Privacy and Health Data: A Comparative Analysis

The sensitivity of health data has been left unquestioned for centuries, as they translate into words, numbers, and graphs some of our deepest weaknesses. At the same time, information lies at the core of health care, which is largely based on a relationship of trust between physician and patient. This delicate balance has been shaken by the advent of e-Health, a phenomenon that lies at the intersection of Information and Communication Technology (ICT) and health care. The technological developments of our era increasingly place a blind trust in efficiency as a value per se, avoiding submitting technology to a moral assessment. Maximizing efficiency is extremely appealing, since we are afraid of what goes beyond our control, but it is crucial to realize that efficiency is not an end in itself but rather a means to achieve other goals. In the field of health data, the primary goals should be the protection of human dignity and adherence to the complexity of reality. Instead, the excessive pursuit of efficiency encourages creating simplistic, bright-line solutions that fail to take into account the different nuances and the inherent intricacy of human relationships and activities. The protection of health data must account for the inefficiency and the imperfection embedded in all human things. Therefore, law should not make deceptive promises of perfection and ought to treasure and value inefficiency. This work is articulated into three chapters, aimed at comparing the legal frameworks of the European Union (with a focus on Italy) and the United States and identifying the challenges engaging legislators on either side of the Atlantic Ocean. The first Chapter provides an overview of the rules on health data protection, highlighting what triggered the adoption of the relevant legislation and whether it successfully takes into account all the competing interests. Overly technical standards, born more from a desire for smoother transactions rather than for protecting human dignity, often create incentives to formally comply with the standards rather than on achieving the goals. The second Chapter focuses on electronic health records, which aim at collecting in one place all health data concerning a patient, and inquires into how they have been implemented in Europe and in the United States. Despite several advantages, EHRs also create several risks to patient privacy and often suffer from an excessive simplification of the concept of consent. Technology should be welcomed in the delivery of health care without forgetting that healing is a human activity and patients are not just stacks of data. The third Chapter concerns the topic of anonymization in the field of health data and criticizes the outdated dichotomy between personal and anonymous data, showing how anonymization should not be regarded as a silver bullet and anonymous data should be surrounded by further layers of protection. This work shows that rules in health data protection should not be black-and-white and should adopt a risk-analytic approach. “There is a crack in everything […], that’s how the light gets in” [L. Cohen]: the impossibility to achieve perfect outcomes is a precious reminder that “data processing systems are designed to serve man” [EU Directive 95/46, Recital 2].