Healthcare Information Security

Cybersecurity News

Should big data research override patient privacy needs?

By Patrick Ouellette

- Making the most out of healthcare big data sets to improve patient care by spotting disease and other types of healthcare trends is undoubtedly viewed as a critical part of healthcare IT innovation. Google co-founder Larry Page was the latest to point out the myriad benefits to having large volumes of patient data available to researchers during a recent TED conference. But some in the healthcare industry believe that ensuring protected health information (PHI) within those large data sets, based on HIPAA standards, remains private and secure remains a barrier to big data research.

TechCrunch pointed to a 2012 Harvard Info/Law blog post, titled “Death by HIPAA” that cited specific ways in which HIPAA prohibited disease research. This wasn’t the first nor the last time that HIPAA has been described as an obstruction to healthcare. For instance, the Committee on Energy and Commerce, within the House of Representatives, has been trying to determine the effects of the HIPAA Privacy Rule on mental health data reporting. In this case, however, he Harvard researchers explained how, in spite of there being research indicating a strong connection between Vioxx and increased risk of heart attack, the product wasn’t taken off the market until after it “caused between 88,000 and 139,000 unnecessary heart attacks, and 27,000-55,000 avoidable deaths.” From the Harvard researchers’ standpoint, HIPAA is overly cautious and the methods of data de-identification and re-identification are too cumbersome to be reasonable for research purposes

HIPAA allows health providers and insurers to release patient health information for research use only if the researcher enters into contractual agreements with each individual data-holder or if the data complies with HIPAA’s deidentification standards. These research exceptions are much too narrow to harness the full potential of the data. The contractual exception (“limited use” datasets) is practical only for work on small or medium scales, and only when the data holder agrees to work with the researchers. The de-identification exception allows research data to be shared freely, but the data producer is required to remove a lot of information that may be critical to the research and to building longitudinal data files.

Alternatively, patient privacy expert Deven McGraw told in September 2013 that the different data de-identification methodologies – the “safe harbor” and “statistical” methods – prescribed HIPAA allow enough flexibility for organizations to still take advantage of data collection.

“[The statistical approach] allows you to preserve certain identifiers in the data set that make the data more useful for researchers,” McGraw said. “A common example is if you’re using safe harbor de-identified data, you have to remove dates of service, which is critical health information. With the statistical methodologies, you could potentially mask that data and leave it in and ensure the risks are low.”

The point that Harvard researchers made back in 2012 still resonates now: the balance between HIPAA privacy rules and big data innovation shouldn’t be black and white. There are some instances where privacy laws may inhibit research and progress. But there still needs to be balance ensuring patient data is private and potentially preventing disease or even deaths.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks