Perspective | Tim Suther
Senior Vice President, Data Solution at Change Healthcare
Data use and privacy are priority topics for consumers, businesses, regulators, and consumer watchdog groups. While the use of deidentified healthcare data can provide compelling benefits (such as improved outcomes and reduced cost), its use does not come without some risk. It is critical to identify those risks and develop a plan to mitigate them.
To better understand and act on risk, let us first examine what the major risks are, then explore levers to mitigate them.
Healthcare data is regulated by a complex and evolving web of federal, state, and international privacy laws.
HIPAA, HITECH, CCPA, CPRA, GLBA, GDPR, and other laws regulate the privacy of healthcare information. The enforcement of these laws can entail civil and criminal action. For example, failure to comply with HIPAA can lead to fines of up to $50,000 per violation and up to ten years in prison.1,2 As of December 2, 2020, there were 686 active HIPAA investigations (see https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf for a current list).
In addition to federal laws, states have privacy laws that add complexity. California has perhaps the most comprehensive law—the California Consumer Privacy Act. The California Attorney General can impose penalties of $2,500-$7,500 per record for violations.3 The next generation of California’s consumer privacy law, the California Privacy Rights Act, was recently approved by California voters and includes additional restrictions on the use of data, including its combination with third-party data.4 Lastly, GDPR sets the world’s privacy agenda and ultimately may have more significant implications on healthcare privacy around the globe, including in the US.5
Making matters more challenging, keeping data de-identified can be especially difficult.6 The widespread availability of demographic, credit card, and location data, even if de-identified, makes maintaining privacy compliance particularly challenging. Even when an expert determination has been made that healthcare data has been thoroughly de-identified, comingling or collocating that data with other consumer attributes may introduce the risk of re-identification.7 A proper expert determination should incorporate all data and be continuously monitored.
Healthcare data is often designated as sensitive data subject to more stringent protections than other personally identifiable information.
Data breaches, particularly if exposed data is capable of being re-identified, can subject data users to significant financial and criminal penalties as noted above.
Additionally, healthcare data can be an attractive target for criminal activity. A CISA/FBI/HHS joint cybersecurity task force recently highlighted increased ransomware activity targeted at healthcare data which is known to have impacted dozens of healthcare facilities.8
Beyond privacy, protection of other parties’ confidential information is essential.
While privacy laws protect patients and consumers, contractual obligations protect confidentiality. Confidential information can include data about a provider’s volume, cost, volume, and quality. Confidential information can include information about a payer’s network coverage or the specific reimbursement policies between payers and providers.9
Misuse of this information can give rise to FTC action.10 In 2019, the FTC awarded $143.76 million in civil penalties and imposed a $5 billion fine on Facebook.11 In 2019, enforcement actions for violations by healthcare and healthcare-associated organizations alone amounted to nearly half, or 46%, of the total enforcement actions taken by the agency.12
Copyrighted content is commonly embedded in healthcare data, meaning licenses are required for use of those materials.
For example, use of Current Procedural Terminology (CPT) codes requires a license from the American Medical Association as this is copyrighted material.13
There are also reputation risks that may damage an organization’s perceived trustworthiness in the marketplace.14
For example, the notoriety surrounding Cambridge Analytica has shaped Facebook’s perceived trustworthiness for years. Lancet, the oldest peer reviewed medical journal, suffered reputation damage from a poorly conceived (and potentially fraudulent) Hydroxychloroquine study that was later retracted.15,16 The bottom line: while your use might be lawful and contractually permitted, you still run the risk of the perception of misuse.
All these factors present risks to your ongoing ability to access and use de-identified data. The time and resources required to ingest, analyze, and act upon de-identified data are significant. Disruption to the flow of data could result in serious financial consequences and damage your customer commitments and the underlying relationships.
Accordingly, it is critical to ensure that your source of data has an effective risk mitigation program. Let us look at the levers to mitigate those risks.
Change Healthcare helps its customers mitigate risk using a governance model that ensures evolving risks are effectively identified and incorporated. Change Healthcare recently was recognized as Best Compliance & Ethics Program (small to mid-cap), and Compliance Department of the Year.17 Let’s review how Change Healthcare helps its customers mitigate risk. This governance model is supported by a multi-million dollar per year investment that ensures evolving risks are effectively identified and incorporated.
Principles of Use:
An effective governance program starts with principles of permitted use. Change Healthcare only allows use when it helps inspire a better healthcare system, which includes, but are not limited to the following applications:
We protect against adverse impact. For example, we do not allow uses that deny health insurance. We never sell data, but rather license only for clear and specific restricted use. We impose rigorous standards on our vendors and subcontractors for data, including a licensee-specific certification, security standards, insurance, and audit rights to ensure compliance. Many of these protections have immediate termination rights for unauthorized use.
We adhere to the treatment, payment, healthcare operations (TPO), and associated minimum necessary obligations specified under HIPAA. For example, we do not allow models to be trained on PHI for secondary use.
Change Healthcare data is de-identified using the expert opinion methodology.18 Some of those requirements include:
We typically require customer-specific certification. A contractual representation not to re-identify is not enough. It is simply too easy to acquire other consumer attributes and inadvertently create an unacceptable risk of re-identification. We negotiate robust audit rights with our customers to ensure ongoing adherence. That audit right can be an effective control you use as part of your own compliance program.
Change Healthcare monitors updates and additions to both federal and state laws that impact the use of data. As of October 2020, there were at least seven privacy bills in U.S. Congress and over 40 in state governments.
Our patent-pending Data Science as a Service (DSaaS) environment offers “always on” protections to help ensure privacy and security adherence. Under Data Services as a Solution (DsaaS), every query and output are monitored to help ensure each use is compliant. This is an offering unique to Change Healthcare.
We require explicit written permission from covered entities to de-identify and license data we process on their behalf, and we allow use of de-identified data only when compatible with customer authorization.
Deidentified data may never be used for anticompetitive purposes. Where appropriate, we may require measures about covered entities to be segmented to enable informed healthcare decision making yet protect the interests of the underlying subjects of the data.
DSaaS offers “always on” confidentiality protections to help our data customers maintain high standards for their use of data. Additionally, each DSaaS environment is established uniquely and solely for the customer accessing that store of data. No other customer has access to your DsaaS instance. And we reserve the right to audit use and compliance to help ensure ongoing adherence.
This document highlights numerous diverse risks associated with the use of de-identified healthcare data. Fortunately, research indicates that an effective governance program can be very effective in ensuring de-identified data remains de-identified.20
2. 42 U.S.C. § 1320d–6.
8. https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware _Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf