HealthCamp UK 2008

Privacy in health integration

Session led by Rob Navarro


  • Privacy: use the Helen Nissenbaum model of contextual integrity. If any of the axioms are broken, the patient feels their privacy has been breached.
  • Security: ought to include privacy, but not yet. Early example is STDs where keeping privacy is important to the provision of health care and overrides the inconvenience of separating the data and anonymizing it.
  • Identification is the pinch point of potential harms. Two dimensions for identification: specificity and volume of connected information per person, e.g. a terabyte for a population is different from one year for one patient. The latter is about capturing choices in life that the patient made.
  • Identity: just what can be measured about you with five senses. This information can be copied so your identity can be copied.
  • Consent: supposed to be the right thing to do, but in reality you need to get broad consent (so you can do things that were not foreseen), and then this is not informed consent.
Solution: reduce the risk of identification arising, which removes the facility for harm to the patient.
  • Distinguishable is different from identifiable. Only need distinguishable to do work.
  • "Washing data clean" to prevent identification from demographic data usually washes out too much of the data for it to be useful. Instead, rely on a low-risk environment - people who are unlikely to abuse the data with those who
Question: does telling someone that you are minimizing the risk of sharing actually trigger a panic from the patient knowing
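
An added illustration of the "distinguishable, not identifiable" and "washing data clean" points above (not from the session): direct identifiers are replaced by a keyed pseudonym so one patient's records still link, then the demographics are checked for patients who remain unique. The HMAC pseudonym, field names, key and sample records are assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records, not real patients. P001 appears twice.
RECORDS = [
    {"patient_id": "P001", "name": "Patient One", "birth_year": 1950, "sex": "F", "postcode": "L1 4AB", "diagnosis": "asthma"},
    {"patient_id": "P001", "name": "Patient One", "birth_year": 1950, "sex": "F", "postcode": "L1 4AB", "diagnosis": "diabetes"},
    {"patient_id": "P002", "name": "Patient Two", "birth_year": 1953, "sex": "F", "postcode": "L1 7CD", "diagnosis": "asthma"},
    {"patient_id": "P003", "name": "Patient Three", "birth_year": 1971, "sex": "M", "postcode": "L8 2EF", "diagnosis": "hypertension"},
    {"patient_id": "P004", "name": "Patient Four", "birth_year": 1978, "sex": "M", "postcode": "L8 9GH", "diagnosis": "COPD"},
]
QUASI = ("birth_year", "sex", "postcode")  # demographic fields that can single someone out
KEY = b"constructed-demo-key"  # assumption: secret held only by the data custodian


def pseudonym(patient_id, key):
    """Stable keyed token: same patient gives the same token; not derivable without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def to_distinguishable(records, key):
    """Drop direct identifiers (id, name); keep a pseudonym so a patient's records still link."""
    return [{"pid": pseudonym(r["patient_id"], key), "diagnosis": r["diagnosis"],
             **{q: r[q] for q in QUASI}} for r in records]


def unique_patients(records):
    """Number of patients whose demographic combination matches no other patient."""
    combos = {r["pid"]: tuple(r[q] for q in QUASI) for r in records}
    counts = Counter(combos.values())
    return sum(1 for c in combos.values() if counts[c] == 1)


def wash(records):
    """Generalise demographics: decade of birth and outward postcode only."""
    return [dict(r, birth_year=r["birth_year"] // 10 * 10,
                 postcode=r["postcode"].split()[0]) for r in records]


if __name__ == "__main__":
    data = to_distinguishable(RECORDS, KEY)
    print("patients:", len({r["pid"] for r in data}))
    print("unique on demographics:", unique_patients(data))
    print("unique after washing:", unique_patients(wash(data)))
```

With names and IDs gone, every patient in the sample is still unique on demographics; washing removes that uniqueness only by discarding exact birth year and locality, which is the loss of usefulness the note describes.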

What to do?
Police talk about four factors of crime. Can use this framework to reduce data breaches.
  • People - improve by vetting
  • Motive - improve by vetting
  • Ability - can't do anything about it
  • Opportunity - access control
Factoid of the day: firemen in Liverpool are getting address and diagnoses of patients from the Liverpool social services and using this to call the patients and offer them exercises.