- Data aggregation is quickly becoming a larger issue in healthcare, especially as organizations begin to switch over from fee-for-service models to value-based healthcare. As entities continue to gather, store, and transfer sensitive information, healthcare data security must remain a top priority.
But why are healthcare organizations even gathering such information in the first place?
The push to value-based healthcare will have a large impact on how providers and payers approach using data for predictive analytics, according to Ropes & Gray Partner Tim McCrystal.
Using data for predictive purposes and for establishing clinical guidelines and pathways has been ongoing, and will likely continue into the future, he told HealthITSecurity.com.
“It’s going to be fueled in part by value-based healthcare, which is somewhat of a paradigm shift in the way that providers are paid when they’re participating in value-based healthcare programs,” said McCrystal, who is also co-chair of his firm’s healthcare practice group. “The traditional fee-for-service arrangement is replaced in a value-based healthcare arrangement by some form of payment that might be a fixed payment, it might be contingent payment, or it might have quality and other patient outcome incentives associated with it.”
There’s a great need for information and analysis based upon data, just with respect to delivering quality outcomes, where the payment paradigm is shifting, he noted. That value-based healthcare paradigm shift also provides an opportunity to analyze data to determine cost of services within particular areas of healthcare delivery.
“If one is receiving a fixed payment for a delivery of a defined set of healthcare services, then understanding the cost of those services and variables in what may impact the cost of delivery of services is another critical solution,” McCrystal explained.
“That’s a critical piece of knowledge that providers need to have. Mining data to understand how similar procedures, similar treatments, and courses of treatment, analyzing the costs of those and what impacts them is another helpful opportunity for providers and others as they participate in value-based healthcare.”
Fellow Ropes & Gray Partner Deborah Gersh stated that healthcare payers often have a wealth of data. Payers gather data from a number of different members or other organizations, often through their contractual arrangement to aggregate that data.
Payers will aggregate such information to determine trends and to understand a bit more on the predictive analytics side and treatment methodologies, she said.
“It’s becoming more important than ever that payers and providers work together with that,” noted Gersh, who is also co-chair for the Ropes & Gray healthcare practice. “You’re seeing on the providers’ side, a lot of clinically integrated networks that are working together to define and determine clinical pathways. You really have two things going on: the payer cost issue, and the provider treatment and costs and outcomes issue.”
The payers and providers can work together to develop those pathways to reduce the cost and improve quality, Gersh explained, which is the underlying goal in value-based healthcare.
Staying mindful of HIPAA regulations, data security concern
There are many levels of data security to take into consideration when it comes to gathering health data and using it, Gersh pointed out. Data can be provided from a covered entity to a covered entity for treatment purposes, or it can be covered under certain arrangements that providers have or organized healthcare arrangements that are in place.
“Payers typically have arrangements with the networks to gather information, and they can use that information to aggregate and then they can de-identify it and use it for their own purposes,” she said. “They’re contractually permitted to do so. That’s how most of that data is aggregated.”
Payers are trying to create incentive to shift some of the work to the provider as part of this shift where providers and payers are working together, she added.
“The underlying reasoning for that is really based upon clinical testing,” Gersh explained. “A lot of times payers have information from broader sources and providers are also determined, based upon their personal experience, to provide care in a certain way through clinical pathways that have been most effective.”
“Sometimes those go together, and sometimes they don’t,” Gersh continued. “Data certainly can be shared depending on the relationship, and if not it can be shared in de-identified ways, but ways that still allow for the sharing of that data.”
For example, Gersh said that if a provider thinks there’s a better way to reduce length of stay or cost, they can share that concept with the payers, and the payers can run the data.
McCrystal added that the firm’s healthcare clients are often counseled by reviewing the typical privacy and security analysis. This will help keep data security in mind for the innovative arrangements where data would be used for analytical purposes and is not de-identified.
“We need to make sure that we have appropriate business associate and other data use agreements in place for purposes of the arrangement, and then ensure that appropriate security safeguards regarding the maintenance, use, and transmission of that data exists,” he said. “Some of the innovative partnerships that are now being undertaken require independent HIPAA Privacy and Security analyses at the time that they’re implemented to the extent that the information is not de-identified fully in accordance with HIPAA.”
How BYOD, mobile devices affect data security in aggregation
Another important aspect is the rise of mobile devices, especially as more providers are allowing for BYOD policies. Covered entities need to be particularly mindful of how physicians and staff members use devices and how data is able to be accessed through those devices.
BYOD in general just adds another layer of security risk, McCrystal said.
“It creates a challenge to understanding the universe of devices that are accessing information,” he explained. “The security protocols that would apply to those devices; it’s a challenge on inventory of the devices that access one system.”
While BYOD presents some beneficial organizational and operational opportunities, the appropriate security protocols must also be implemented, McCrystal maintained.
“Those devices should be required to have the same information security system and programs that the business has adopted for its own system,” he said. “For example, remote wiping and access in the event the device is lost, engaging in training and having appropriate policies and procedures around password management control, deletion of information from devices, and limiting access to certain types of information through a personal device.”
The device side has always been the Achilles heel in data security, Gersh stated. In addition to the technical safeguards that must be implemented, she underlined the importance of employee training and ensuring that work arounds are not created.
“It’s anticipating those workarounds and ensuring responsibility and ownership,” she said. “What used to be exceptional is now considered required, sometimes even on the encryption side. But remote wiping and remote access are also important.”
“That’s going to continue to be an issue and a challenge, because the more devices you have out there, the greater risk for hacking and other problems,” Gersh continued. “That’s going to continue for a while, because every time you think you’ve added something else and added another restriction, it’s going to be an ongoing issue.”
Gathering healthcare data, understanding what it means, and then properly and appropriately sharing it is going to be a large issue in the industry, she concluded.
“The evolution of this, and how the use of the data, its impact, how it will be used, the accuracy of it, the relevance of it, is going to be interesting in how it plays into the value-based healthcare piece. That’s what’s so critical.”