- Health data sharing is becoming an increasingly popular topic in the healthcare industry, and more organizations are working to find ways to become more interoperable while keeping health data secure.
The Centerstone Research Institute (CRI) is a non-profit research and technology company that provides research, analytics and evaluation services. CRI recently published a paper detailing a collection of behavioral healthcare patient and practice data featuring nearly 500,000 patients and millions of unique records.
The information is stored in the National Data Warehouse, which is a project for CRI’s Knowledge Network, according to CRI Chief Operating Officer Russell Galyon. CRI created a collaborative of various like-minded community mental health centers (CMHCs), Galyon said.
“They were very interested in the clinical research occurring in this area of healthcare, and one of the projects that came out of the Knowledge Network was the National Data Warehouse, which was an attempt to pool a large amount of clients, services, and care information into a unified repository for data research,” he explained.
This is the first year that CRI is trying to invite researchers as well as do its own data research on the data that has been pooled, Galyon said in an interview with HealthITSecurity.com.
“We have data covering the concepts of service activity diagnoses and we have a good deal of prescription-related information,” Galyon said. “The data is actually transmitted into us in a reasonably de-identified format, and then we take a lot of security precautions in length, both in design, audit, as well as standard system security style.”
Health data security is an essential aspect at CRI and the National Data Warehouse, according to Galyon. CRI encrypts data at rest and in-transit, and the at rest encryption typically has two layers both on the OS as well as the hypervisor. Moreover, the data that’s submitted in by Knowledge Network partners is submitted without IDs, he said. Instead, there are surrogate IDs to identify a client. The health data center also does not actually have access to patients’ medical records, Galyon explained.
“Every major release we have specific testing related to security, and security testing can never be performed by a developer that was part of the build,” Galyon said. “Any major release or a change to the actual security infrastructure within the application, we have an external firm that does pin testing before that is allowed beyond the development and test systems. Development and test systems are never exposed in any way online.”
CRI Chief Information Officer Wayne Easterwood added that HIPAA regulations are pervasive through everything that CRI and the National Data Warehouse undertake.
Information is segregated based on employees’ layers of privileges, Easterwood said, and there is a strict “need to know” philosophy.
“Anyone may need to know a variety of pieces of information around someone’s health record, if they’re involved in their care,” Easterwood explained. “But we don’t let anybody have access to anyone’s health information just freely.”
There are also employee logs so the organization is able to track specific information on access, he said.
Why health data sharing is beneficial for the industry
Health data sharing has the potential to be greatly beneficial to healthcare, according to Gaylon.
“Data sharing is probably the most critical thing we’ve never been able to do,” he said. “It’s not a technology problem. We need to protect people’s privacy very strongly, but we also need to find a way to actually share the information that’s pertinent to improving my treatment with a lower amount of friction than is in the current healthcare system.”
In the mental health and substance abuse space especially, health data sharing is a very difficult compliance and legal question, Galyon added. It is an issue that Centerstone works through quite frequently with its payers and other organizations that it works with.
Easterwood agreed, and added that sharing data is an essential tactic to getting to coordinated care. The friction comes from a lot of different motivations in what to do with the health data, he explained.
“It’s necessary to see how do we efficiently coordinate care to improve the quality and hopefully reduce costs of delivering healthcare,” Easterwood said. “We have very segmented or siloed delivery systems and they’re not accustomed to talking to each other.”
While the health data privacy concern is real, Easterwood explained that too much of the friction with health data sharing hides behind that privacy concern. In that respect, HIPAA regulations can be a bit of a scapegoat at times, he said.
“It’s definitely the most important thing that we’ve got to figure out, especially for behavioral health and the other specialties,” Easterwood said. “It’s very very important because it is going to be what ultimately improves the quality of care.”
The future of health data sharing
From an operational standpoint, Easterwood stated that learning how to exchange health data in real-time would be helpful to get the right diagnosis for a patient. It’s important for patients to receive the right care and for providers to fully understand the picture that a particular patient is presenting.
Galyon said that being able to break the silos of specialties is essential for a successful future in health data sharing.
“Anytime you deal with a specialty kind of healthcare service, you end up with a data silo,” he explained. “Because of those restrictions, the willingness of the broader community to share information back and forth is very limited.”
Individuals should be able to restrict their own healthcare data, Galyon added. But there needs to be a reasonably simple way for all of an individual’s data to be in place with the provider that he or she chooses.
“Right now, we really don’t have that system set up,” Galyon said, adding that he agreed with Easterwood’s earlier point of organizations sometimes hiding behind the HIPAA Privacy Rule. “A lot of it is because we hide behind HIPAA or we say the technology can’t do it. I’m not entirely sure either of those is true.”