There are really good reasons for privacy policies, particularly in the field of healthcare. Patients have a right to keep their sensitive data to themselves, and when anyone can call and ask questions about someone else’s physical and mental health, it opens a huge can of worms, even becoming dangerous to the individual in question.
This happened often enough in the past that the government created strict healthcare privacy policies to prevent unauthorized access to sensitive medical information, with severe consequences like fines and jail time for those who disregard these laws and guidelines. The question isn’t whether healthcare policies are necessary. Rather, the gray area in otherwise black-and-white rules appears when the nation or world is undergoing a public crisis, like the COVID-19 pandemic. When the fate of many depends on exposing the health of a few, what are the normative data sharing factors in the health sciences?
HIPAA and Other Data Sharing Norms
If you have ever been in a doctor’s office or dealt with anything in the medical field since 1996, you’ve heard of HIPAA. Short for the Health Insurance Portability and Accountability Act, HIPAA is a federal law that devised national standards that must be used in any medical environment to ensure sensitive patient health information is protected. It designates specific guidelines to follow to prevent this information from being disclosed to anyone, including researchers, without the patient’s express written consent and knowledge.
HIPAA’s Privacy Rule is a set of standards that explain how an individual’s health information can be used and disclosed by those considered “covered entities.” These entities include anyone who might, for any reason, need access to the information, like healthcare providers, healthcare insurance plans, clearinghouses, and business associates. Each entity has its own subset of standards it must follow to comply with the HIPAA rule and uphold an individual’s rights while sharing data.
In addition to HIPAA, each institution has its own policies and procedures on how to approach data sharing. Knowing the updated rules, sharing them, and policing them is usually the job of a data steward in any business or institution.
Pros and Cons of Data Sharing
Sharing patients’ confidential information is necessary between physicians when an individual is referred for co-managed treatment. It’s also a helpful way for researchers to judge the potential need for further studies on a health condition. When patient-level data is made available, under regulation, for this research, it is often for the good of the individual and the future population.
Researchers can verify original results against their hypotheses and the experiments they devised outside of human test subjects. This then leads to advanced knowledge of a healthcare condition and further tests on the new information obtained. The databases that already exist on the subject expand, allowing other researchers to perform larger-scale experiments with even more impactful outcomes.
But there are risks with this expanded sharing, even if the information is regulated. The further the data travels, the greater the likelihood of a failure in privacy protection. Data is also subject to misinterpretation the farther it gets from the original sources. Additionally, data ownership may be called into question, with the decision as to the amount of privacy afforded to the individual becoming the choice of the person or institution that had the information on hand at the time.
Steps to Take to Ensure Privacy While Data Sharing
Any time you are dealing with human subjects in your research, expect to take the highest precautions possible, regardless of the level of privacy you are instructed to use. This will protect you should a data breach later come to light.
Start by following the data security policies of your institution. The data steward on your campus can help you with this if you are unsure where to begin or whether your current policies are stringent enough.
During a healthcare emergency, you may be required to release research that is relevant to the crisis at hand. When that happens, privacy must still be the priority as much as possible. Mechanisms can be put in place to ensure that the final data is released only at need-to-know levels that keep the patient’s sensitive information shielded. Should you have to release all your information, you must then entrust the privacy of data sharing to the organizations releasing it, such as the World Health Organization.