As healthcare organizations continue to sift through and attempt to maximize the potential of the massive collections of health data at their disposal, the privacy of that data is a polarizing topic of discussion. Big data privacy questions stem from the innovation versus security debate that has long been in place in the healthcare industry.
Understanding how doctors, hospitals and insurers collect, use and disclose health data on an everyday basis, along with the potential business opportunities for monetizing that data, is among the first steps to making large data sets usable and secure, according to Deven McGraw, Director, Health Privacy Project at the Center for Democracy & Technology (CDT). McGraw told HealthITSecurity.com that in working toward the goal of delivering better care at a reasonable cost, understanding how sensitive data is handled is an important piece of the puzzle.
We need to have a set of privacy and security protections that builds public trust in the way healthcare organizations use data, but also facilitates the uses of the data we know we need in order to change the healthcare system. Patients are harmed when data aren’t used in beneficial ways in the same way they would be harmed if the data were used inappropriately. So we’re trying to use data for good purposes but make sure that good doesn’t damage public trust.
HIPAA impact and data de-identification
Though HIPAA has been maligned in various areas of the healthcare industry, McGraw maintains that having a law like HIPAA that governs how big data can be collected is better than having no regulations at all for non-HIPAA areas such as the Internet. The question, however, is what types of rules and guidelines are in place once HIPAA’s de-identification standards are met. McGraw explained that how healthcare organizations should approach de-identification depends on what the data is needed for and how it has been de-identified.
She said that the first of the two methodologies for de-identification is the “machete” approach, also called the “safe harbor” method, which doesn’t take much technological skill. It requires taking 18 identifiers out of the data before the data is deemed de-identified, and it sometimes renders the data not useful for certain research purposes. Alternatively, the “statistical method” allows organizations to keep some identifiers in the data, provided they “mask” those identifiers and have applied statistical methodologies to determine that there is a low risk of re-identifying that data.
“[The statistical approach] allows you to preserve certain identifiers in the data set that make the data more useful for researchers,” McGraw said. “A common example is if you’re using safe harbor de-identified data, you have to remove dates of service, which is critical health information. With the statistical methodologies, you could potentially mask that data and leave it in and ensure the risks are low.”
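The contrast McGraw describes, shown as an added example that is not part of the original article: safe harbor drops dates of service, while a masking step keeps them in shifted form. The field names, the key, and the choice of a keyed per-patient date shift are assumptions made for illustration; a date shift alone does not establish low re-identification risk, which still needs the statistical determination described above.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Hypothetical field names; only a few of the 18 identifier categories appear.
DIRECT_IDENTIFIERS = {"name", "ssn", "phone"}
DATE_FIELDS = {"service_date"}
KEY = b"constructed-demo-key"  # assumption: a secret held by the data custodian

def safe_harbor(record):
    """'Machete' approach: drop identifiers, record numbers and service dates."""
    drop = DIRECT_IDENTIFIERS | DATE_FIELDS | {"patient_id"}
    return {k: v for k, v in record.items() if k not in drop}

def _keyed(key, label, patient_id):
    """Keyed digest so offsets and pseudonyms cannot be recomputed without the key."""
    return hmac.new(key, label + patient_id.encode(), hashlib.sha256).digest()

def offset_days(key, patient_id, max_shift=180):
    """Stable per-patient shift in [-max_shift, +max_shift] days."""
    n = int.from_bytes(_keyed(key, b"shift:", patient_id)[:4], "big")
    return n % (2 * max_shift + 1) - max_shift

def mask_record(record, key):
    """Masking approach: keep dates, shifted by the same offset for one patient,
    so intervals between visits survive; replace the ID with a pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    shift = timedelta(days=offset_days(key, record["patient_id"]))
    for field in DATE_FIELDS:
        out[field] = record[field] + shift
    out["patient_id"] = _keyed(key, b"pid:", record["patient_id"]).hex()[:16]
    return out

# Constructed sample records (not real patient data).
RECORDS = [
    {"patient_id": "MRN-001", "name": "A. Example", "ssn": "000-00-0000",
     "phone": "555-0100", "service_date": date(2013, 3, 1), "dx": "E11.9"},
    {"patient_id": "MRN-001", "name": "A. Example", "ssn": "000-00-0000",
     "phone": "555-0100", "service_date": date(2013, 3, 15), "dx": "E11.9"},
    {"patient_id": "MRN-002", "name": "B. Example", "ssn": "000-00-0001",
     "phone": "555-0101", "service_date": date(2013, 4, 2), "dx": "I10"},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(safe_harbor(r), mask_record(r, KEY))
```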
Current patient data safety progress
Though McGraw agrees that HIPAA isn’t without its flaws, she said the U.S. has a pretty good regulatory regime for securing HIPAA-covered data. Even with some gaps in mind, she believes that the U.S. is in a much better place in terms of health data protections in the HIPAA space than in the ever-expanding portion of health data that’s not covered by HIPAA, such as the Internet and most mobile applications and other patient-facing tools. For non-HIPAA regulated entities, the Fair Credit Reporting Act (FCRA) may apply for data brokers or there may be other Federal Trade Commission (FTC) privacy promises, but there’s not the comprehensive regulatory scheme that exists under HIPAA.
McGraw also referenced how state entities that collect data for public health missions aren’t covered by HIPAA. Back in June, it was reported that individual states have been collecting potentially-identifiable patient data from hospitals and selling it to researchers, companies and other public entities. But with HIPAA in place, McGraw said that patients responding to surveys who are worried about their data being compromised generally haven’t been acting upon those privacy concerns by seeking alternative healthcare methods.
When patients are surveyed, they consistently express a high level of concern about the confidentiality of their medical information. But it’s only one of six people who feel so threatened by the current health data environment that they practice what we call privacy protective behaviors, such as not seeing doctors or seeing doctors outside of their communities. Though the rate of those who say they’re concerned is much higher than that, there’s a difference between what people express in surveys and the extent to which they mistrust the system such that they take action to protect their own privacy.