Healthcare Big Data: Privacy and Security Workgroup Gives Preliminary Report

Big data has considerable potential to improve the quality of care provided to patients, and even improve patient outcomes; however, there are risks. Privacy advocates worry that the disclosure of health data together with personally identifiable information could result in the data being used for discriminatory purposes, or could otherwise cause patients to be harmed.

Analysts predict that big data can, and will, be used to reduce the cost of healthcare delivery; however first the issue of patient privacy needs to be resolved. Big data, no matter how useful for the advancement of medical science, can only be used if patients’ right to privacy is assured.

The potential benefits for the healthcare are too valuable to ignore; however deciding on the allowable uses of data, while preserving patient’s right to privacy, is a difficult task. It is a problem the Whitehouse is trying to address, and it has turned to stakeholders for help.


How to Leverage Big Data While Protecting Patients’ Privacy Rights


President Obama requested assistance from the Department of Health and Human Services and asked for input from healthcare stakeholders on the use of big data to benefit the health industry. Last year he asked the HHS to “consult with stakeholders to assess how federal laws and regulations can best accommodate big data analyses.” The HHS was also asked to “develop recommendations for ways to promote and facilitate research through access to data while safeguarding patient privacy and autonomy.”


Health IT Policy Committee’s Privacy and Security Workgroup Announces Preliminary Findings


The Health IT Policy Committee’s Privacy and Security Workgroup has held two sessions in which stakeholders have been asked their opinions on the use of big data, and the problems that could be caused. The first public hearing took place in December 2014, with a follow up conducted on February 15, 2015.

During the meetings, the workgroup listened to the opinions of 21 stakeholders and heard the arguments for and against big data use. Researchers presented their opinions on the need to have access to data, while privacy advocates argued the serious data security problems that must first be resolved.

The preliminary findings from the first two sessions have recently been summarized in a virtual workgroup meeting. Co-chair of the Privacy and Security Workgroup, Stanley Crosley, believes patients’ right to privacy must be preserved. At the workgroup meeting he said, “Patients should not be surprised or harmed by collections, uses, or disclosures of their information. Nowhere is this more difficult than with big data.”


Potential for Discrimination a Major Issue


He explained one of the major problems is the potential use of big data to discriminate against individuals. The data, for example, could be used by health plans to make decisions about health insurance applicants, and could be used to set premiums based on the level of risk each individual represents and insurance could be denied.

Crosley said, “We found this to be a very significant challenge—ensuring both the responsible use of big data analytics and understanding the increasing risk of harms that might result, of which discrimination is one of the harms that could arise,”

He pointed out that currently the laws covering the use of data are inconsistent, with some states prohibiting the use of health data to discriminate. However he said there are situations in which discrimination is “expressly permitted.”

For example, the Health Insurance Portability and Accountability Act prohibits the use of health information for discriminatory purposes; however other entities holding the exact same data may be permitted to use it. The health industry may be heavily regulated, but not all industries have the same protections.


Too Much Reliance on Data De-Identification?


Under HIPAA, health data can be used for research or other (limited) healthcare purposes; provided patient consent has been obtained in writing. Data can also be shared if it has been de-identified before being disclosed. HIPAA includes rules covering the de-identification of data, but non-HIPAA entities do not have any standards to adhere to.

At present healthcare providers are relying on data de-identification in order to use patient data. Crosley said, “The workgroup believes there’s an over-reliance on de-identification while no accountability for re-identification.”


Patients Must Not Come to (much?) Harm


Another issue raised was the lack of a consensus on the definition of “harm”. Patents must not be harmed by the sharing of their data, but what is harm? Financial? Physical? And what is the threshold?

It was pointed out there are cases in which the sharing – or use – of data is clearly bad for a patient, and could potentially cause considerable harm or damage. Denial of health insurance, for example.

There are some uses that should not cause any harm to patients; however, a gray area exists where there are benefits that come at a cost. Unfortunately, the gray area covers 80% of potential big data uses according to Crosley.


Final Report to be Issued Later this Summer


There is still work to be done before the final report is issued, which should be later this summer, but in the meantime more opinions will be gathered from stakeholders on how big data can be implemented to benefit healthcare providers and patients, and advance medical science.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.