We’re currently witnessing an explosion of digital health applications and software that is producing rapidly growing volumes of consumer and patient information. As a result, healthcare organizations are sitting on large stores of data that have significant value beyond the primary clinical use for which it was collected.
This data, shared responsibly, can be used to help solve some of healthcare’s most challenging problems. It can play a critical role in driving innovative research, deriving key insights and gaining new knowledge that can lead to faster and better treatments and cures for a wide range of health conditions and diseases. Other uses of the data include clinical trials transparency, quality and safety measurement, public health, payment, provider certification or accreditation, marketing, and other business applications.
For many of these uses, the data may be monetized by data custodians. Data monetization is exactly what it sounds like – making money by selling the data to another organization, or selling reports based on the data. The simple truth is our personal information is being collected, analyzed, bought, and sold on an increasingly routine basis. According to Gartner, 30 percent of all businesses will be monetizing their information assets by 2016.
By Rudy Richman, VP of Sales and Marketing, Privacy Analytics
Safely Managing Health Data Monetization
A large number of health and healthcare organizations share and monetize data. They include federal and state public health agencies, pharmaceutical companies, hospitals and healthcare providers, academic medical centers, cancer and birth registries, medical device manufacturers, insurance companies, EMR vendors, and health information exchange organizations.
Health data cannot, and should not, be sold or exchanged without proper consideration of what it will be used for. And it’s necessary to understand what personal identifiers exist in the data to know what could put individual patient privacy at risk.
The HIPAA Privacy Rule, by establishing national standards, requires safeguards to protect personal health information and sets conditions on how it is used. The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened the enforcement of HIPAA. It requires authorization from each individual in a data set for any sale of Protected Health Information (PHI). While this addresses important privacy concerns, it’s not always possible for health organizations to secure consent from each individual in a large data set – because they have moved, because of the trauma or sensitivity of the event, or because they are deceased – and unless all patients consent, the results of any analysis may be put into question.
If PHI cannot be sold without the consent of all patients, research efforts could be severely hampered. However, there is a way to achieve HIPAA compliance, share and monetize data, and still protect patient privacy. Under HIPAA, properly de-identified data is no longer considered PHI and therefore can be shared and monetized without consent.
There are two general approaches to de-identification, the “list” approach and the “statistical” approach, exemplified by the methods stipulated in the HIPAA Privacy Rule: Safe Harbor and Expert Determination. Safe Harbor specifies 18 elements that need to be removed or modified – 16 of those are direct identifiers, such as name and social security number, while two are quasi-identifiers that provide elements of dates or geography. Safe Harbor also includes a caveat that requires there be no clear or direct knowledge that anything else in the data could be used to re-identify individuals.
Whereas Safe Harbor is a one-size-fits-all approach, Expert Determination requires an assessment of risk given a specific context. Based on the level of risk, direct identifiers and quasi-identifiers can be removed or modified so that the data retains value for research and analysis.
It’s important to note that proper data de-identification is not the same as data masking. While commonly used masking techniques hide or remove direct identifiers, this still leaves risk from the quasi-identifiers. There is legal risk for non-compliance with HIPAA, financial risk from fines and lawsuits due to a data breach, and the reputational risk of losing patient trust when they learn that PHI was being shared or monetized inappropriately. Not to mention that masking to remove PHI can strip away the value of the data, rendering it less useful for research and analysis, and therefore a less valuable commodity for monetary gain.
Only one of these methods provides the most utility and value of the data while still protecting privacy, and that is de-identification. The de-identification of data is more sophisticated and leads to better results because responsible expert determination methodology and tools are used to manage the risks associated with the specific use of the data. Legal compliance is also satisfied when consistent de-identification standards and effective risk management procedures are used to protect patient privacy.
For data to be considered de-identified, the context of the data release is analyzed through a risk assessment. This assessment analyzes the type and content of the data, what type of organization is receiving the data and how they will use it, as well as how the data will be protected through physical and policy measures. All these factors are considered to determine the risk of re-identification, and the data is then adjusted accordingly to provide a data set with the lowest level of risk for the highest level of use. Remember, once the data is no longer considered PHI, it is no longer covered under HIPAA.
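The difference between masking and adjusting quasi-identifiers, as an added example that is not from the original article or from Privacy Analytics: it scores re-identification risk as 1 divided by the size of the smallest group of records sharing the same quasi-identifier values, first after masking only and then after coarsening the quasi-identifiers. The field names, sample records, coarsening rules and this risk measure are assumptions chosen for illustration; a real assessment would also weigh the recipient and the physical and policy controls described above.

```python
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "ssn")
QUASI_IDENTIFIERS = ("zip", "birth_date", "sex")
FIELDS = ("name", "ssn", "zip", "birth_date", "sex", "diagnosis")

# Constructed sample rows; not real patient data.
ROWS = [
    ("Patient A", "000-00-0001", "10001", "1975-03-14", "F", "asthma"),
    ("Patient B", "000-00-0002", "10002", "1975-11-02", "F", "diabetes"),
    ("Patient C", "000-00-0003", "10003", "1975-07-21", "F", "asthma"),
    ("Patient D", "000-00-0004", "94110", "1982-01-09", "M", "hypertension"),
    ("Patient E", "000-00-0005", "94112", "1982-06-30", "M", "asthma"),
    ("Patient F", "000-00-0006", "94114", "1982-12-25", "M", "diabetes"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def mask(record):
    """Masking only: drop direct identifiers, leave quasi-identifiers as-is."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize(record):
    """Mask, then coarsen quasi-identifiers (assumed rules for this example):
    keep a 3-digit ZIP prefix and the birth year only."""
    out = mask(record)
    out["zip"] = out["zip"][:3]
    out["birth_date"] = out["birth_date"][:4]
    return out


def risk(records):
    """Return (maximum re-identification risk, number of unique records).

    Records with identical quasi-identifier values form one group; a record's
    risk is 1 / group size, so a group of one is a uniquely matchable record."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    unique = sum(1 for size in groups.values() if size == 1)
    return 1 / min(groups.values()), unique


if __name__ == "__main__":
    print("masked only:", risk([mask(r) for r in RECORDS]))
    print("generalized:", risk([generalize(r) for r in RECORDS]))
```

With names and SSNs removed, every sample record is still unique on ZIP, birth date and sex; coarsening those fields places each record in a group of three while the diagnosis column stays intact for analysis.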
As demand for data sharing and monetization grows, so do concerns about privacy and risk. The good news is that privacy can be easily addressed by using the right approach. Responsible de-identification is a reputable, HIPAA-compliant solution to safely monetizing the data that health and healthcare organizations have at their disposal.
About The Author
Rudy Richman is the Vice President of Sales and Marketing for Privacy Analytics, where he is responsible for the development, implementation and execution of strategies that deliver expert determination de-identification methodology and products to the marketplace. He uses his extensive market knowledge, business experience and leadership skills to design multi-faceted programs and provide strategic guidance to both established and emerging companies in technology, healthcare and other industries seeking to efficiently scale and monetize their assets.