By Daniel Wu
In December 2018, the U.S. Department of Health and Human Services (HHS) released a Request for Information (RFI) to understand how HIPAA provisions harm data sharing and coordinated care. This RFI underscores how the Federal government is beginning to understand the importance of responsible data sharing, a topic of growing importance. When providers don’t share data, physicians wastefully reorder tests and don’t fully understand their patient, harming the quality of their care.
To address this, HHS should incentivize the use of database management and privacy-enhancing tools, as well as standards to promote interoperability. Such incentives not only promote data sharing that protects patient privacy and trust, but also enhances the quality of care. However, this is easier said than done.
While the U.S. government, financial institutions and other sectors are rapidly adopting data science programs, there are still some key barriers to entry including the difficulty of ensuring the sharing of correct and relevant patient data, lack of data standards and shared data being disconnected from physician workflows.
The difficulty of ensuring the sharing of correct and relevant patient data
Hospitals are struggling to ensure they share correct and relevant data for care. A policy could encourage providers to adopt privacy tools that provide nuanced views of patient data.
According to one health information privacy lawyer, providers are worried they may unintentionally share their entire hospital’s patient record system. This is not an irrational fear; a surprising 53 percent of breaches, were due to internal factors, such as unauthorized disclosures, according to a Johns Hopkins University study. Hospitals do not have easy access to tools to provide nuanced views of data. Scared of such scenarios, providers shun electronic data sharing and default to “tried and true” but ineffective methods like faxes and phone calls.
Hospitals should also be worried about sharing particularly sensitive forms of data irrelevant for current care. A majority of patients are worried about the unnecessary disclosure of their financial background as well as family and mental health data. For this reason, HIPAA’s “minimum necessary” requirement mandates providers take reasonable steps to limit the disclosure of irrelevant health information.
Very likely because of inadequate tools, providers cite HIPAA’s minimum necessary requirement as a major barrier to data sharing. Instead of a blanket safe harbor as this article suggests, HHS should incentivize the adoption of privacy tools that easily provide nuanced views of patient data. The last thing regulators want is to protect providers from liability if they share entire records, the wrong records or unnecessary and highly-sensitive data.
Such privacy tools allow providers to tag data columns, such as income, as highly-sensitive. Such tools can block access to or mask just the rows containing such data, except for highly-vetted purposes. Data access is done in real-time, removing the need to create pseudonymized copies of data. This reduces mistakes as well as storage and computation costs. Finally, such tools easily track all data access and processing. With such tools, providers can easily demonstrate transparency to their patients, foster trust, and meet audit requirements.
Lack of interoperability
Even if providers want to share data, most complain about differences across vendor platforms that make sharing expensive. Additionally, many EHRs rely on standards that are outdated or incompatible with different applications, contributing to high fees EHR vendors charge to share data. One medical executive has called incompatible standards as “the industry’s most significant remaining obstacle.” As a result, policies should find ways to promote the adoption of common data standards to ease data sharing costs.
One policy to promote such adoption is to provide a safe harbor for those who share data and are part of the currently-voluntary U.S. Core Data for Interoperability (USCDI). The U.S. Core Data for Interoperability identifies the data set expected to be available for exchange — for instance, lab data, problem lists and medications — and standards for the content and format of that data — such as definitions of diseases and deadlines to respond to disclosure requests.
To reduce the cost of adopting frameworks like the USCDI, data management tools like the above are also helpful. As discussed, many providers are unable to provide nuanced views of patient data. But special tools can automate the sharing of USCDI data categories, particularly for users that meet certain requirements. For instance, a hospital might write a policy that enables only healthcare providers in Los Angeles to access Patient X’s dataset, if (1) (a) they’re cared for Patient X in the past or (b) patient X was admitted to their emergency room and (2) are using it for purposes of treatment. Such rule-based policies can facilitate access by reducing back-and-forths between healthcare providers for routine purposes.
Shared data is disconnected from physician workflows
Even if providers do manage to share data, physicians may not use it. In fact, 33 percent said they rarely used outside data, even when it was available. A major barrier, according to one survey, is that clinicians cannot see outside data embedded within their own EHR and that data access was given too slowly.
One policy to promote such integration is to incentivize it. HHS could clarify that data sharing goes beyond simply sending and receiving data. Not only should data be usable, by incentivizing the adoption of a common standard like USCDI, but data should also be easily and quickly accessible for the physicians who need it. Much like the adoption of USCDI, ensuring reasonable efforts for workflow integration could be a key element of a HIPAA safe harbor policy.
Data management tools offer some design lessons to promote better workflow integration. Instead of forcing physicians to navigate across complicated tabs or different applications to access outside data, data should be easily accessible from the physician’s main dashboard. In major data management tools, such “single point of access” is a key design feature that enables better data access and analytics.
Policy creation without code and rule-based access can address the second concern — that data access is given too slowly. As described above, writing rules for key data categories reduces back-and-forth between providers and automates data access. Secondly, empowering data governance personnel to data protection policies without code speeds up compliance and data access. Manual time-consuming processes requiring meetings with software developers to code new policies are eliminated.
Towards a smarter health system
In conclusion, data sharing can create a smarter health system. Beyond promoting coordinated care, data sharing can allow providers to learn from each other’s mistakes and triumphs. In most cases, this kind of analysis does not require access to individual-level data, just large amounts of quality data to make statistically-significant inferences.
If providers are worried about whether the benefits of data sharing outweigh the risks, they can start with those patients who would benefit the most with the least risk. Examples include patients with severe illnesses or the highest utilizers of care. These patients are the most likely to benefit from data sharing, which improves prognosis as well as wait times.
HHS should consider incentivizing key features seen in data management tools, such as nuanced views of data and the adoption of national data standards. Promoting technology that reduces costs of compliance for smaller providers and startups is key to reducing monopolies and anti-competitive behavior. While these suggestions are far from a comprehensive solution, as seen in other realms, these tools can help reduce the major challenges in data sharing and improve patient care.
Daniel Wu is a Privacy Counsel & Legal Engineer with Immuta.