Health Data Privacy and Security: Finding the Right Balance
By Pamela Buffone
Every year, the Department of Health and Human Services publishes the dollar amounts of settlements with health care organizations that violated HIPAA. The violations in 2016 and so far this year range from laptops stolen from a hospital employee's car with patients' personal information and a video crew allowed to tape patients without their permission to a press release with a patient's name in its headline.
Some of the violations involve data security, others data privacy, and sometimes a combination. But security and privacy, although related, are also very different concepts whose meanings often get confused.
Privacy is more an art than a science. Protecting it requires expertise and tools that are not part of the normal skill sets of an organization. Privacy has an abundance of shades of grey. Each context is different, especially if an organization charged with protecting patient information wants to use that information for secondary purposes, such as research on new therapies for serious diseases. Such uses are lawful as long as patient privacy is protected.
If possessing any data about other people is one kind of risk, sharing data involves a potentially greater degree of risk, no matter what techniques are used to protect the privacy of personal information. With security, organizations want to eliminate risk by locking down the fort. Better that nothing escapes the organization's control than constantly worrying about reputational and financial risks if someone in a dataset is exposed—accidentally or because it's stolen. Some health organizations in possession of valuable data may choose not to share under any circumstances, depriving the scientific community of valuable data that can save lives.
Many data breaches are preventable with better data security. Strict controls make it less likely that an employee will leave a laptop with patient records in a private vehicle. Same thing with the patient featured in a press release. What's important are training, sound judgment, and a detailed review process.
Data stolen by hackers for criminal purposes involve another kind of risk, one that can be mitigated through better access and authentication controls. Monitoring IT systems is also key; some of the costliest hacks of recent years were perpetrated by hackers who announced their intentions in broad daylight with digital door jiggling but were missed by the organizations' security personnel.
Reach Out Before the Breach
The fact is that security and privacy are both necessary, and the organizational culture must embrace both. Organizations, including hospitals, tend to seek specialized help only after a breach has occurred. An ounce of prevention really is worth a pound of cure. Many lapses that generate big penalties are the result of human error. It is commonly against hospital policy—or should be—for data involving thousands of patients and research participants, including names, birth dates, addresses, Social Security numbers, diagnoses, laboratory results, medications, and other medical information, to be left in an employee's car. Likewise, if data are shared for HIPAA-approved purposes, all recipients are responsible for protecting personal information and usually have written agreements to do just that. Security has a big role to play.
One area of privacy that is rapidly expanding and requires specific and careful attention is the practice of sharing patient data for secondary purposes—that is, purposes other than those directly associated with a patient's care or uses otherwise authorized under HIPAA. Unlike most approaches to the privacy and security of patient data, where the intent is to keep the patient data locked down and out of the view and reach of unauthorized parties, secondary data use involves willingly and purposefully releasing data. Hospitals, for example, may participate with a third party in the study of breast cancer to improve diagnostic capabilities and treatments based on best practices, or a pharmaceutical company may release clinical trial data on a new drug therapy. Before these data are shared, they must be deidentified using HIPAA-approved methods in order to protect the individual privacy of the patients in the data set.
These methods range from data masking and redaction to much more sophisticated techniques, such as risk-based deidentification, which measures the re-identification risk in the dataset and then removes identifiers without losing the data that are most valuable to researchers. Since valuable data are sometimes made available to researchers on websites, protecting identities with risk-based expert determination methods is essential. These methods are commercially available now.
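To make the "measure risk, then remove identifiers" idea concrete, here is an added example that is not code from this article or from Privacy Analytics. It assumes (my assumptions, not the article's) a small constructed patient table whose quasi-identifiers are age, ZIP code and sex, measures re-identification risk as 1 divided by the size of the smallest group of records that share the same quasi-identifier values (a k-anonymity style measure), and then removes precision from age and ZIP one step at a time until the risk falls under a chosen threshold, keeping the diagnosis column untouched because that is the field researchers need.

```python
"""Risk-based de-identification on a constructed patient table.

Added example, not code from the article or from Privacy Analytics.
Assumptions (mine, not the article's): quasi-identifiers are age, ZIP
and sex; risk = 1 / (size of the smallest group sharing the same
quasi-identifier values); precision is removed from age and ZIP step by
step until the risk meets the threshold.
"""
from collections import Counter

# Constructed, fictional records (no real patients).
RECORDS = [
    {"name": "Patient 01", "age": 34, "zip": "02139", "sex": "F", "diagnosis": "asthma"},
    {"name": "Patient 02", "age": 36, "zip": "02139", "sex": "F", "diagnosis": "diabetes"},
    {"name": "Patient 03", "age": 31, "zip": "02138", "sex": "F", "diagnosis": "hypertension"},
    {"name": "Patient 04", "age": 38, "zip": "02138", "sex": "F", "diagnosis": "asthma"},
    {"name": "Patient 05", "age": 52, "zip": "02139", "sex": "M", "diagnosis": "diabetes"},
    {"name": "Patient 06", "age": 55, "zip": "02138", "sex": "M", "diagnosis": "hypertension"},
    {"name": "Patient 07", "age": 57, "zip": "02139", "sex": "M", "diagnosis": "asthma"},
    {"name": "Patient 08", "age": 59, "zip": "02138", "sex": "M", "diagnosis": "diabetes"},
    {"name": "Patient 09", "age": 33, "zip": "02139", "sex": "M", "diagnosis": "asthma"},
    {"name": "Patient 10", "age": 39, "zip": "02138", "sex": "M", "diagnosis": "hypertension"},
    {"name": "Patient 11", "age": 54, "zip": "02139", "sex": "F", "diagnosis": "diabetes"},
    {"name": "Patient 12", "age": 51, "zip": "02138", "sex": "F", "diagnosis": "asthma"},
]

DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("age", "zip", "sex")
# Generalization ladders: level 0 keeps the raw value, higher levels lose precision.
AGE_BAND_WIDTH = {0: None, 1: 10, 2: 20}   # years per age band
ZIP_DIGITS_KEPT = {0: 5, 1: 3, 2: 0}       # leading ZIP digits retained


def drop_direct_identifiers(records):
    """Masking/redaction step: remove fields that identify a person outright."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count records per distinct combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def max_reidentification_risk(records, quasi=QUASI_IDENTIFIERS):
    """Worst-case risk: someone who knows a person's quasi-identifiers can
    single out that record with probability 1/k inside a group of size k."""
    return 1.0 / min(equivalence_classes(records, quasi).values())


def generalize_age(age, level):
    width = AGE_BAND_WIDTH[level]
    if width is None:
        return age
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalize_zip(zip_code, level):
    kept = ZIP_DIGITS_KEPT[level]
    return zip_code[:kept] + "*" * (5 - kept)


def apply_generalization(records, age_level, zip_level):
    out = []
    for r in records:
        g = dict(r)
        g["age"] = generalize_age(r["age"], age_level)
        g["zip"] = generalize_zip(r["zip"], zip_level)
        out.append(g)
    return out


def deidentify(records, max_risk):
    """Measure risk, then apply the least generalization that meets the threshold.

    Returns (records, (age_level, zip_level), risk). If no ladder position
    meets the threshold, the most generalized table is returned together with
    its still-too-high risk, so the caller can decide not to release it.
    """
    base = drop_direct_identifiers(records)
    ladder = sorted(((a, z) for a in AGE_BAND_WIDTH for z in ZIP_DIGITS_KEPT),
                    key=lambda lv: (sum(lv), lv))   # least information loss first
    for age_level, zip_level in ladder:
        candidate = apply_generalization(base, age_level, zip_level)
        risk = max_reidentification_risk(candidate)
        if risk <= max_risk:
            return candidate, (age_level, zip_level), risk
    return candidate, (age_level, zip_level), risk


if __name__ == "__main__":
    print("raw risk:", max_reidentification_risk(drop_direct_identifiers(RECORDS)))
    released, levels, risk = deidentify(RECORDS, max_risk=0.5)
    print("chosen levels:", levels, "residual risk:", risk)
    for row in released:
        print(row)
```

On this table every raw record is unique on age alone, so the worst-case risk starts at 1.0; banding ages into ten-year ranges and truncating ZIP codes to three digits brings it down to 0.5 while leaving every diagnosis intact. Tightening the threshold to 0.2 shows the other side of the balance: even the most generalized ladder position cannot meet it with so few records, and the function reports that rather than silently releasing the data. A real expert determination also weighs the attacker's plausible knowledge and the release context, which this toy measure does not model.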
Getting the security-privacy balance right is more important than ever. Protected health information plays an increasingly important role in connecting the pieces of the health care ecosystem to ensure better patient outcomes. Data are what connect people and providers; they can be used to achieve better health outcomes.
Health has been a very unsynchronized system. The failure to collaborate and share information is slowing down our ability to find new cures and achieve the goals that we have for patients. It also disrupts the creation of business models to support the health care challenges for our aging population and the coming generations. The health care system needs to be healthy, and right now it's not.
The digitization of health records has opened up the potential for sharing data and made the data more readily available for secondary use. This is a huge change from the recent past when the fax machine was the main technology for sharing health information. Fewer protections were possible when a fax with personal identifiers could be seen by any number of unauthorized persons.
A second big impact on the system has been the Affordable Care Act and the shift in payment models from fee for service to fee for value, resulting in new metrics and benchmarks that need to be tracked, as well as new demand for bringing different types of data together. The focus now is reducing hospital readmissions, improving adherence rates, and figuring out how to measure improved outcomes.
These shifts in the market mean that data sharing is no longer simply an opportunity—it's a necessity. The challenge is in shifting our thinking to sharing and collaboration and investing in technologies and skill sets that enable us to trust one another as we move forward.
Meanwhile, profit margins in the industry are being squeezed. Margins and growth for traditional medicine are flat. New growth is in specialty pharma, which has 7,000 new biologic medicines under development. These drugs and treatments are changing the business models across the industry and require access to data to identify, define, and validate new therapies throughout the lifecycle of a new drug. Everything is data driven, from the initial research stages through clinical trials, and gathering clinical and market evidence to defend drug pricing and go-to-market decisions.
Ultimately, it comes down to balancing the risk of using data for their intended purpose in the context of the question, "Is there a risk of harm to the person or his/her reputation?" It's difficult to assess this objectively. This is why the privacy domain requires a more nuanced perspective; it's a different side of the coin.
Today, security and privacy officers have new tools to help strike the right balance, including expert determination tools for deidentifying health data while preserving their value to contribute to dramatic improvements in the delivery of health care.
— Pamela Buffone is director of product management for Privacy Analytics.