By Adam Lorant, VP, Product and Solutions, PHEMI
Modern data science and analytics hold the potential to transform healthcare—from helping hospitals operate more efficiently, to identifying precision medicine targets, to evaluating public health initiatives, and more.
All of these advances, however, depend on sharing data. It’s not enough to collect more information. If you can’t share it—with analysts, investigators, partners, clinical decision-makers—you can’t capitalize on it. But, as you collect and share more data, you have a legal and ethical obligation to ensure that it’s secure, managed, and protected.
HIPAA and certifications like HITRUST play a critical role in protecting information. The HITRUST De-identification Framework provides a methodology for de-identification of data and the sharing of compliance and risk information amongst entities and their stakeholders. But if healthcare organizations want to unlock the full potential of their data, they need to do this in a timely fashion – essentially they need to find a way to automatically protect privacy while sharing the data.
Sharing with Privacy
Start by recognizing that while privacy depends on security, they are not the same thing.
Security is about restricting access to data. As Forrester notes in the September 2014 report, Brief: Stolen And Lost Devices Are Putting Personal Healthcare Information At Risk, “As healthcare organizations gather and process greater amounts of PHI, data security initiatives become exponentially more important… It’s no longer acceptable to allow unfettered data access to the vast majority of your employees.”
Privacy, on the other hand, assumes that data will be shared and used. It’s making sure that individuals control who sees their data and what they do with it. Effectively, privacy means making sure that protected health information (PHI) and personally identifiable information (PII) are available only to the right person, at the right time.
The HIPAA Privacy rule provides a basic policy and procedures framework regulating use and disclosure of PHI. But much of HIPAA compliance focuses on securing data, not sharing it. HITRUST goes farther, certifying that organizations have met clear and measurable data security requirements and specifying a strategy for de-identifying data. While these additional layers of protection aim to prevent security and privacy breaches—adhering to these processes is consumes time and effort, ultimately slowing down data sharing.
A physician with a precision medicine program, a researcher in the program, and a bioinformatician with an affiliated public health agency all have legitimate reasons to access patient records. But their privacy constraints are very different. The physician is authorized to view the full record. The investigator may be allowed to see clinical and genomic data but no PII. The bioinformatician should be able to view aggregated population data but no individual records. Manually applying guidelines and publishing de-identified data sets for each user is time consuming and costly.
There are technologies that can solve this dilemma—that control access at the data level and provide different views of the same record to different users. But the first step is recognizing that effective sharing must be part of your data security and privacy strategy and must be built into your information infrastructure. If you’re going to use your data to innovate in your field, you must automate these industry best practices.
Privacy as Competitive Advantage
Organizations shouldn’t have to view privacy and data sharing as a tradeoff. They should embrace a proactive approach to both. Instead of asking, “How can I avoid the risk of fines and brand damage?” the question should be, “How can I manage data sharing effectively to collect more data and gain more insights?” Privacy in the past primarily consisted of education and policing. Today, it can be about defining policies that are automatically enforced by IT systems.
As Forrester notes in the February 2016 report, Industry Spotlight: US Healthcare Security Budgets And Priorities, Q4 2015 To Q3 2016 “Focusing on compliance alone will leave you unprepared for the increasing attack surface created by your staff’s new device types and technology services. Instead, align your priorities with those of the business and meet innovation head-on. Adopt a data centric security strategy. This is especially critical as your firm increasingly shares patient data with other hospitals, information exchanges, and patients themselves.”
When you take that next step—when you can proactively ensure privacy and governance as you share data—you can:
- Give patients more confidence that they control who sees their information
- Give researchers more control over who can use their data
- Build greater trust among patients, clients, collaborators, and partners
- Let privacy officers define policies, and have IT systems enforce them automatically
All of this means more data collected and analyzed, more clinical and operational advances, and sustained competitive advantage.