The establishment of protections for personally identifiable information security in healthcare and human subjects research through the Health Insurance Portability and Accountability Act (HIPAA) establishes rights of control, disclosure, and informed consent for the collection and use of said information for the person the information pertains to (United States Department of Health and Human Services [HHS], 2013). Protection of this information becomes increasingly more complicated when electronic records are involved, transmission or sharing of protected information occurs, or when the use of information is for purposes secondary to the collecting practitioner use in treatment (Schweitzer, 2011). Difficulty or complexity in maintaining the integrity of personally identifiable information is accepted as a challenge, however, sanctions against violation of rights concerning health and personal information exist and are a significant financial and criminal liability with additional liabilities potentially levied on a state by state basis (Schweitzer, 2011; Pritts, 2007). In order to ensure that every effort is made to protect both the subject of the information and the organization or researcher collecting the information for use in research or providing care, Institutional Review Boards Human Subjects Committees (IRBs) and specific requirements for Risk Analysis and Management within all health organizations, programs, and clinics (Nass et al., 2009).
How is PAMS affected?
Private Arrangement Milk Sharing (PAMS) is a complex practice. Part of that complexity arises from the frequent nature of the agreements being “Contract Implied in Fact” arrangements involving individually identifiable information and/or the exchange of health information. A Contract Implied in Fact “Consists of obligations arising from a mutual agreement and intent to promise where the agreement and promise have not been expressed in words. Such contracts are implied from facts and circumstances showing a mutual intent to contract, and may arise by the conduct of the parties. A contract implied in fact is a true contract” and is entered into upon exchange of milk in a PAMS relationship. The exchange of milk in PAMS fulfills requirements of conduct illustrating “an unambiguous offer, unambiguous acceptance, mutual intent to be bound, and consideration.” A critical part of this contract obligation is the use of the donated milk and information regarding health and lifestyle of the donor obtained during screening be used for the purpose of providing for the recipient infant/family and that infant/family alone, and this is supported by the claims of each of the major PAMS networks.
All of the major milksharing networks make clear their stance to be uninvolved in the specific between party agreements involved in PAMS including questionnaires and screening tools (Eats On Feets), asserting that all individuals take complete responsibility for outcomes of milksharing as individuals (Human Milk 4 Human Babies). This explicit maintenance of non-participation ensures that as networks, they are not included in provisions requiring adherence to HIPAA. These organizations provide description of their belief that information collected for research or analysis should not be undertaken by the networks, presumably for both philosophical and practical conflict of interest reasons. Encouragement to violate this foundation of expectation by soliciting third party information is counter productive to the specified intent and spirit of milk sharing as a private arrangement strictly between the donor and recipient, and undermines the security in providing information confidentially. So who is intentionally asking that this expectation and potentially contractual obligation to honor privacy in the PAMS agreement be violated?
The Milksharing Incident Database and Survey (MIDAS) is described on their website as “…a grassroots public health program created by World Milksharing Week.”* Neither the survey nor the incident reporting options provides an informed consent document, indication of data security, intended use, authority to collect such data, de-identification procedures, or information regarding data security and storage. There is no IRB approval for any of the actions undertaken by this organization. In the frequently asked questions tab of the website, it is stated that there is absolutely no follow up on any information provided, and that all information is provided anonymously. On the same page, follow up is discussed as occurring in “severe and very severe” instances, with a medical professional that MIDAS chooses. No information is provided regarding vetting of medical professionals, authority for them to contact respondents, and certainly not to contact individuals who’s personal information was obtained through a third party without consent. So, if the reporting is anonymous, how does the follow up occur? The answer is likely that this website is an integrated WordPress account, as it is hosted by Bluehost, and WordPress has the capability of tracking the IP addresses of users who interact with websites. Not particularly anonymous, or secure.
No evidence or foundation based on the current level of knowledge concerning PAMS is provided by the creators of MIDAS. The efforts are redundant, as my own research and that of several other teams operating in the US and Canada are collecting practice information and participant beliefs. These research endeavors are being conducted under approved IRB circumstances, and with full disclosure to all participants. Considering this information is being collected in such a way that it cannot be used for legitimate research, it is likely that such a site poses more harmful potential than benefit for any efforts to generate policy and evidence regarding PAMS.
The PAMS community and participants are operating under very biased and intensive scrutiny from existing health authorities. Concerns about the cavalier attitude of those participating and the presumed ignorance of those involved is frequently discussed. A site clearly not manned by an experienced researcher or data manager, seeking information from third parties without any right to do so and potentially in violation of individual state and federal regulations regarding protected information and contract law, and without recourse for those who may be seriously wronged in this process certainly does not refute these views of PAMS. It is deeply disturbing to me, personally, to see otherwise well respected researchers who would certainly be expected to understand their inability to be associated with such an undertaking per their involvement with research institutions already are being named as partners in this endeavor through World Milksharing Week.
* The milksharing network Human Milk 4 Human Babies and Modern Milksharing are included in the committee responsible for the creation of MIDAS. This involvement and endorsement is in direct opposition to stated intentions to stay removed from involvement and to support individual accountability of participants on their networks and sites.
Nass, S. J., Levit, L. A., Gostin, L. O. (2009). Beyond the HIPAA privacy rule: Enhancing privacy, improving health through research. Washington, D.C: National Academies Press.
Pritts, J.L. (2007) Federal efforts to impose uniformity on state healthcare laws. Health Law and Policy. Vol. 20 (2). Pp 20-23.
Schweitzer, E. J. (2012). Reconciliation of the cloud computing model with US federal electronic health record regulations. Journal of the American Medical Informatics Association : JAMIA, 19(2), 161-165. doi:10.1136/amiajnl-2011-000162