Solving Healthcare's Big Data Analytics Security Conundrum
HIPAA understandably makes it hard for organizations to obtain personal health information and even harder to use that information for the purpose of data analysis. Empowering patients to own and share their own data -- and then assuring them that it's being properly de-identified -- can ease this process.
Mon, October 07, 2013
CIO — Big data holds much promise for healthcare. Analytics use cases — which focus on heady tasks such as giving physicians more information at the point of care, reducing hospital readmissions and better treating chronic diseases — continue to emerge, while vendors such as SAP and Oracle increasingly pitch their in-memory platforms as the way to solve healthcare's exceedingly complex problems.
Most of medicine's data is unstructured, though. It exists largely in free-form physician notes fields in electronic health record (EHR) systems or, worse, in manila folders. On top of that, the complexities of interoperability and health information exchange make it difficult for healthcare organizations to share information, structured or otherwise.
There's another, often overlooked wrinkle: Much of that data is personal health information strictly protected by the Health Insurance Portability and Accountability Act, which the HIPAA omnibus rule recently strengthened to bring PHI security into the 21st century.
This means tomorrow's data scientists, not to mention today's, must make the task of keeping patient data secure as much of a priority as actually analyzing that data in order to improve outcomes and reduce costs.
Go Straight to Patients Willing to Share
Under HIPAA, notes David Harlow, a healthcare attorney and consultant and founder of The Harlow Group LLC, any institution's use of PHI for purposes other than treatment, payment or operation requires patient consent. This provision prevents organizations from using patient information in marketing or selling it to a third party, but it's worth noting that "data analysis" doesn't qualify as treatment, payment or operation, either.
Such strict safeguards make sense, Harlow says. PHI as well as genetic research — increasingly prevalent thanks to advances in genomic research — is far more valuable to ne'er-do-wells than a Social Security number or credit card information, as it opens the door to healthcare fraud as well as potential discrimination based on one's medical condition.
Because HIPAA makes it hard to get information from healthcare providers, Harlow says those interested in analyzing PHI for both individual care needs and population health management could consider another source — patients themselves.
Admittedly, for this to happen, healthcare needs to do nothing less than develop "an ecosystem based on patient-controlled data," but Harlow says it's a "viable alternative" to the status quo.
Luckily, the later stages of the federal government's meaningful use incentive program start to provide some answers. Stage 2 of meaningful use, which goes into effect in 2014, requires providers to document that 5 percent of unique patients have viewed, downloaded or transmitted their electronic PHI.
Harlow also points to the Blue Button initiative as a patient enabler. The initiative — which began in the U.S. Department of Veterans Affairs but now includes more than 450 payers, providers, pharmacies and medical labs — lets patients view online, download and share any electronic PHI held by an entity that displays the blue button on its website.