Balancing data analytics with patient privacy

CHICAGO—How to leverage healthcare data while protecting patient privacy is not a new question but “the dimensions have gotten significantly bigger,” said Deven McGraw, JD, partner in the healthcare practice of Manatt, Phelps & Phillips, speaking at the 2014 Healthcare Leadership Forum.

“There is a lot more data out there, imperatives to make responsible use of data for healthcare reform purposes…a constellation of issues that’s much more salient today.” That could lead to a tipping point that drives regulatory changes, she added.

HIPAA is extremely relevant to analytic uses of data because there is a lot of valuable data in the HIPAA-covered space, she said. The law applies most stringently to fully identifiable data and doesn’t apply at all to deidentified data. When the risk of reidentification is very small—it will never be zero—data can be used for any purpose. “That’s a very attractive vehicle for analytic uses of data,” said McGraw. The limited dataset is a “close cousin,” which doesn’t require users to strip out as much identifying information but can be used liberally for population health and research.

There is heavy reliance on these types of data but they don’t always work for all types of analytics, McGraw said. Geographic demographics, for example, play a role in a lot of analytics efforts.

The government has done very little to provide more guidance around deidentified data and limited datasets, she said. The most recent guidance calls for patient consent for future uses of fully identifiable data in a HIPAA-covered entity.

The rules used to require researchers to ask for very study-specific authorizations but in early 2013, the Dept. of Health and Human Services (HHS) issued the Omnibus rule. That set of regulations implemented most of the changes that are part of the HITECH Act. Buried in “this big stack of rulemaking,” said McGraw, was guidance that said researchers “don’t really have to do a study-specific authorization. They could get more general authorization for research as long as they have sufficiently described it in the authorization form.” The patient should not be surprised by any uses down the line.

“The problem is, that’s all [HHS] said. There were no examples and no additional guidance,” said McGraw. That left a situation where the regulators opened the door but people are too worried about walking through that door. They can’t feel certain that they’ve done enough regarding consent and authorization. “I think the regulations really did intend to try to ease up on the rules here but probably didn’t go far enough to enable the research community, which operates within the compliance environment, to feel comfortable enough to do that.”

Back in 2011, the federal government issued an advanced notice of proposed rulemaking that was essentially a request for information, she said. “There weren’t proposed changes but they were floating ideas for possible changes to start getting stakeholder feedback. They floated the idea that we could loosen up the rules particularly for reuse of clinical data. That’s HHS’ sweet spot. They govern clinical data.”

There has yet to be a proposed rule released on this because it’s still “jammed up in internal review.”

McGraw said she sees a pattern where “we’re not going to get rid of consent altogether but they’re willing to let people start gathering it in a more general way.” It’s an effort to respond to imperatives to let stakeholders perform more data analytics.

There are numerous issues with the rules, not least of which is confusion and misinterpretation about how they apply, she said. Organizations are concerned about sharing data with another entity—even within the context of treatment—without knowing for sure that the receiving entity will protect those data to the same degree that the disclosing entity does. That’s even though the regulations say that the sending entity is not responsible for what a downstream receiver does with the data, at least from a legal standpoint.

The rules don’t make a lot of sense, said McGraw. The distinction between operations and research lies in internal and external use of information. Operations means organizations are not going to try to contribute to generalizable knowledge and don’t need to get patient consent. Research is both systemic and involves contributing to generalizable knowledge. Entities must get authorization, use less identifiable information or have authorization waived.

There’s a paradox here, said McGraw. The same data use, intending to improve quality is going to be treated as operations if the results are used just within one organization and as research if the organization intends to share with others in order to improve the learning healthcare system as whole.

“That is just silly,” she said. “In a learning healthcare system, we’re supposed to be encouraged to learn and share what we learn.” The current rules say that how users handle the data isn’t more important than what they intend to do with the results.

However, McGraw said she doesn’t “see any appetite within the Office of the Civil Rights [OCR] to do anymore on this issue. OCR has a very broad mandate of which HIPAA is a tiny slice. That’s where we are now--not a forward-thinking viewpoint. They protect HIPAA too much.”

When the advanced notice of proposed rulemaking was issued, the Health IT Policy Committee—of which McGraw has been involved—submitted comments about “the very weird dichotomy between operations and research. When reusing data responsibly and contributing to generalizable knowledge, we should always treat that as operations, at least from regulatory standpoint, as long as the entity contributing data still has the customary decision-making control that they have when data are used internally. The mere fact of sharing results doesn’t raise any more risk so why treat it as though it does?”

The lines aren’t drawn in the right place, she added. “The objective should be let’s build trust, not check off some box of consent.”