Health Data Sharing Is Increasing, But Confidence in Privacy Security Lags
More patient health data is being shared for approved purposes, with almost 57 percent of organizations possessing such data reporting sharing and over 55 percent increasing the amount shared. However, these same organizations lack confidence in their ability to protect privacy, increasing reputational and other risks if patient identities are exposed. These are three findings from the second year of a survey, released recently, of organizations that collect and store health data.
According to the survey, The 2016-2017 State of Data Sharing for Healthcare Analytics, nearly six in 10 respondents lack complete confidence even as they increase data sharing and as the amount of data collected mushrooms. The good news is the number of organizations that lack complete confidence fell by 8 percent between the 2015 and 2016 studies. Nevertheless, those companies with less than complete confidence still comprise over half of all organizations surveyed.
There was also evidence that at least some of those companies expressing full confidence in their data sharing protocols may be using identity protection methods that don’t reflect best practices—making these organizations more vulnerable to data breaches. For example, the survey results indicated a high level of confidence in the Safe Harbor method. Safe Harbor is HIPAA-specified standard for the de-identification of health information. It specifies 18 data elements that must be removed or altered to make patients anonymous. This rules-based approach is easy to implement but limits how the data can be used and making it in some cases largely useless to third-party researchers.
Safe Harbor is not so safe
The level of confidence expressed by survey respondents in Safe Harbor seems unjustified given the risks, and although the use of Safe Harbor dropped in the one-year interval between surveys, it remains popular. Techniques such as Safe Harbor are likely to become even less effective in the future as more data sets are linked with other data sets, increasing the potential value of the data to researchers but also the risk of patient identification.
A potential problem for the organizations surveyed is the reliance on multiple approaches to protect data privacy. According to an evolving consensus on best practices, the use of multiple approaches by a single organization can increase the risk of exposing patient identities. Countering this trend is an increase in the use of risk-based approaches such as the Expert Determination Method, or Statistical Method. This method requires an expert, familiar with the principles and techniques of de-identification, examine the data and determine risk by taking into consideration the sensitivity of the data, context for its release, and the controls in place.
In the most recent survey, a growing number of respondents used such approaches (23.6 percent). But this is less than a quarter of all survey respondents. The growth in use of risk-based approaches is likely due to the availability of more robust training; increased education in the market; and adoption of best practice standards issued by HITRUST, the Institute of Medicine and European Medicines Agency and others. Growth also might be the result of more organizations putting the ability to understand the risk of re-identification as their most important concern in last year’s survey, when the previous year it was certifying compliance.
A need for more expertise
Organizations may feel pressure to share data, while at the same time maintaining doubts about their competency to protect it. Such doubts may affect the pace of sharing, the value to researchers of the data shared and the data protection techniques employed. Survey respondents believed that more IT professionals needed to be hired by their organizations to fill perceived gaps in expertise. But creating a bigger IT department is only one possible solution and may not be feasible or necessary for all organizations. Also, adding IT specialists is probably not a substitute for knowledge gaps in other parts of the organization, including senior leadership.
On the other hand, there is evidence that organizations are becoming more knowledgeable about and actually using widely recommended techniques, such as risk-based and expert determination de-identification. In the 2016 survey, 23.5 percent of respondents said they were using risk-based approaches. While encouraging, that’s less than a quarter of all respondents. The other three-quarters may be using other approaches or multiple approaches, putting these organizations at considerable risk of privacy violations.
Nearly 60 percent of organizations surveyed are sharing data with academic institutions and pharmaceutical companies. The most common types of data shared are medical claims (21.4 percent); Electronic Medical Records (19.7 percent); insurance claim data (15.8 percent); survey data (15 percent); and clinical trial data (15 percent).
The surveys present a picture of health data sharing practices in flux. The encouraging news is that sharing is increasing and that some organizations are finding ways to generate revenue from it, hopefully only after it has been anonymized using available techniques that meet industry standards and that lower risk to acceptable levels. Also encouraging is that more data are being made available for research purposes, potentially accelerating cures for diseases suffered by millions of people.
However, a major concern is that many organizations may believe the data protection techniques they use will protect patient privacy when they in fact won’t. This false sense of security comes at a time when the amount of personal health data is exploding due to social media, personal devices and the linking of data from multiple sources. In addition, organizations using techniques such as data masking may lower the risk of re-identification but also make the data useless to researchers.
The hope is that organizations will continue to get knowledgeable and adopt commercially available risk-based data privacy techniques. That is a proven way to stay steps ahead of the rapidly changing technology and health care landscape, while making more and better data available for research to help fight serious diseases.
Privacy Analytics is responsible for the survey on which this article is based.
Sam Wehbe is the Director at Privacy Analytics. He is responsible for increasing the industry’s awareness and understanding of the key role de-identification plays in preventing data breaches, achieving HIPAA compliance and making more data available for secondary uses such as research and analytics in order to solve some of healthcare’s most challenging problems.