Shining a Light on Secure Health Big Data and Digital Privacy
Kathryn Marchesini, J.D., Helen Caton-Peters, MSN, RN and Lucia Savage, J.D. | September 24, 2015
Through the proliferation of software applications and mobile technology, the amount of identifiable health information being collected, analyzed, and used is growing exponentially. As the volume, velocity, and variety of such information activities continue to grow, ONC is looking at how to protect that information from potential risks that may arise from unknown and inappropriate use.
The shared draft interoperability roadmap, Connecting Health and Care for the Nation, supports research and big data analyses within a trusted environment as an important component on the path to achieving a nationwide learning health system.
On August 11th, the Health IT Policy Committee (HITPC) approved the privacy and security health big data report of the Privacy and Security Workgroup (PSWG). The PSWG focused its efforts on identifying potential gaps in privacy and security protections given prevailing frameworks. The workgroup also examined the degree to which existing laws and regulations facilitate an environment that enables information to be “leveraged for good” while still protecting individual’s privacy interests or protecting against discrimination. ONC appreciates the time and dedication of the HITPC on this important topic and is taking the report under consideration.
HITPC Health Big Data Recommendations
The report recommends that ONC and other federal stakeholders, including the HHS Office for Civil Rights (OCR), take several actions to support privacy and security related to health big data. These actions include:
- Address Harm, Including Discrimination Concerns
- Promote more public discussion to understand the risks from gaps in privacy and security protections for health information, both the harm to individuals and communities.
- Focus on identifying gaps in legal protections against what are likely to be an evolving set of harms from big data analytics.
- Adopt measures that increase transparency about actual uses of health information.
- Explore how to increase transparency around use of the algorithms used in big health analytics, perhaps with an approach similar to that used in the Fair Credit Reporting Act (FCRA).
- Address Uneven Policy Environment
- Promote Fair Information Practice Principles (FIPPs)-based protections for data outside the protections of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
- Evaluate rules (existing laws, regulations, and local policies) governing uses of data that contribute to a learning health system to ensure they promote responsible re-uses of the data that contribute to generalizable knowledge.
- Modify rules around research uses of data to incentivize entities to use more privacy protecting architectures, for example by providing safe harbors for certain behaviors and levels of security.
- Create an individual “right of access” to the information in entities not covered by HIPAA as part of voluntary codes of conduct; also revise HIPAA over time to enable its continued effectiveness at protecting health information in the digital age.
- Educate individuals, healthcare providers, technology vendors, and other stakeholders about the limits of current legal protection; reinforce previous PSWG recommendations.
- Protect Health Information by Improving Trust in De-Identification Methodologies and Reducing the Risk of Re-Identification
- Be a more active “steward” of the HIPAA Privacy Rule de-identification standards.
- Develop initiatives or programs to objectively evaluate statistical methodologies to vet their capacity for reducing risk of re-identification to “very low” in particular contexts.
- Grant safe harbor status to methodologies that are proven to be effective at de-identification in certain contexts to encourage use of proven methodologies.
- Establish risk-based de-identification requirements in circumstances where re-identification risk is very low.
- Support Secure Use of Data for Learning
- Develop voluntary codes of conduct that also address robust security provisions.
- Provide incentives for entities to use privacy-enhancing technologies and privacy-protecting technical architectures.
- Educate stakeholders about cybersecurity risks and recommended precautions.
- Leverage HITPC’s Privacy and Security Tiger Team 2011 recommendations to ONC with respect to the HIPAA Security Rule
Rapidly evolving informatics techniques have the potential of yielding significant information that will help improve health, lower costs, and deliver a better health care experience. The recommendations further advance the dialog about how these techniques can contribute to building a learning health system while maintaining fair information practice principles and securing big health data and digital privacy. The report, however, is not comprehensive. That is why ONC looks forward to working with federal partners, industry, and the health IT community to make sure progress continues toward achieving the goals of an interoperable learning health system.