Health Data Privacy and Security: Finding the Right Balance
Health care is a badly unsynchronized system. The failure to collaborate and share information slows our ability to find new cures and to achieve the goals we have for patients. It also hampers the creation of business models to meet the health care challenges of our aging population and the coming generations. The health care system needs to be healthy, and right now it is not.
Among the things in need of a remedy is the way the system handles patient data security and privacy. Every year the Department of Health and Human Services publishes the dollar amounts of its settlements with health care organizations that violated HIPAA. The violations in 2016 and so far this year range from laptops holding patients' personal information stolen from a hospital employee's car, to a video crew allowed to film patients without their permission, to a press release with a patient's name in the headline.
Some of the violations involve data security, others data privacy, and some a combination. But security and privacy, although related, are very different concepts whose meanings are often confused. Privacy is more an art than a science. Protecting it requires expertise and tools that are not part of the normal skill set of an organization. Privacy has an abundance of shades of gray. Each context is different, especially when an organization charged with protecting patient information wants to use that information for secondary purposes, such as research on new therapies for serious diseases. Such uses are lawful as long as the patients' privacy is protected, which under HIPAA means either that the data are properly de-identified or that the use is otherwise authorized.
If possessing any data about other people is one kind of risk, sharing those data involves a potentially greater risk no matter what techniques are used to protect the privacy of personal information. With security, organizations want to eliminate risk by locking down the fort: better that nothing escapes the organization's control than to worry constantly about the reputational and financial consequences if someone in a dataset is exposed, whether accidentally or through theft.
Many data breaches are preventable with better data security. Strict controls make it less likely that an employee will leave a laptop holding patient records in a private vehicle, and full-disk encryption means a stolen laptop does not expose the records on it; the loss of a device whose PHI is encrypted in line with HHS guidance does not even trigger the HIPAA breach notification rule. Data stolen by hackers for criminal purposes is another kind of risk, one that can be mitigated through better access and authentication controls.
Reach out before the breach
The fact is that security and privacy are both necessary, and the organizational culture must embrace both. Organizations, including hospitals, tend to seek specialized help only after a breach has occurred.
One area of privacy that is rapidly expanding and requires specific and careful attention is the practice of sharing patient data for secondary purposes, that is, purposes other than those directly associated with a patient's care or uses otherwise authorized under HIPAA. Unlike most approaches to the privacy and security of patient data, where the intent is to keep the data locked down and out of the view and reach of unauthorized parties, secondary data use involves willingly and purposefully releasing data. Before these data are shared, they must be de-identified using one of the two methods HIPAA recognizes: Safe Harbor, which removes a fixed list of eighteen identifiers, or Expert Determination, in which a qualified expert documents that the risk of re-identifying anyone in the data set is very small.
These methods range from data masking and redaction to much more sophisticated techniques, such as risk-based de-identification, which measures the re-identification risk in the dataset and then generalizes or removes identifiers only as far as that risk requires, preserving the fields that are most valuable to researchers. Such tooling is commercially available now.
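The following is an added illustration of the risk-based approach described above; it is example code written for this page, not code from the original article, from Privacy Analytics' product, or a substitute for an Expert Determination. It assumes a small constructed patient extract, uses the k-anonymity measure (1/k, where k is the smallest group of records sharing the same quasi-identifier values) as a stand-in for the richer risk models used in practice, and tries generalization steps in an order chosen here to give up the least useful detail first. Direct identifiers are dropped outright, as Safe Harbor requires, while the diagnosis field is never touched.

```python
"""Risk-based de-identification of a constructed patient extract.

Added example, not code from the original page or from Privacy Analytics.
Direct identifiers are dropped outright, then the quasi-identifiers are
generalized one step at a time, and only as far as needed, until the
maximum re-identification risk falls under a chosen threshold. Risk is
measured as 1/k, where k is the size of the smallest group of records that
share the same quasi-identifier values (the k-anonymity measure, a
simplification of the risk models used in practice). The clinical field
(dx) is never touched, which is the point of the risk-based approach.
"""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample records; these are not real patients.
SAMPLE: List[Record] = [
    {"name": "A. Smith", "mrn": "000101", "zip": "02115", "age": "34", "sex": "F", "dx": "asthma"},
    {"name": "B. Jones", "mrn": "000102", "zip": "02116", "age": "37", "sex": "F", "dx": "asthma"},
    {"name": "C. Lee",   "mrn": "000103", "zip": "02118", "age": "31", "sex": "F", "dx": "diabetes"},
    {"name": "D. Kim",   "mrn": "000104", "zip": "02119", "age": "38", "sex": "F", "dx": "hypertension"},
    {"name": "E. Diaz",  "mrn": "000105", "zip": "02215", "age": "52", "sex": "M", "dx": "diabetes"},
    {"name": "F. Chen",  "mrn": "000106", "zip": "02116", "age": "55", "sex": "M", "dx": "asthma"},
    {"name": "G. Patel", "mrn": "000107", "zip": "02115", "age": "59", "sex": "M", "dx": "hypertension"},
    {"name": "H. Ruiz",  "mrn": "000108", "zip": "02118", "age": "51", "sex": "M", "dx": "copd"},
]

DIRECT_IDENTIFIERS = ("name", "mrn")       # removed unconditionally (Safe Harbor)
QUASI_IDENTIFIERS = ("zip", "age", "sex")  # generalized only as far as the risk requires


def gen_age(value: str, level: int) -> str:
    """Age ladder: exact -> 5-year band -> 10-year band -> suppressed.
    Ages over 89 collapse to '90+' at every level, as Safe Harbor requires."""
    age = int(value)
    if age > 89:
        return "90+" if level < 3 else "*"
    if level == 0:
        return value
    if level == 1:
        lo = age - age % 5
        return f"{lo}-{lo + 4}"
    if level == 2:
        lo = age - age % 10
        return f"{lo}-{lo + 9}"
    return "*"


def gen_zip(value: str, level: int) -> str:
    """ZIP ladder: full 5 digits -> first 3 digits -> suppressed."""
    if level == 0:
        return value
    if level == 1:
        return value[:3] + "**"
    return "*"


def gen_sex(value: str, level: int) -> str:
    """Sex has only one step: keep or suppress."""
    return value if level == 0 else "*"


GENERALIZERS: Dict[str, Callable[[str, int], str]] = {"age": gen_age, "zip": gen_zip, "sex": gen_sex}

# Order in which generalization steps are tried (an assumption for this example):
# the cheapest losses of research utility first, outright suppression last.
LADDER: List[Tuple[str, int]] = [("zip", 1), ("age", 1), ("age", 2), ("zip", 2), ("age", 3), ("sex", 1)]


def apply_levels(records: List[Record], levels: Dict[str, int]) -> List[Record]:
    """Drop direct identifiers and generalize each quasi-identifier to the given level."""
    out: List[Record] = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        for q in QUASI_IDENTIFIERS:
            row[q] = GENERALIZERS[q](r[q], levels.get(q, 0))
        out.append(row)
    return out


def reidentification_risk(records: List[Record]) -> Tuple[float, int]:
    """Return (max risk, k): k is the smallest equivalence class over the quasi-identifiers."""
    classes = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    k = min(classes.values())
    return 1.0 / k, k


def deidentify(records: List[Record], max_risk: float) -> Tuple[List[Record], float, Dict[str, int]]:
    """Walk LADDER until max risk <= max_risk; return the data, the risk reached and the levels used."""
    levels: Dict[str, int] = {}
    data = apply_levels(records, levels)
    risk, _ = reidentification_risk(data)
    for field, level in LADDER:
        if risk <= max_risk:
            break
        levels[field] = level
        data = apply_levels(records, levels)
        risk, _ = reidentification_risk(data)
    if risk > max_risk:
        raise ValueError(f"cannot reach risk {max_risk} even with full suppression (risk {risk})")
    return data, risk, levels


if __name__ == "__main__":
    data, risk, levels = deidentify(SAMPLE, max_risk=0.25)  # i.e. require k >= 4
    print(f"max re-identification risk {risk:.3f} using generalization levels {levels}")
    for row in data:
        print(row)
```

On this sample, requiring k >= 4 leaves age as a 10-year band and sex intact while ZIP has to be suppressed; tightening the threshold to k >= 5 forces the ladder to its end and every quasi-identifier is lost, which is exactly the utility cost the risk measurement is meant to make visible before release. A real Expert Determination would also weigh the sampling fraction, the population the data were drawn from and the adversary's plausible knowledge, and would consider the sensitive field itself (here every remaining group still mixes several diagnoses, but nothing in this code checks that).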
Getting the security-privacy balance right is more important than ever. Protected health information (PHI) plays an increasingly important role in connecting the pieces of the health care ecosystem, and that connection between patients and providers is key to achieving better patient outcomes.
But the connection is only useful if there are enough data to connect, and those data must be protected. The digitization of health records has opened up the potential for sharing data and made them more readily available for secondary use. This is a huge change from the recent past, when the fax machine was the main technology for sharing health information and a fax carrying personal identifiers could be seen by any number of unauthorized persons.
A second big impact on the whole system has been the Affordable Care Act and the shift in payment models from fee-for-service to value-based payment. Demonstrating value requires sharing and analyzing de-identified health data.
A third impact is that profit margins in the industry are being squeezed. Margins and growth for generic medicine producers are modest; the new growth is in specialty pharma, with many new medicines under development. These drugs and treatments are changing business models across the industry and require access to private data to identify, define and validate new therapies throughout the lifecycle of a new drug. Everything is data driven, from the initial research stages through clinical trials to the gathering of clinical and market evidence to defend drug pricing and go-to-market decisions.
Ultimately, it comes down to weighing the value of using data for its intended purpose against the question "Is there a risk of harm to the person or to his or her reputation?" That is difficult to assess objectively, which is why the privacy domain requires a more nuanced perspective than security does. It is the other side of the same coin.
Pamela is the director of product management at Privacy Analytics. Her job is to make the risk-based approach to de-identification more accessible to meet the dual needs of data utility and privacy protection.