Data Privacy Checkup

Sam Wehbe


June 1, 2016

data privacy healthcare

As health care organizations try to capitalize on big data, their risks are increasing exponentially. To address this issue, professionals trained in health data risk management must guide their organizations in monitoring emerging risks and establishing defensible health data-sharing practices.

While the technology, finance and retail industries have long relied on big data and analytics to generate additional revenue and reduce the cost of doing business, the health care industry lags behind in seizing these opportunities. As a result, health care organizations are just now beginning to unlock the potential of their rapidly growing data assets. Hospitals, health insurers, and drug and medical device companies are increasingly seeking opportunities to access and use health data for secondary purposes. These include supporting medical research, performing post-market drug surveillance, monitoring the quality of care, identifying and treating diseases in a more timely manner, and delivering better clinical outcomes.

The increased use and sharing of health data triggers significant risks, however, with regard to patient privacy, legal compliance, financial exposure and corporate reputation, for both internal and external secondary data-sharing activities. Leveraging protected health information (PHI) or personally identifiable information (PII) requires health care organizations to tread carefully. Safeguarding patient privacy is paramount and the repercussions from data exposure and breach can be costly in many ways, both to the organization and to the people whose privacy it is obligated to protect.

For privacy officers, risk professionals and an increasing number of executives, sharing data for secondary use is inherently an exercise in risk management. By effectively assessing the data’s exposure to risk, proper measures can be taken to safeguard individual privacy. It is about striking the right balance. While maximum security could be achieved by simply not sharing the data with anyone, this would defeat the purpose and demands of secondary use. Maximum data quality can be reached by keeping the data elements intact, but this leaves sensitive, protected or confidential information exposed to unauthorized viewing, use, disclosure or theft.

A recent survey of privacy, IT and compliance professionals revealed that, as demand for data access and sharing increases, more than two out of three health care organizations lack complete confidence in their ability to share data safely with regard to protecting individual privacy. The survey—conducted by Privacy Analytics in collaboration with the Electronic Health Information Laboratory—indicated that, despite this lack of confidence, data-sharing activities continue to grow. Nearly two-thirds (62%) of respondents indicated that their organizations are currently releasing data for secondary purposes. More than half (56%) are planning to increase the volume of data they share in the next 12 months.

The goal, then, should be to find the appropriate way to ensure both privacy compliance and access to useful data.

The regulatory environment for health information is complex. Long-standing legislation like the Health Insurance Portability and Accountability Act (HIPAA) has been modified and updated by the HITECH Act and other changes, and recently the proposed 21st Century Cures Act has suggested provisions to further modify the rules around sharing patient data. With the addition of various national and international standards and guidelines, like those from the Health Information Trust Alliance (HITRUST), the Institute of Medicine and the EU’s Data Protection Directive 95/46/EC, it can be challenging to determine whether data-sharing practices meet regulatory compliance.

These recent changes have elevated the role of risk managers and privacy officers, who must now go further to help their organizations monitor emerging risks, navigate the regulatory landscape and manage risk to minimize financial and reputational costs. This can be achieved through establishing responsible, risk-based data-sharing practices to address any data items that could be used to re-identify an individual patient within a data set while still preserving the data’s utility.

Below are six ways to limit risk when releasing data for secondary uses. These steps can give risk professionals confidence that their organization’s data-sharing practices effectively protect privacy, comply with current legislation, and are defensible should a breach occur.

1. Locate Sources of PHI in the Data

As health care has evolved from paper charts to digital files to data analytics, the extent and complexity of the health data that is captured on a patient has increased. Health care organizations are finding PHI in their data where they did not expect it to be, particularly in unstructured data. As a result, these organizations may be inadvertently “leaking” PHI to data recipients without realizing it.

In the United States, the disclosure of PHI is governed under HIPAA legislation. To provide data for secondary use, HIPAA requires that PHI be removed from the data. Adequately assessing privacy risks requires the use of tools that can comprehensively examine structured and unstructured data elements to dig out sources of PHI. Only then can effective data de-identification be performed. Covered entities and business associates have traditionally employed two approaches to achieve this: data masking and the Safe Harbor method set out under HIPAA’s Privacy Rule.

2. Incorporate Effective De-Identification

While data breaches resulting from external attacks and hackers garner significant media attention, breaches due to re-identification, although often less publicized, also present real risks to privacy.

The removal of basic demographic data from a database does not ensure anonymity for the individuals represented within it. Health care organizations are starting to share data widely with researchers and, in some cases, make information publicly available. Unfortunately, their de-identification practices may not have caught up with their sharing practices. Successful re-identification has been demonstrated by matching data that has been masked to public sources of information, like newspaper reports. Meaningful de-identification requires more than the simple removal of names and addresses; it involves taking a risk-based approach to data de-identification.

In the aforementioned Privacy Analytics survey, when asked to identify current data management practices, more than 75% of respondents indicated that their organizations were using one or more approaches that can increase data privacy risk, such as data-sharing agreements (50%), data masking (31%) and Safe Harbor methodology (28%). These approaches do not adhere to globally accepted data-sharing guidelines, including those from HITRUST, the Institute of Medicine, and the Council of Canadian Academies. Although Safe Harbor is recommended by regulators, it represents a minimum standard for de-identification and can still leave data vulnerable to a breach.

Resources are available for organizations that do not have the in-house capacity or training to run threat scenarios against the data, which helps proactively assess vulnerability to various threats. Adjustments can then be made that limit the data’s usefulness to criminals, making it a less tempting target and containing the negative consequences of a breach.

3. Benchmark Risk Exposure

One of the hardest decisions to make when sharing data is how much de-identification to apply; finding the right balance between optimal data security and data quality is imperative.

Determining the “right” amount of de-identification to meet both of these needs can be difficult since we are dealing with probabilities, not absolutes. It is impossible to say that there is a zero chance that a patient could be re-identified from their data. It is possible, however, to confidently know that the risk is close to zero. This is achieved by following the lead of reputable organizations that have extensive experience in releasing data. The Centers for Disease Control and Prevention, for example, has established precedents for what is an acceptable risk of re-identification for public release. These precedents provide for good data quality while also ensuring strong security.
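To make the risk-based approach of sections 2 and 3 concrete, here is an added example (not code from the article or from Privacy Analytics) that measures re-identification risk on a small constructed extract. It treats ZIP code, birth year and sex as quasi-identifiers, sizes the equivalence classes they form, and applies progressively coarser generalizations until the largest per-record risk falls under a chosen threshold; the records, the generalization ladder and the thresholds are all assumptions for illustration.

```python
from collections import Counter

# Constructed sample release: names and other direct identifiers are already
# gone, but the quasi-identifiers that enable linkage to public sources remain.
# Fields: (ZIP code, birth year, sex, diagnosis)
RECORDS = [
    ("02139", 1954, "F", "diabetes"), ("02139", 1956, "F", "asthma"),
    ("02141", 1951, "F", "diabetes"), ("02138", 1958, "F", "hypertension"),
    ("02141", 1953, "F", "asthma"),   ("02142", 1957, "F", "diabetes"),
    ("02139", 1972, "M", "asthma"),   ("02142", 1975, "M", "diabetes"),
    ("02138", 1971, "M", "asthma"),   ("02139", 1979, "M", "hypertension"),
    ("02141", 1974, "M", "diabetes"),
]


def generalize(record, level):
    """Return the quasi-identifier tuple for a record at a generalization level.
    Level 0 keeps full detail; each higher level trades utility for anonymity."""
    zip_code, year, sex, _diagnosis = record
    decade = f"{year // 10 * 10}s"
    if level == 0:
        return (zip_code, year, sex)
    if level == 1:                      # 3-digit ZIP, 10-year birth band
        return (zip_code[:3], decade, sex)
    if level == 2:                      # additionally suppress sex
        return (zip_code[:3], decade)
    return (zip_code[:3],)              # level 3: region only


def risk_profile(records, level):
    """Re-identification risk from equivalence-class sizes.
    max_risk: 1 / smallest class (the most exposed record).
    avg_risk: expected fraction of records a linkage would pin down uniquely,
              which equals number of classes / number of records."""
    classes = Counter(generalize(r, level) for r in records)
    max_risk = 1 / min(classes.values())
    avg_risk = len(classes) / len(records)
    return max_risk, avg_risk


def smallest_generalization(records, threshold, max_level=3):
    """Lowest level whose max_risk meets the threshold, or None if none does."""
    for level in range(max_level + 1):
        if risk_profile(records, level)[0] <= threshold:
            return level
    return None


if __name__ == "__main__":
    for level in range(4):
        print(level, risk_profile(RECORDS, level))
    print("level for 0.2:", smallest_generalization(RECORDS, 0.2))
```

At full detail every record is unique (risk 1.0); coarsening ZIP and birth year to bands brings the worst-case risk to 0.2, and a stricter target forces the extract down to region only, which is the utility cost the text describes.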

4. Work with IT to Assess Security Incidents

While negligent or careless employees who lose or leave behind devices storing PHI or PII remain a major cause of data breaches, criminal attacks on health care organizations have grown by 125% since 2010, according to the Ponemon Institute. For the first time, criminal attacks have become the number one cause of data breaches. Despite this, many covered entities and business associates say they lack sufficient resources and budget to protect against new threats to patient data. Limited bandwidth leaves organizations with only enough capacity to react to incidents once they occur, focusing on the last threat rather than preparing for the next one. Ponemon also found that the assessment of security incidents is most often an ad hoc process. The majority of organizations indicate that they do not perform risk assessments for all security incidents involving electronic documents even though there is a federal mandate to do so.

Organizations will only come under greater pressure to allocate sufficient budget toward security technologies and training as criminal attacks on health care data become more prevalent.

5. Base Data-Sharing Agreements on Context

The sensitive nature of health data means that exceptional care is needed when data is to be shared for secondary purposes. But who will have access to the data, how it will be used and where it will be stored differ from one case to the next. Some sharing agreements require widespread access to the data while others restrict access to a trusted few. To quantify an organization’s vulnerability in these situations, risk professionals need to look at both the data and the data recipient. Data-sharing agreements are contracts with the recipient that help to clearly establish the limitations on data use and disclosure from the beginning of a data-sharing arrangement.

6. Engage with Experts

In an attempt to protect privacy, many organizations employ data-masking tools or other in-house de-identification solutions to remove PHI. Unfortunately, while cost-effective and simple to use, these rudimentary tools have significant drawbacks. Many of the most common masking techniques reduce the usefulness of data, diminishing granularity and destroying the utility of the masked fields. Furthermore, masking does not provide guarantees for low privacy risk. These techniques do not use metrics to measure the risk of re-identification, so it is not always possible to know whether the data transformations performed are sufficient and will be defensible in the event of a lawsuit.

Operating in the current legislative environment requires risk managers and privacy officers to have confidence that their data is compliant. Engaging with experts in health data de-identification will help organizations effectively protect patient privacy and enable them to unlock the value of their data.

Health care organizations are under increasing demand to share their data, both from internal executives looking to achieve cost efficiencies and find new sources of revenue, as well as external groups who grasp the potential to conduct innovative research and improve health outcomes.

For health care organizations, like many companies, data is an invaluable asset that can unlock opportunities when used responsibly. By applying sensible strategies, risk managers dealing with health care data can mitigate risk and prevent costly mistakes.

Sam Wehbe is a director at Privacy Analytics, a provider of data security software and services.