by Gharaza Nasir

Graphic design by Yu-Wen Jan

In an age when medicine is becoming as personalized as the technology people use daily, its potential to transform healthcare is undeniable. However, behind every individualized treatment lies a network of data that is powerful, yet vulnerable. A data breach can cause unimaginable damage to millions, thus it is only natural to expect patients to demand the highest standards of privacy and security of their medical data.

Data is essential to modern medicine; being highly valuable to clinicians in creating personalized treatments for patients. Medical data encompasses various types of patient information that will improve individual care, advance research, and drive innovations in treatment. This data is widely used and collected in healthcare to understand patient health and develop disease interventions. One example is genomic data, which includes a patient’s genetic makeup and can pinpoint genetic predispositions for diseases.¹ Another example is imaging data, which comes from X-rays, MRIs, ultrasounds, and CT scans, and is crucial for diagnosing and monitoring patient conditions. Imaging data is increasingly being used in AI-based diagnostic tools to detect trends and anomalies in diseases.¹ Blood tests, biopsies, and other laboratory tests further provide critical information on various disease markers, which can assist in diagnosing and monitoring patient health.¹

In the United States (U.S.), several data leaks have been recorded over the years.² Two notable events are the cyber attacks on Anthem in 2015 and Change Healthcare this past year.^2,3 The attack on Change Healthcare affected almost 100 million individuals.² This data breach broke records, surpassing Anthem as the largest known breach of protected health information at a Health Insurance Portability and Accountability Act (HIPAA) regulated entity.³ 

It is undeniable that entities like Anthem and Change Healthcare handle vast amounts of personal patient data; however, contrary to public misconceptions, they are tightly regulated under stringent laws such as HIPAA.³ While public concern over data privacy with third-party organizations is valid, it is essential to recognize that precautions exist to protect patient data. For example, after Anthem’s data leak, the organization faced a $16 million penalty, the largest HIPAA settlement to date.³ HIPAA, enforced by the Office for Civil Rights (OCR), mandates frequent risk assessments and imposes strict access controls to prevent such incidents.³ Through these regulations and penalties, entities like Anthem are held accountable, underscoring that strong systems are in place to protect data privacy even in a landscape of evolving security risks. 

While American laws like HIPAA and OCR enforce strict data privacy regulations, these measures do not directly translate beyond U.S. borders. Though Canadian healthcare is not reliant on third-party organizations, patient privacy still remains a high priority, with the Canadian healthcare system enforcing rigorous protocols on the collection, use, and protection of patient information.⁴ The Personal Information and Electronic Documents Act (PIPEDA), is a federal law that protects all personal information.⁴ Additionally, provinces and territories have their own legislation that addresses data privacy and protection in healthcare. In Ontario, the Personal Health Information Protection Act (PHIPA) includes several provisions to protect patient data and respond to breaches through actions like reporting abnormalities to the Information and Privacy Commissioner of Ontario (IPC), risk assessment, training programs, and, most importantly, public awareness.^5,6 

These protections highlight important ethical questions surrounding data sharing in healthcare. With increasing reliance on digital information systems and data-driven treatments, there is a growing need to balance the benefits of shared patient data with the ethical duty to respect privacy and autonomy. Key considerations include ensuring patients fully understand how their data will be used, obtaining informed consent, and safeguarding their rights to control personal information.⁷ Navigating these ethical dimensions is crucial to building trust and maintaining the integrity of patient-centered care across healthcare systems globally. For instance, what are the implications of the opt-in and opt-out models?⁷ How do these models differ in patient control over personal data or their trust in the healthcare system? Opt-in requires patients to actively agree to share their data; ensuring they make conscious choices about data use.⁷ Comparatively, the opt-out model assumes consent of the patient by default, meaning their data can be shared automatically unless they say otherwise.⁷ 

Consent models like opt-in and opt-out provide autonomy to patients over how their data is shared, but it is only part of the whole picture. As data sharing needs grow, especially in research and public health, safeguarding privacy becomes more complex. This is where data anonymization comes in. By removing identifiable information, like a patient’s name, address and financial information, healthcare providers can share valuable insights while protecting individual privacy.⁸ However, the effectiveness of traditional anonymization methods is increasingly challenged by advancements in AI, which occasionally re-identifies individuals from these seemingly anonymised datasets.⁸ Newer techniques are being explored to combat these challenges and are essential in building a robust privacy framework. 

The journey forward in data security is ongoing. As we look to the future, protecting patient data requires technological solutions and a dedicated commitment from healthcare professionals. Beyond implementing secure data practices, healthcare workers hold the responsibility of educating patients and the public on their rights, thereby empowering them to make informed decisions. Particularly in the age of AI and its integration within the healthcare system, full transparency with patients will not only enhance patient trust, but will also encourage wider participation in research, as individuals feel more confident sharing information when they understand how it will be protected and used. By fostering a culture of openness and communication, healthcare providers can build lasting trust and ensure that patient privacy remains a priority as data-driven, AI-enhancing medicine continues to evolve. 

References

1. Gupta V, Sachdeva S, Dohare N. Deep similarity learning for disease progression. Trends in Deep Learning Methodologies; 2021. https://doi.org/10.1016/B978-0-12-822226-3.00008-8. 
2. The HIPPA Journal. Healthcare Data Breach Statistics [Internet]; 2024 [cited 2024 Nov 8]. Available from https://www.hipaajournal.com/healthcare-data-breach-statistics/ 
3. US Department of Health and Human Services. Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history [Internet]; 2018 [cited 2024 Nov 8]. Available from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html 
4. Government of Canada. Personal Information Protection and Electronic Documents Act [Internet]. Government of Canada: Justice Laws Website; 2024 [cited 2024 Nov 8]. Available from: https://laws-lois.justice.gc.ca/eng/acts/p-8.6/page-1.html#h-416888
5. Information and Privacy Commissioner of Ontario. [Internet]. IPC; 2024 [cited 2024 Nov 8]. Available from https://www.ipc.on.ca/en  
6. Aziz S. Cyberattacks on Canadian health care are increasingly common. What can be done? [Internet]. Global News; 2023 [cited 2024 Nov 8]. Available from: https://globalnews.ca/news/10103261/health-care-cyberattacks-canada/ 
7. De Man Y, Wieland-Jorna Y, Torensma B, et al. Opt-In and Opt-Out Consent Procedures for the Resuse of Routinely Recorded Health Data in Scientific Research and Their Consequences for Consent Rate and Consent Bias: Systematic Review. J Med Internet Res. 2023;25;e42131. PMID: 36853745; PMCID: PMC10015347. 
8. Olatunji IE, Rauch J, Katzensteiner M, et al. A Review of Anonymization for Healthcare Data. Big Data. 2022 March 10. doi: 10.1089/big.2021.0169.