaming and behavioral marketing; online lead generation; search engine usage; geo-location, cyber-security, law enforcement, and energy [smart grid].
The regulatory framework for privacy issues worldwide is currently in flux and is likely to remain so for the foreseeable future. Practices regarding the collection, use, storage, transmission and security of personal information by companies operating over the Internet, using mobile platforms and employing location-based technologies have increasingly come under public scrutiny, and civil claims alleging liability for the breach of data privacy have been asserted against numerous healthcare, social networking, online marketing and Internet search firms. The U.S. government, including the Federal Trade Commission (FTC) and the Department of Commerce, has announced that it is reviewing the need for greater regulation over the collection of information concerning consumer behavior on the Internet, potentially including regulations aimed at restricting certain targeted advertising practices. In addition, the European Union is in the process of proposing reforms to its existing data protection legal framework, which may result in a greater compliance burden for companies with users in Europe; and judicial decisions in several recent European court cases against Google and other large data holders have shown an increasing trend towards empowering consumers to control what data about themselves may be disclosed online when it is objectionable to them.
In 2009, in conjunction with adoption of the Health Information Technology for Economic and Clinical Health (or HITECH) Act, Congress adopted what some observers describe as being the most sweeping new privacy regulations focusing on healthcare data since 1996, when HIPAA was initially enacted. HITECH directs a federal investment of over $20 billion into health information technology (HIT) infrastructure and establishes strong incentives to encourage doctors and hospitals to use standards-based HIT systems to electronically exchange patients' health information. In conjunction with this bold stimulus effort to advance health data exchange (and to some degree borne out of associated concerns by consumer interest groups over attendant privacy risks and other implications), HITECH expressly mandates strengthening federal privacy and security laws to protect identifiable health information from misuse.
As the foregoing overview suggests, there presently exist significant challenges in seeking to apply to confidential information (as well as databases and/or documents containing at least some confidential information) otherwise highly effective, in many cases already widely employed, Internet-based technologies such as search engines, social networks, inference engines, location and behavioral tracking, and data mining. Difficulties arise from trying to apply these technologies, which were designed for publicly accessible data, to the rigors of simultaneously adhering to potentially highly restrictive, heterogeneous, and ever-changing data access and usage restrictions commonly associated with private data. And these challenges are multiplied by data replication, mirroring and packet transmission technologies that are used to minimize latency, address load variations, and assure high reliability—all of which system users today take as givens for leading websites and web-based services. Accordingly, a number of observers have gone so far as to assert that it is impossible to reconcile traditional notions of privacy with these sorts of networked technologies and increasingly pervasive database integration tools and techniques; and thus, in deference to the benefits these technologies can afford, privacy should no longer be anticipated.
To at least some degree, the challenge of designing sufficient tools for data regulation, distributed management, and accountability arises in part from the design of the Internet, and from conscious tradeoffs that have been made in its fundamental architecture. As described in the 1988 review paper entitled “Design Philosophy of the DARPA Internet Protocols,” this architecture intentionally does not presume that the underlying networks themselves can support multiple types of services, in part because this would violate one of the fundamental goals, which was to support all existing networks as well as new innovations that extend beyond what can even be foreseen. Instead, the hope was that multiple types of services could be constructed out of the basic datagram building block using algorithms within the host and the gateway, and that on the other side of what is commonly referred to as the architecture's “narrow waist,” a number of different transport protocols could be used to provide all sorts of services and incorporate different networks and network providers.
Thus, although the Internet makes it possible in principle for any sort of data to flow from any device to anyplace over virtually any means, it has historically done a poor job in respecting authority and governance issues and taking into account privacy issues because in a very real sense, its fundamental architecture simply wasn't designed with these needs in mind—or perhaps more forgivingly, the needs were recognized, but were not as high on the list of priorities at the time. Rather, the central philosophy of the architecture was (and to a large measure still is) to support as many networks as possible and to enable the universal interconnection of multiple networking technologies and heterogeneous links into a single interoperable network.
While this has worked extremely well in many respects, it can also be observed that some of the more significant anxieties regarding the Internet and the application of Internet-based systems and methods with respect to confidential information arise from the tradeoffs made in adopting such a ubiquitous philosophy. Thus, as entities increasingly seek to employ the Internet and Internet-based systems as a means for communicating confidential information such as medical records, financial information, and a wide array of sensitive and/or personally identifying characteristics that are highly desirable for some persons and systems to see and utilize, but potentially damaging or embarrassing if shared ubiquitously, this presents a unique challenge.
Without meaningfully addressing the issue of data flow regulation, already prevalent problems such as data misuse, privacy breaches, and legal violations are likely to become even more frequent as use of these technologies proliferates. It is widely known that today's Internet companies are constantly being criticized for perceived privacy violations. Federal and state regulators, investors, and consumers all want to be assured that data holders are, on the one hand, adequately addressing consumers' reasonable concerns about minimizing privacy risk (and, from the data holders' perspective, associated concerns about reducing the risk of privacy violations), and, on the other hand, ensuring that privacy protections do not foreclose the numerous benefits to be gained from greater data liquidity, including improved services, cost savings, and increased revenue and profits.