OR WAIT 15 SECS
Volume 36, Issue 8
Balancing today’s health data demands and patient privacy is not about new regulations-it’s taking a risk-based approach.
As the US prepares for the upcoming presidential election, Congress will not only break for summer this month but will also have an extended break in October and November. This means there will be fewer working days this year for Congress to draft and pass key healthcare and health IT legislation, such as the 21st Century Cures Act. The House passed the bill back in July 2015. Since then, the Senate Health, Education, Labor and Pensions (HELP) Committee has parsed the act and created several new companion pieces of legislation.
These legislative proposals invoke a Kennedy-esque dream with a “moonshot” for a cure. They propose a precision medicine initiative which could well be a legacy of the Obama administration and wrestle with all kinds of ethical questions tucked neatly under the covers.
Earlier this year, the Senate HELP Committee passed the Improving Health Information Technology Act, which targets electronic health records (EHRs) and aims to make them more interoperable. It does this by enlisting existing data-sharing networks to develop a voluntary model framework and common agreement for the secure exchange of health information across existing networks. This will foster bridging between currently siloed networks. The bill also mentions the creation of a digital provider directory that facilitates exchange and allows users to verify validity. Finally, it requires that the U.S. Department of Health and Human Services give deference to standards developed in the private sector.
Deemed too far-reaching, the intention of breaking up the “Cures” Act was to split the bill into smaller, more attainable goals. One major problem with the original act was the provisions around data sharing.
Patient advocacy groups want new treatments and better outcomes and they want them NOW. Everyone agrees we need a cure for cancer. What makes the legislation fascinating is it’s going to split open debates about the most important question of our time: Who is going to take the risk?
Risk at the root
Regulations exist because of this basic principle of risk. They try to ensure a balanced perspective among the stakeholders and mitigate the potential for undesirable consequences. Given the challenges facing the healthcare system and acute-care patients in particular, it’s easy to start pointing fingers at the regulations and demand changes to speed up the process.
Whether government should share in the financial risk of health research and whether individuals are willing to participate in research trials for new, unproven treatments are strong tests of our fundamental values and appetite for risk. Privacy is also a strong fundamental value. One of the questions on the table for debate with this package of legislation is how to balance our individual privacy with the insatiable demand for data that’s needed to fuel new research.
There is no question we need more and better data available for research and analysis. Some of the proposed approaches to increasing access to data include revising the HIPAA privacy rule and the HITECH Act to make it easier for organizations to access, share and use protected health information (PHI).
One proposed change is to expand the types of activities for which PHI can be used under HIPAA to include research under healthcare operations. Including research as part of healthcare operations could permit a hospital
to disclose PHI to contractors, business associates and other hospitals. This would enable broad sharing of data without restriction.
Another proposed change would allow PHI to be shared for profit. While there are limited situations where costs can be reimbursed if you are providing information for research purposes, current policies prevent the selling and purchasing of PHI for profit. This change could permit disclosures of PHI to pharmaceutical and medical device companies for research purposes without requiring that the data be appropriately de-identified to protect patient privacy.
To serve and protect
While it is important to share more health data for research and analysis, we must consider what impact these proposed changes would have on privacy protections for individuals. Who would be able to access the intimate personal details often captured in your health records and under what conditions?
The goal should be to find the appropriate way to balance privacy compliance and access to data. To achieve this goal, it may not be necessary to rewrite HIPAA and amend the HITECH Act. A risk-based approach exists that can address any data items that could be used to re-identify an individual patient within a data set while still preserving the important data elements researchers need.
Using this proven methodology, data-sharing goals can be achieved without putting patient privacy at unnecessary risk. This can eliminate the need to rework existing regulations, which could take years to approve and further delay implementation of the important initiatives aimed at bringing new therapeutic treatments to market faster.
Some innovative organizations are already using this proven de-identification methodology to unlock the value in our PHI safely. For example, the American Society of Clinical Oncology (ASCO) is developing a learning health system to provide doctors and other healthcare providers with access to cancer patient information. When little is known about a particular cancer or cancer treatment from clinical trials or published research, providers can use these types of systems to evaluate how best to approach an individual case by using information on millions of people to inform their decisions. A critical element is not only having historical information, but also including the most recent information available on cancer treatment to allow providers to learn things that would otherwise not be possible.
De-identification of PHI is a quicker and more responsible approach than pursuing unnecessary legal and regulatory changes. All that is needed is more encouragement and guidance to compel healthcare organizations to adopt the existing standards. This will ensure that healthcare organizations are all using the same proven approach to protect patient privacy.
This should be easy since a model framework already exists. Developed in collaboration with healthcare, information security, and de-identification professionals, the HITRUST De-Identification Framework provides a consistent, managed methodology for the de-identification of data and the sharing of compliance and risk information amongst entities and their key stakeholders. Risk-based de-identification is one of the most effective methods to manage privacy risks for sharing data, while allowing for the greatest level of utility for research and analysis.
There is strong consensus that increased access to health data can lead to important advancements in medical research and innovation. However, the current proposals for making this data accessible may be more complicated than necessary and may place patient privacy at increased risk. Organizations should be incented to operationalize the current standards and the risk-based de-identification methodology outlined by HIPAA, HITRUST, the Institute of Medicine (IOM), PhUSE, the Council of Canadian Academies, as well as the EU General Data Protection Regulation.
Proposing new legal and regulatory changes to facilitate increased data sharing is unnecessary. Innovative healthcare organizations are already using this proven approach to effectively balance patient privacy with the demand for greater access to robust health data needed for important research and analysis. We don’t need more or different regulations, we just need more healthcare stakeholders to adopt the current standards.
Pamela Neely Buffone is Director of Product Management for Privacy Analytics. She can be reached at PBuffone@privacy-analytics.com